Background: Know: OID tree, Recognize: USM

View-based Access Control Model (VACM)

The other concept related to SNMPv3 security is the User-based Security Model (USM).

View-based access control (VACM) is an SNMPv3 mechanism defined in RFC 2575. It provides access control to the MIB, which SNMPv1 and SNMPv2 also provide, but by a different method. More specifically, SNMPv1 and SNMPv2 select MIB ranges and access rights by community string, whereas VACM uses a more complex and stricter model to control access to, and configuration of, the MIB.

VACM needs the content of msgFlags, msgSecurityModel and the scopedPDU from the SNMPv3 packet. msgFlags carries the security level that VACM checks, msgSecurityModel identifies the security model in use, and the scopedPDU, which carries the context and the OIDs, lets the request be matched exactly; this is the strong point compared with SNMPv1 and SNMPv2.

Each variable in the PDU must be matched exactly; otherwise an error is reported or access is refused. VACM splits the information to be matched across four tables: vacmSecurityToGroupTable, vacmContextTable, vacmAccessTable and vacmViewTreeFamilyTable. Although the four tables control different aspects of access permission, all of them can be modified remotely through the VACM MIB, so write access to the VACM MIB objects must itself be tightly restricted.

vacmSecurityToGroupTable stores group membership. It is indexed by the pair securityModel and securityName, which together identify an entry uniquely and map it to a group. NoSuchContext is sent back if no entry matches.

vacmContextTable defines the set of managed entities (contexts) that SNMPv3 can access. It lists every context the local entity can access, keyed by contextName. NoSuchContext is sent back if no entry matches.

vacmAccessTable controls the access rights for a request whose group and context have already been matched by vacmSecurityToGroupTable and vacmContextTable. Its lookup parameters are groupName, contextPrefix, securityModel and securityLevel. If no access entry matches, access is refused and NoAccessEntry is returned.

vacmViewTreeFamilyTable stores MIB views, each defined by OID subtrees together with masks. An OID belongs to a view family when two conditions hold: the OID is at least as long as the subtree, and OID & mask == subtree & mask, i.e. the two agree in every sub-identifier position where the mask bit is 1. The table is indexed by viewName, which comes from vacmAccessTable, and the match is made against the variableName (OID) taken from the PDU. If the OID belongs to no MIB view, the system refuses further access and returns notInView; if the OID matches the MIB view, access is allowed and accessAllowed is returned.
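The four-table lookup described above, as an added example that is not part of this page or of any SNMP implementation. It models the isAccessAllowed() walk from RFC 3415 (which checks the context before the group) including the subtree-and-mask test; all table contents, the user and group names, and the OIDs are constructed for illustration, and the status names follow RFC 3415.

```python
# Added example (not from the page or any SNMP implementation): a minimal
# model of the RFC 3415 isAccessAllowed() walk through the four VACM tables.
# All table contents below are constructed; status names follow RFC 3415.

SEC_TO_GROUP = {(3, "opsuser"): "opsgroup"}      # vacmSecurityToGroupTable; 3 = USM
CONTEXTS = {""}                                  # vacmContextTable; "" = default context
# vacmAccessTable, keyed (groupName, contextName, securityModel, securityLevel);
# securityLevel: 1 noAuthNoPriv, 2 authNoPriv, 3 authPriv. Exact-key lookup only:
# RFC 3415's best-match rules for several candidate rows are not modelled.
ACCESS = {("opsgroup", "", 3, 2): {"read": "sysview", "write": "", "notify": ""}}
# vacmViewTreeFamilyTable: viewName -> [(subtree, mask bits, included)].
# A mask shorter than the subtree is padded with 1 bits (RFC 3415).
VIEWS = {"sysview": [
    ((1, 3, 6, 1, 2, 1, 1), (), True),                       # system subtree, full mask
    ((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 3), (1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1), True),  # ifEntry.<any column>.3
    ((1, 3, 6, 1, 2, 1, 1, 6), (), False),                   # sysLocation excluded
]}

def in_family(oid, subtree, mask):
    """OID is in the family if it is at least as long as the subtree and every
    sub-identifier where the mask bit is 1 equals the subtree's."""
    if len(oid) < len(subtree):
        return False
    bits = tuple(mask) + (1,) * (len(subtree) - len(mask))
    return all(b == 0 or o == s for o, s, b in zip(oid, subtree, bits))

def in_view(view_name, oid):
    families = [f for f in VIEWS.get(view_name, []) if in_family(oid, f[0], f[1])]
    if not families:
        return False
    # RFC 3415: the longest matching subtree wins; ties go to the lexicographically greatest
    best = max(families, key=lambda f: (len(f[0]), f[0]))
    return best[2]

def is_access_allowed(sec_model, sec_name, context, sec_level, view_type, oid):
    """Return the status name RFC 3415's isAccessAllowed() would give."""
    if context not in CONTEXTS:
        return "noSuchContext"
    group = SEC_TO_GROUP.get((sec_model, sec_name))
    if group is None:
        return "noGroupName"
    entry = ACCESS.get((group, context, sec_model, sec_level))
    if entry is None:
        return "noAccessEntry"
    view = entry[view_type]
    if not view:
        return "noSuchView"
    return "accessAllowed" if in_view(view, oid) else "notInView"
```

Note how sysLocation.0 is refused even though it sits under the included system subtree: the longer, excluded family wins the tie-break.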

The access control model VACM defines is complex to understand, but it is what makes SNMPv3's modular design possible.

Shifted from xxAN :

VACM, defined in RFC 3415, specifies the components of the procedure for controlling access to management information in the managed objects. It is an SNMPv3 mechanism that provides the ability to limit access to objects on a per-user or per-group basis at different levels of security, i.e., noAuthNoPriv, authNoPriv and authPriv.

See also

Corresponding TELE9752 lecture slide