2.3. Time Synchronization

Time synchronization between SNMP engines is essential for the replay protection mechanism to work effectively. The User-based Security Model uses a time synchronization protocol that allows a non-authoritative SNMP engine to learn the current time values from an authoritative SNMP engine.

Time Synchronization Process

  1. Initial State: When a non-authoritative SNMP engine first communicates with an authoritative SNMP engine, it does not know the authoritative engine's current time values.

  2. Discovery: The non-authoritative engine sends a message to the authoritative engine. This message can be:

    • An unauthenticated message (securityLevel = noAuthNoPriv) with msgUserName of zero length, or
    • An authenticated message with a userName that is unknown to the authoritative engine
  3. Response: The authoritative engine responds with a Report message containing:

    • msgAuthoritativeEngineID
    • msgAuthoritativeEngineBoots
    • msgAuthoritativeEngineTime
  4. Synchronization: The non-authoritative engine stores these values and uses them for subsequent authenticated message exchanges with that authoritative engine.

Time Updates

The non-authoritative SNMP engine updates its notion of the authoritative engine's time whenever it receives an authenticated message from that engine. The update process is:

  1. Calculate the time differential between the received msgAuthoritativeEngineTime and the locally stored time.
  2. If the differential is within acceptable bounds (< 150 seconds), update the local notion of the authoritative engine's time.
  3. If the differential is too large, the message is considered outside the time window and is discarded.

Time Window Considerations

The time window of 150 seconds was chosen to:

  • Allow for reasonable clock skew between SNMP engines
  • Limit the window of opportunity for message replay attacks
  • Accommodate typical network delays and processing times

This time window means that authenticated messages are only considered valid if they arrive within 150 seconds of being generated.
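The discovery exchange and the timeliness rules described above, as an added example that is not part of the original page: a self-contained Python simulation of one authoritative engine and one non-authoritative (manager-side) engine, with no network I/O. Engine IDs, user names, boot counters and clock values are constructed. The update rule follows RFC 3414 section 3.2 step 7 (a received boots/time pair is adopted only when it is newer than the stored one, and the snmpEngineBoots counter is compared before the 150-second check), which is the precise form of steps 1 to 3 in the Time Updates list.

```python
"""Added example: USM (RFC 3414) engine discovery and the 150-second
timeliness window, simulated in plain Python without a network.
All engine IDs, user names, boots and clock values are constructed."""
from dataclasses import dataclass, field

TIME_WINDOW = 150              # seconds, the window discussed in the text
MAX_ENGINE_BOOTS = 2147483647  # snmpEngineBoots ceiling from RFC 3414


@dataclass
class Message:
    """The USM header fields that matter for timeliness."""
    user: bytes          # msgUserName
    engine_id: bytes     # msgAuthoritativeEngineID
    boots: int           # msgAuthoritativeEngineBoots
    time: int            # msgAuthoritativeEngineTime
    authenticated: bool  # securityLevel is authNoPriv or authPriv


@dataclass
class AuthoritativeEngine:
    engine_id: bytes
    boots: int
    time: int   # snmpEngineTime at the moment of the call (simulated clock)
    users: set = field(default_factory=set)

    def handle(self, msg: Message):
        """Return ('report', Message) for discovery, otherwise ('ok'|'notInTimeWindow', None)."""
        # Discovery: unknown engine ID, empty msgUserName, or a user this engine does not know.
        if msg.engine_id != self.engine_id or msg.user == b"" or msg.user not in self.users:
            report = Message(b"", self.engine_id, self.boots, self.time, False)
            return ("report", report)
        if not msg.authenticated:
            return ("ok", None)
        # Timeliness check on the authoritative side: boots must match and the
        # time must be within +/-150 s of this engine's own snmpEngineTime.
        if (self.boots == MAX_ENGINE_BOOTS
                or msg.boots != self.boots
                or abs(msg.time - self.time) > TIME_WINDOW):
            return ("notInTimeWindow", None)
        return ("ok", None)


@dataclass
class TimeEntry:
    """What a non-authoritative engine remembers about one authoritative engine."""
    boots: int
    time: int                  # authoritative time at the last synchronization
    local_anchor: int          # local clock reading at that moment
    latest_received_time: int  # latestReceivedEngineTime from RFC 3414


class NonAuthoritativeEngine:
    def __init__(self):
        self.lcd = {}  # engine_id -> TimeEntry (the Local Configuration Datastore)

    def discover(self, auth: AuthoritativeEngine, now: int) -> Message:
        """Send an empty-user noAuthNoPriv message and store the Report's values."""
        kind, report = auth.handle(Message(b"", b"", 0, 0, False))
        assert kind == "report"
        self.lcd[report.engine_id] = TimeEntry(report.boots, report.time, now, report.time)
        return report

    def notion(self, engine_id: bytes, now: int):
        """Local notion of the authoritative engine's (boots, time) at local time `now`."""
        e = self.lcd[engine_id]
        return e.boots, e.time + (now - e.local_anchor)

    def build(self, engine_id: bytes, user: bytes, now: int) -> Message:
        """Stamp an outgoing authenticated message with the stored time values."""
        boots, t = self.notion(engine_id, now)
        return Message(user, engine_id, boots, t, True)

    def receive(self, msg: Message, now: int) -> str:
        """Process an authenticated message from an authoritative engine."""
        e = self.lcd.get(msg.engine_id)
        if e is None:
            return "unknownEngineID"
        boots, local_time = self.notion(msg.engine_id, now)
        # Steps 1-2: compare with the local notion and adopt the newer value.
        if msg.boots > boots or (msg.boots == boots and msg.time > e.latest_received_time):
            self.lcd[msg.engine_id] = TimeEntry(msg.boots, msg.time, now, msg.time)
            boots, local_time = msg.boots, msg.time
        # Step 3: a message from an older boot or more than 150 s behind is discarded.
        if (boots == MAX_ENGINE_BOOTS or msg.boots < boots
                or (msg.boots == boots and msg.time < local_time - TIME_WINDOW)):
            return "notInTimeWindow"
        return "ok"


def demo():
    """Walk through discovery, a fresh message, a replay, and a reboot."""
    auth = AuthoritativeEngine(b"\x80\x00\x00\x00\x01", boots=3, time=1000, users={b"monitor"})
    mgr = NonAuthoritativeEngine()
    mgr.discover(auth, now=500)                                   # learns boots=3, time=1000
    fresh = mgr.build(auth.engine_id, b"monitor", now=520)        # stamped boots=3, time=1020
    auth.time = 1025
    results = {"fresh": auth.handle(fresh)[0]}                    # 5 s apart: accepted
    auth.time = 1625
    results["replayed"] = auth.handle(fresh)[0]                   # same bytes 10 min later: rejected
    auth.boots, auth.time = 4, 20                                 # authoritative engine rebooted
    stale = mgr.build(auth.engine_id, b"monitor", now=530)        # still carries boots=3
    results["after_reboot"] = auth.handle(stale)[0]
    resync = Message(b"monitor", auth.engine_id, 4, 20, True)     # authenticated reply from the engine
    results["resync"] = mgr.receive(resync, now=540)
    results["notion"] = mgr.notion(auth.engine_id, now=540)
    return results


if __name__ == "__main__":
    print(demo())
```

The `demo` walk-through shows the two failure modes the text cares about: a byte-identical message presented again after the window has passed is rejected by the authoritative engine, and after a reboot every message stamped with the old boots value is rejected until the manager sees an authenticated message carrying the new boots/time pair and updates its notion.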