Hi jyw-ga,
There are numerous reasons why one would choose SNMPv3 over SNMPv1. I
will be providing descriptions of the differences and/or links for the
main categories that are relevant here:
There are essentially no security measures integrated into v1; however,
v3 offers many features which combat this problem. Some of them
include:
Authentication:
* shared manager/agent authentication key
* the USM (User-based Security Model) defines two authentication
protocols
* inclusion of timeliness mechanisms
Privacy:
* this is optional due to regulations in many countries that disallow
its use
* manager and agent share a secret encryption key (different
passwords)
Security Levels:
* three levels that can be used in some combination consistent with
perceived protection needs - "The lowest level does not provide
authentication or privacy (noAuthNoPriv). This level's security is
thus comparable to SNMPv1. The second level provides authentication,
but no privacy (AuthNoPriv), and the highest level provides
authentication and security (AuthPriv). (The combination of no
authentication with privacy is not supported by SNMPv3). "
Access Control:
"Access control is a security function performed at the PDU level.
SNMPv3 allows for the definition of multiple access controls, but
suggests the View-based Access Control Model (VACM).([10]). Strong
access control demands strong authentication, which SNMPv3 does have."
http://www.cs.utk.edu/~race/594paper.html
Another source, ISP-Planet, verifies the points made in the paper
above, stating that:
"SNMPv3 was introduced in 1999, and gets around the security concerns
by making it possible to encrypt all SNMP related traffic. It also
accommodates authentication via a digital signature for remote
systems. "
They also point out several other features made available in v3 that
are missing from v1:
* auditing
* enhanced time synchronization protocol
* increased set of management tools
* non-security related enhancements that were included in SNMPv2
Taking directly from the article, "SNMPv3 takes the best of version 2,
perfects these features, adds a few of its own and then makes it
secure. Another major plus for SNMPv3 is that it has been designed in
a modular manner that, some say, will make it unnecessary for a new
version (v4 per chance) to be introduced in the near future. When the
need for new functionality is realized, it can be incorporated into
SNMPv3 without the need for wholesale changes."
http://www.isp-planet.com/technology/2002/snmp_v1v2v3.html
Just to get an idea of the features in SNMPv2 that were alluded to in
the source above, I strongly suggest referring to William Stallings'
"Data and Computer Communications" 6th Edition (pg. 705-709) for a
concise and informative overview. Unfortunately this cannot be
reproduced here due to copyright restrictions. The ISBN is:
0-13-084370-9.
If you have any problems understanding the information above please
post a clarification and I will respond to it. Happy networking :)
Cheers!
answerguru-ga
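
The three security levels described in the answer above are carried in each SNMPv3 message as the msgFlags octet, so a defender can check captured traffic against an "authPriv only" policy. The following is an added example, not part of the original answer: the msgFlags bit values come from RFC 3412, the function names are hypothetical, and the sample packets are constructed.

```python
# Added example (not from the original answer). Sample packets are constructed.
AUTH, PRIV = 0x01, 0x02          # msgFlags bits defined in RFC 3412
LEVELS = {0: "noAuthNoPriv", AUTH: "authNoPriv", AUTH | PRIV: "authPriv"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:            # long-form length: low 7 bits = octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def classify(datagram):
    """Return (version, security_level); level is None for v1/v2c."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, ver, pos = read_tlv(body, 0)              # msgVersion INTEGER
    version = int.from_bytes(ver, "big")
    if version != 3:                             # community-string versions
        return VERSIONS.get(version, "unknown"), None
    _, header, _ = read_tlv(body, pos)           # msgGlobalData SEQUENCE
    p = 0
    for _ in range(2):                           # skip msgID, msgMaxSize
        _, _, p = read_tlv(header, p)
    tag, flags, _ = read_tlv(header, p)          # msgFlags OCTET STRING (1)
    if tag != 0x04 or len(flags) != 1:
        raise ValueError("malformed msgFlags")
    # priv without auth (0x02) is not a valid SNMPv3 combination
    return "SNMPv3", LEVELS.get(flags[0] & (AUTH | PRIV), "invalid")

def audit(datagrams, required="authPriv"):
    """Return indexes of datagrams that do not meet the required level."""
    return [i for i, d in enumerate(datagrams) if classify(d)[1] != required]

# Constructed samples: a v1 message with community "public", and a v3 header
# (msgID 1, msgMaxSize 1500, USM) with a caller-chosen msgFlags octet.
SAMPLE_V1 = bytes.fromhex("300d02010004067075626c6963a000")
def sample_v3(flags):
    return bytes.fromhex("3016020103300d020101020205dc0401%02x02010304003000" % flags)

if __name__ == "__main__":
    for pkt in (SAMPLE_V1, sample_v3(0x04), sample_v3(0x05), sample_v3(0x07)):
        print(classify(pkt))
```

Only the last sample passes the audit; the v1 message has no security level at all, which is why it is reported alongside the weaker v3 levels.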