11.3. Conformance

This section addresses conformance issues related to the User-based Security Model.

Mandatory Protocols

An implementation of this USM MUST support:

  1. HMAC-MD5-96 Authentication Protocol (as described in section 6)
  2. CBC-DES Privacy Protocol (as described in section 8)

These protocols are mandatory to ensure interoperability between different SNMPv3 implementations.

Optional Protocols

An implementation of this USM MAY also support:

  1. HMAC-SHA-96 Authentication Protocol (as described in section 7)
  2. Other authentication and privacy protocols as they are defined and registered with IANA

No Authentication and No Privacy

An implementation MUST also support:

  • Authentication without privacy (authNoPriv)
  • No authentication and no privacy (noAuthNoPriv)

These options are required to support scenarios where security is not needed or where only authentication (without encryption) is required.

MIB Module Conformance

Implementations MUST comply with the MIB module defined in section 5, including:

  • The usmUserTable for user configuration
  • The usmStats group for monitoring USM statistics
  • The conformance statements defined in the MIB module

Protocol Operations

An implementation MUST correctly implement:

  1. Discovery procedures (section 4) - for learning the authoritative engine's snmpEngineID
  2. Time synchronization (section 2.3) - for maintaining synchronized time values
  3. Message processing (sections 3.1 and 3.2) - for generating and processing secured SNMP messages
  4. Key management - including key localization (section 2.6) and key changes
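Key localization (section 2.6) and the 96-bit truncation used by HMAC-MD5-96 and HMAC-SHA-96, as an added Python example that is not part of the original page. The password and engine ID are the published test inputs from RFC 3414 Appendix A.3; the function names and the sample message bytes are constructed for illustration.

```python
import hashlib
import hmac

def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: digest of the password repeated cyclically to exactly 1,048,576 octets."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): a key usable with one authoritative engine only."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_params(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """HMAC over the whole message, truncated to 96 bits (12 octets).

    whole_msg must carry twelve zero octets where the authentication
    parameters will be written, on both the sending and the receiving side.
    """
    return hmac.new(kul, whole_msg, algo).digest()[:12]

def verify(kul: bytes, whole_msg: bytes, received: bytes, algo: str) -> bool:
    """Constant-time digest check; a False result is what usmStatsWrongDigests counts."""
    expected = auth_params(kul, whole_msg, algo)
    return len(received) == 12 and hmac.compare_digest(expected, received)

# Test inputs from RFC 3414 Appendix A.3.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed stand-in for a serialized message with the digest field zeroed.
SAMPLE_MSG = b"constructed-header" + bytes(12) + b"constructed-scoped-pdu"

if __name__ == "__main__":
    for algo in ("md5", "sha1"):  # HMAC-MD5-96 and HMAC-SHA-96
        kul = localize_key(password_to_key(PASSWORD, algo), ENGINE_ID, algo)
        mac = auth_params(kul, SAMPLE_MSG, algo)
        print(algo, "Kul =", kul.hex(), "digest =", mac.hex(),
              "verifies =", verify(kul, SAMPLE_MSG, mac, algo))
```

Because the engine ID is mixed into the key, the same password yields a different localized key on every authoritative engine, so a key recovered from one agent does not authenticate to another.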

Interoperability Requirements

To ensure interoperability:

  1. Implementations MUST accept messages from other compliant implementations using the mandatory authentication and privacy protocols.
  2. Implementations SHOULD provide clear error messages when they receive messages using unsupported optional protocols.
  3. Implementations MUST correctly generate and process all USM-related error reports (e.g., usmStatsUnsupportedSecLevels, usmStatsWrongDigests, usmStatsDecryptionErrors).

Algorithm Identifiers

The following algorithm identifiers MUST be supported:

  • usmNoAuthProtocol - for no authentication
  • usmHMACMD5AuthProtocol - for HMAC-MD5-96 authentication
  • usmNoPrivProtocol - for no privacy
  • usmDESPrivProtocol - for CBC-DES privacy

The following algorithm identifier MAY be supported:

  • usmHMACSHAAuthProtocol - for HMAC-SHA-96 authentication