The security protocols defined in this memo employ several
types of mechanisms in order to realize the goals and security
services described above:
In support of data integrity, a message digest algorithm
is required. A digest is calculated over an appropriate
portion of a SNMPv2 message and included as part of the
message sent to the recipient.
In support of data origin authentication and data
integrity, the portion of a SNMPv2 message that is
digested is first prefixed with a secret value shared by
the originator of that message and its intended
recipient.
To protect against the threat of message delay or replay
(to an extent greater than can occur through normal
operation), a timestamp value is included in each message
generated. A recipient evaluates the timestamp to
determine whether the message is recent. This protection
against the threat of message delay or replay neither
implies nor provides any protection against unauthorized
deletion or suppression of messages. Other mechanisms
defined independently of the security protocol can also
be used to detect message replay (e.g., the request-id
[2]) or, for set operations, the re-ordering, replay,
deletion, or suppression of messages (e.g., the MIB
variable snmpSetSerialNo [14]).
In support of data confidentiality, a symmetric
encryption algorithm is required. An appropriate portion
of the message is encrypted prior to being transmitted to
its recipient.
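The following is an added example, not text or code from this memo: it
models the integrity, data origin authentication and timestamp
mechanisms above in Python. The digest is computed over the protected
portion prefixed with the shared secret, as described, using MD5 (the
digest this memo goes on to select in Section 1.5.1). The field layout
(digest || timestamp || request-id || PDU), the 16-octet secret, the
150-second lifetime and the PDU bytes are all constructed for the
example and are not the memo's BER encoding; the request-id check is
the independent replay detection the text refers to and is not part of
the security protocol proper. Confidentiality (the symmetric encryption
step) is not shown.

```python
"""Prefix-digest authentication plus timestamp recency check, modelled
on the mechanisms in RFC 1446 section 1.4 (added example; simplified
wire layout, not the memo's encoding)."""
import hashlib
import hmac
import struct

# Constructed 16-octet shared secret and an assumed lifetime window.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
LIFETIME = 150  # seconds a message is still considered "recent"

DIGEST_LEN = 16


def build_message(secret, request_id, timestamp, pdu):
    """Return digest || timestamp || request-id || pdu.

    The digest covers the timestamp/request-id/pdu portion *prefixed*
    with the shared secret; only a holder of the secret can produce a
    digest that verifies, which gives data origin authentication on
    top of integrity."""
    portion = struct.pack(">II", timestamp, request_id) + pdu
    digest = hashlib.md5(secret + portion).digest()
    return digest + portion


class Receiver:
    """Checks digest, timestamp recency and request-id replay."""

    def __init__(self, secret, lifetime=LIFETIME):
        self.secret = secret
        self.lifetime = lifetime
        # request-ids accepted inside the current window: the timestamp
        # alone does not stop a replay that arrives within the window
        self.seen = {}

    def verify(self, wire, now):
        if len(wire) < DIGEST_LEN + 8:
            return "wrongLength"
        digest, portion = wire[:DIGEST_LEN], wire[DIGEST_LEN:]
        expected = hashlib.md5(self.secret + portion).digest()
        # constant-time compare so a mismatch does not leak which byte differed
        if not hmac.compare_digest(digest, expected):
            return "authenticationFailure"
        timestamp, request_id = struct.unpack(">II", portion[:8])
        # "recent" = within lifetime of the receiver's clock on either side,
        # since the two clocks are only loosely synchronized
        if abs(now - timestamp) > self.lifetime:
            return "notInTimeWindow"
        # forget request-ids whose window has expired so the set stays bounded
        self.seen = {rid: ts for rid, ts in self.seen.items()
                     if abs(now - ts) <= self.lifetime}
        if request_id in self.seen:
            return "replay"
        self.seen[request_id] = timestamp
        return "ok"


def demo():
    """Exercise the accept, replay, tamper, stale and wrong-key cases."""
    rx = Receiver(SECRET)
    pdu = b"\x30\x00"  # constructed placeholder for a PDU
    msg = build_message(SECRET, 7, 1000, pdu)
    results = [rx.verify(msg, 1010)]                     # fresh: ok
    results.append(rx.verify(msg, 1020))                 # same request-id in window: replay
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])        # flip one PDU bit
    results.append(rx.verify(tampered, 1010))            # authenticationFailure
    results.append(rx.verify(msg, 1000 + LIFETIME + 1))  # outside window: notInTimeWindow
    forged = build_message(b"wrong secret!!!!", 8, 1000, pdu)
    results.append(rx.verify(forged, 1010))              # wrong secret: authenticationFailure
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the example makes visible: a replayed message that arrives
inside the lifetime window passes the timestamp test and is caught only
by the request-id bookkeeping, which is exactly why the memo points to
request-id and snmpSetSerialNo as separate mechanisms; and none of the
checks can tell the receiver that a message was deleted or suppressed
in transit. Note also that digesting secret || message with a
Merkle-Damgard hash such as MD5 is, in general, exposed to
length-extension; later SNMP security (the USM of RFC 3414) moved to
HMAC for this reason.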
The security protocols in this memo are defined independently
of the particular choice of a message digest and encryption
algorithm - owing principally to the lack of a suitable metric
by which to evaluate the security of particular algorithm
choices. However, in the interests of completeness and in
order to guarantee interoperability, Sections 1.5.1 and 1.5.2
specify particular choices, which are considered acceptably
secure as of this writing. In the future, this memo may be
updated by the publication of a memo specifying substitute or
alternate choices of algorithms, i.e., a replacement for or
addition to the sections below.