2.4. SNMP Messages Using this Security Model

This section describes the format and structure of SNMP messages when using the User-based Security Model.

SNMPv3 Message Format

An SNMPv3 message using USM has the following structure:

SNMPv3Message ::= SEQUENCE {
    msgVersion INTEGER (3),
    msgGlobalData HeaderData,
    msgSecurityParameters OCTET STRING,
    msgData ScopedPduData
}

Message Components

1. msgVersion

  • Type: INTEGER
  • Value: 3 (for SNMPv3)
  • Purpose: Identifies the SNMP version

2. msgGlobalData (HeaderData)

Contains global message header information:

HeaderData ::= SEQUENCE {
    msgID INTEGER (0..2147483647),
    msgMaxSize INTEGER (484..2147483647),
    msgFlags OCTET STRING (SIZE(1)),
    msgSecurityModel INTEGER (1..2147483647)
}

Fields:

  • msgID: Unique identifier for coordinating request and response messages

    • Range: 0 to 2147483647
    • Used by request/response model to match responses to requests
  • msgMaxSize: Maximum message size the sender can accept

    • Minimum: 484 octets
    • Used for message size negotiation
  • msgFlags: OCTET STRING of 1 octet containing bit flags

    • Bit 0 (LSB): authFlag - 1 if authentication used, 0 otherwise
    • Bit 1: privFlag - 1 if privacy (encryption) used, 0 otherwise
    • Bit 2: reportableFlag - 1 if a Report-PDU should be sent on error
    • Bits 3-7: Reserved, must be zero
  • msgSecurityModel: Identifies the security model in use

    • Value: 3 for User-based Security Model (USM)

3. msgSecurityParameters

For USM, this is an OCTET STRING containing the BER-encoded UsmSecurityParameters:

UsmSecurityParameters ::= SEQUENCE {
    msgAuthoritativeEngineID OCTET STRING,
    msgAuthoritativeEngineBoots INTEGER (0..2147483647),
    msgAuthoritativeEngineTime INTEGER (0..2147483647),
    msgUserName OCTET STRING (SIZE(0..32)),
    msgAuthenticationParameters OCTET STRING,
    msgPrivacyParameters OCTET STRING
}

Fields:

  • msgAuthoritativeEngineID: The snmpEngineID of the authoritative SNMP engine

    • For requests: The command responder's engineID
    • For notifications: The notification originator's engineID
    • For responses: The command responder's engineID
    • For reports: The report sender's engineID
  • msgAuthoritativeEngineBoots: Boot counter of the authoritative engine

    • Range: 0 to 2147483647
    • Incremented when engine reinitializes
    • Used for replay protection
  • msgAuthoritativeEngineTime: Number of seconds since last boot

    • Range: 0 to 2147483647
    • Incremented each second
    • Used for replay protection and time window verification
  • msgUserName: The user (principal) on whose behalf the message is sent

    • Length: 0 to 32 octets
    • Must exist in the authoritative engine's usmUserTable
    • Case-sensitive
  • msgAuthenticationParameters: Authentication digest

    • Length depends on authentication protocol:
      • HMAC-MD5-96: 12 octets
      • HMAC-SHA-96: 12 octets
    • Empty (zero-length) if no authentication
    • Calculated over the entire message (with this field initially set to zeros)
  • msgPrivacyParameters: Privacy protocol parameters

    • For CBC-DES: 8 octets (salt value)
    • Empty (zero-length) if no privacy
    • Used to ensure different cipher initialization vectors

4. msgData (ScopedPduData)

The message payload, which can be either plaintext or encrypted:

ScopedPduData ::= CHOICE {
    plaintext ScopedPDU,
    encryptedPDU OCTET STRING
}

When privacy is NOT used (privFlag = 0):

  • msgData contains plaintext ScopedPDU

When privacy IS used (privFlag = 1):

  • msgData contains encryptedPDU (OCTET STRING)
  • The encrypted data is the BER-encoded ScopedPDU

ScopedPDU Format

ScopedPDU ::= SEQUENCE {
    contextEngineID OCTET STRING,
    contextName OCTET STRING,
    data ANY -- PDU from RFC 3416
}

Fields:

  • contextEngineID: The snmpEngineID for the context

    • Typically the same as msgAuthoritativeEngineID for non-proxy scenarios
    • May differ in proxy scenarios
  • contextName: The context name

    • Used with contextEngineID to identify the management information
    • Enables multiple virtual SNMP contexts on a single engine
  • data: The actual SNMP PDU

    • GetRequest, GetNextRequest, GetBulkRequest, SetRequest, InformRequest, SNMPv2-Trap, Response, or Report

Security Level Combinations

The msgFlags determine three security levels:

  1. noAuthNoPriv: authFlag=0, privFlag=0

    • No authentication, no privacy
    • msgAuthenticationParameters is empty
    • msgPrivacyParameters is empty
    • msgData is plaintext
  2. authNoPriv: authFlag=1, privFlag=0

    • Authentication without privacy
    • msgAuthenticationParameters contains digest
    • msgPrivacyParameters is empty
    • msgData is plaintext
  3. authPriv: authFlag=1, privFlag=1

    • Authentication and privacy
    • msgAuthenticationParameters contains digest
    • msgPrivacyParameters contains privacy parameters
    • msgData is encrypted

Note: Privacy without authentication (authFlag=0, privFlag=1) is not allowed. Such messages must be rejected.
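The security-level derivation above, as an added example that is not part of the original page or of the RFCs it draws on: it maps the one-octet msgFlags to a level, rejects the forbidden privacy-without-authentication combination and non-zero reserved bits, and then checks that msgAuthenticationParameters and msgPrivacyParameters are sized for that level. The digest and salt lengths are the ones this page lists (12-octet HMAC-MD5-96/HMAC-SHA-96 digest, 8-octet CBC-DES salt); other protocols would need their own entries. The sample flag values and the all-zero digest and salt in the demonstration are constructed.

```python
# Added example (not from the page or from RFC 3414 itself): derive the USM
# security level from msgFlags and check that the two parameter fields are
# sized for that level. Lengths follow the page: 12-octet HMAC-MD5-96 /
# HMAC-SHA-96 digest, 8-octet CBC-DES salt.

AUTH_FLAG = 0x01        # bit 0 (LSB): authFlag
PRIV_FLAG = 0x02        # bit 1: privFlag
REPORTABLE_FLAG = 0x04  # bit 2: reportableFlag
RESERVED_MASK = 0xF8    # bits 3-7: reserved, must be zero

AUTH_DIGEST_LEN = 12    # HMAC-MD5-96 and HMAC-SHA-96 both yield 12 octets
DES_SALT_LEN = 8        # msgPrivacyParameters for CBC-DES


class UsmMessageError(ValueError):
    """msgFlags or the USM parameters are malformed or inconsistent."""


def security_level(msg_flags: bytes) -> str:
    """Map the one-octet msgFlags to noAuthNoPriv, authNoPriv or authPriv.

    Rejects privFlag=1 with authFlag=0 (privacy without authentication is
    not allowed) and any non-zero reserved bit.
    """
    if len(msg_flags) != 1:
        raise UsmMessageError("msgFlags must be exactly one octet")
    flags = msg_flags[0]
    if flags & RESERVED_MASK:
        raise UsmMessageError("reserved msgFlags bits 3-7 must be zero")
    auth = bool(flags & AUTH_FLAG)
    priv = bool(flags & PRIV_FLAG)
    if priv and not auth:
        raise UsmMessageError("privacy without authentication is not allowed")
    if auth and priv:
        return "authPriv"
    if auth:
        return "authNoPriv"
    return "noAuthNoPriv"


def is_reportable(msg_flags: bytes) -> bool:
    """True when the sender asked for a Report-PDU on error (bit 2)."""
    return bool(msg_flags[0] & REPORTABLE_FLAG)


def check_usm_parameters(msg_flags: bytes, auth_params: bytes, priv_params: bytes) -> str:
    """Return the security level after checking the parameter lengths.

    A field is empty when its service is off and fixed-length when it is on;
    any other size means the message does not match its own flags.
    """
    level = security_level(msg_flags)
    want_auth = AUTH_DIGEST_LEN if level != "noAuthNoPriv" else 0
    want_priv = DES_SALT_LEN if level == "authPriv" else 0
    if len(auth_params) != want_auth:
        raise UsmMessageError(
            f"{level}: msgAuthenticationParameters must be {want_auth} octets, "
            f"got {len(auth_params)}")
    if len(priv_params) != want_priv:
        raise UsmMessageError(
            f"{level}: msgPrivacyParameters must be {want_priv} octets, "
            f"got {len(priv_params)}")
    return level


if __name__ == "__main__":
    # Constructed inputs mirroring the page's two message flow examples;
    # the zero-filled digest and salt are placeholders, not real values.
    print(check_usm_parameters(b"\x04", b"", b""))                   # noAuthNoPriv
    print(check_usm_parameters(b"\x07", b"\x00" * 12, b"\x00" * 8))  # authPriv
    for bad in (b"\x02", b"\x06"):  # privFlag set without authFlag
        try:
            security_level(bad)
        except UsmMessageError as err:
            print(f"rejected {bad.hex()}: {err}")
```

Checking the field lengths against the flags is cheap and catches a message whose flags claim authentication while carrying no digest, which a receiver should treat as malformed rather than fall through to the noAuthNoPriv path.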

Message Flow Examples

Example 1: noAuthNoPriv Discovery Request

SNMPv3Message {
    msgVersion: 3,
    msgGlobalData: {
        msgID: 12345,
        msgMaxSize: 65507,
        msgFlags: 0x04 (reportableFlag set),
        msgSecurityModel: 3
    },
    msgSecurityParameters: {
        msgAuthoritativeEngineID: "",
        msgAuthoritativeEngineBoots: 0,
        msgAuthoritativeEngineTime: 0,
        msgUserName: "",
        msgAuthenticationParameters: "",
        msgPrivacyParameters: ""
    },
    msgData: plaintext ScopedPDU {
        contextEngineID: "",
        contextName: "",
        data: GetRequest-PDU
    }
}
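The message above on the wire, as an added example that is not part of the original page or of the RFCs it cites: a minimal BER encoder and decoder that assembles the SNMPv3Message, HeaderData, UsmSecurityParameters and ScopedPDU structures from the earlier sections into the noAuthNoPriv discovery request of Example 1, then walks the bytes back into their fields. Only the types this message needs are implemented (INTEGER, OCTET STRING, SEQUENCE and the GetRequest-PDU tag from RFC 3416); the request-id of 1 and the helper names are assumptions, and an encryptedPDU is reported by kind only since its contents cannot be parsed without the privacy key.

```python
# Added example (not from the page or from the RFCs it cites): a minimal BER
# encoder/decoder for SNMPv3Message that builds the noAuthNoPriv discovery
# request of Example 1 and reads its fields back.

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
GET_REQUEST_PDU = 0xA0  # RFC 3416 GetRequest-PDU: context-specific [0], constructed
USM_MODEL = 3           # msgSecurityModel value for USM

def ber_len(n: int) -> bytes:
    """Definite length: one octet below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(v: int) -> bytes:
    # Non-negative only; the +8 keeps the top bit from reading as a sign bit.
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ber_octets(b: bytes) -> bytes:
    return tlv(OCTET_STRING, b)

def ber_seq(*items: bytes) -> bytes:
    return tlv(SEQUENCE, b"".join(items))

def usm_security_parameters(engine_id=b"", boots=0, time=0, user=b"", auth=b"", priv=b""):
    """BER-encoded UsmSecurityParameters SEQUENCE, before the OCTET STRING wrap."""
    return ber_seq(ber_octets(engine_id), ber_int(boots), ber_int(time),
                   ber_octets(user), ber_octets(auth), ber_octets(priv))

def snmpv3_message(msg_id, msg_flags, usm_params, msg_data, max_size=65507):
    """Assemble SNMPv3Message; the USM parameters travel inside an OCTET STRING."""
    header = ber_seq(ber_int(msg_id), ber_int(max_size), ber_octets(msg_flags), ber_int(USM_MODEL))
    return ber_seq(ber_int(3), header, ber_octets(usm_params), msg_data)

def discovery_message(msg_id: int = 12345, request_id: int = 1) -> bytes:
    """Example 1: msgFlags 0x04, empty USM fields, empty context, no varbinds."""
    pdu = tlv(GET_REQUEST_PDU, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_seq())
    scoped_pdu = ber_seq(ber_octets(b""), ber_octets(b""), pdu)
    return snmpv3_message(msg_id, b"\x04", usm_security_parameters(), scoped_pdu)

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV at pos, bounds-checked."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:
        nbytes = first & 0x7F
        if not 0 < nbytes <= 4:  # rejects the indefinite form and absurd lengths
            raise ValueError("unsupported BER length form")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past the end of the message")
    return tag, buf[pos:end], end

def children(content: bytes):
    """Split a constructed value into its (tag, content) members."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        items.append((tag, body))
    return items

def expect(item, tag: int) -> bytes:
    if item[0] != tag:
        raise ValueError(f"expected tag 0x{tag:02X}, got 0x{item[0]:02X}")
    return item[1]

def to_int(item) -> int:
    return int.from_bytes(expect(item, INTEGER), "big", signed=True)

def decode_message(buf: bytes) -> dict:
    """Walk an SNMPv3Message into its header and USM fields. msgData is reported
    by kind only: SEQUENCE is a plaintext ScopedPDU, OCTET STRING an encryptedPDU."""
    tag, content, end = read_tlv(buf)
    if tag != SEQUENCE or end != len(buf):
        raise ValueError("not a single SNMPv3Message SEQUENCE")
    version, header, sec_params, msg_data = children(content)
    msg_id, max_size, flags, model = children(expect(header, SEQUENCE))
    usm = children(expect(read_tlv(expect(sec_params, OCTET_STRING))[:2], SEQUENCE))
    engine_id, boots, etime, user, auth, priv = usm
    return {
        "msgVersion": to_int(version), "msgID": to_int(msg_id),
        "msgMaxSize": to_int(max_size), "msgFlags": expect(flags, OCTET_STRING),
        "msgSecurityModel": to_int(model),
        "msgAuthoritativeEngineID": expect(engine_id, OCTET_STRING),
        "msgAuthoritativeEngineBoots": to_int(boots),
        "msgAuthoritativeEngineTime": to_int(etime),
        "msgUserName": expect(user, OCTET_STRING),
        "msgAuthenticationParameters": expect(auth, OCTET_STRING),
        "msgPrivacyParameters": expect(priv, OCTET_STRING),
        "msgDataKind": "plaintext" if msg_data[0] == SEQUENCE else "encryptedPDU",
    }
```

Running `decode_message(discovery_message())` returns the Example 1 fields with msgFlags b"\x04" and all USM strings empty; the whole request encodes to 59 octets, well under the 484-octet minimum. The decoder checks every length against the buffer before slicing, which is the one place a hand-written BER reader most often goes wrong.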

Example 2: authPriv Authenticated and Encrypted Request

SNMPv3Message {
    msgVersion: 3,
    msgGlobalData: {
        msgID: 12346,
        msgMaxSize: 65507,
        msgFlags: 0x07 (authFlag, privFlag, reportableFlag),
        msgSecurityModel: 3
    },
    msgSecurityParameters: {
        msgAuthoritativeEngineID: 0x80001F8880...,
        msgAuthoritativeEngineBoots: 15,
        msgAuthoritativeEngineTime: 3045678,
        msgUserName: "admin",
        msgAuthenticationParameters: 0x9F3B7A2E... (12 octets),
        msgPrivacyParameters: 0x0000000012345678 (8 octets)
    },
    msgData: encryptedPDU (encrypted ScopedPDU)
}

Message Size Considerations

The minimum message size that implementations must support is 484 octets. This ensures:

  1. Room for message headers
  2. At least minimal PDU content
  3. Security parameters including authentication digest

Implementations should support larger messages (e.g., 65507 octets for UDP on IPv4) to accommodate:

  • Large variable bindings
  • GetBulk responses with many items
  • Encrypted messages with padding overhead

Special Message Cases

Report Messages

Report-PDUs are special responses used for error notification and information exchange (discovery, time synchronization). They:

  • May be sent without authentication (for discovery)
  • May be sent with authentication (for other errors)
  • Contain a single variable binding with an error counter OID
  • Use the msgID from the message that caused the report

Notification Messages

For InformRequest and SNMPv2-Trap PDUs:

  • The notification originator is the authoritative engine
  • msgAuthoritativeEngineID is the originator's engineID
  • The notification receiver must cache the originator's time values

This is the reverse of the command responder model, where the command responder is authoritative.