Dialogic SNMPv3 User guide

Type
User guide
SNMPv3 User GuideDialogic Session Border Controller
Dialogic Inc. Proprietary Page 1/12
SNMP v3 User Guide
Dialogic® BorderNet™ Session Border Controller (SBC)
Release 3.8.1
June 2019
Table of Contents
1. Introduction
1.1 Purpose of this Document
1.2 Glossary
1.3 Contact Us
2. About SNMP
2.1 SNMP Usage in BorderNet
2.2 Authentication and Privacy
2.3 SNMPv3 Discovery
3. SNMP Trap Managers
4. SNMPv3 Configuration Parameters
Copyright and Legal Notice
Copyright © 2014-2019 Dialogic Corporation. All Rights Reserved. You may not reproduce this document in whole or in part
without permission in writing from Dialogic Corporation at the address provided below.
All contents of this document are furnished for informational use only and are subject to change without notice and do not
represent a commitment on the part of Dialogic Corporation and its affiliates or subsidiaries ("Dialogic"). Reasonable effort is
made to ensure the accuracy of the information contained in the document. However, Dialogic does not warrant the accuracy of
this information and cannot accept responsibility for errors, inaccuracies or omissions that may be contained in this document.
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH DIALOGIC® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED,
BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED
IN A SIGNED AGREEMENT BETWEEN YOU AND DIALOGIC, DIALOGIC ASSUMES NO LIABILITY WHATSOEVER, AND DIALOGIC DISCLAIMS
ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF DIALOGIC PRODUCTS INCLUDING LIABILITY OR
WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY INTELLECTUAL
PROPERTY RIGHT OF A THIRD PARTY.
Dialogic products are not intended for use in certain safety-affecting situations.
Please see http://www.dialogic.com/company/terms-of-use.aspx for more details.
Due to diering national regulations and approval requirements, certain Dialogic products may be suitable for use only in specific
countries, and thus may not function properly in other countries. You are responsible for ensuring that your use of such products
occurs only in the countries where such use is suitable. For information on specific products, contact Dialogic Corporation at the
address indicated below or on the web at www.dialogic.com.
It is possible that the use or implementation of any one of the concepts, applications, or ideas described in this document, in
marketing collateral produced by or on web pages maintained by Dialogic may infringe one or more patents or other intellectual
property rights owned by third parties. Dialogic does not provide any intellectual property licenses with the sale of Dialogic
products other than a license to use such product in accordance with intellectual property owned or validly licensed by Dialogic
and no such licenses are provided except pursuant to a signed agreement with Dialogic. More detailed information about such
intellectual property is available from Dialogic's legal department at 6700 Cote-de-Liesse Road, Suite 100, Borough of Saint-
Laurent, Montreal, Quebec, Canada H4T 2B5. Dialogic encourages all users of its products to procure all necessary intellectual
property licenses required to implement any concepts or applications and does not condone or encourage any intellectual
property infringement and disclaims any responsibility related thereto. These intellectual property licenses may differ from
country to country and it is the responsibility of those who develop the concepts or applications to be aware of and comply
with different national license requirements.
Dialogic, Dialogic Pro, Dialogic Blue, Veraz, Brooktrout, Diva, BorderNet, PowerMedia, PowerVille, PowerNova, MSaaS,
ControlSwitch, I-Gate, Mobile Experience Matters, Network Fuel, Video is the New Voice, Making Innovation Thrive, Diastar, Cantata,
TruFax, SwitchKit, Eiconcard, NMS Communications, SIPcontrol, Exnet, EXS, Vision, inCloud9, NaturalAccess and Shiva, among
others as well as related logos, are either registered trademarks or trademarks of Dialogic Corporation and its affiliates or
subsidiaries. Dialogic's trademarks may be used publicly only with permission from Dialogic. Such permission may only be granted
by Dialogic's legal department at 6700 Cote-de-Liesse Road, Suite 100, Borough of Saint-Laurent, Montreal, Quebec, Canada H4T
2B5. Any authorized use of Dialogic's trademarks will be subject to full respect of the trademark guidelines published by Dialogic
from time to time and any use of Dialogic's trademarks requires proper acknowledgement.
The names of actual companies and products mentioned herein are the trademarks of their respective owners.
This document discusses one or more open source products, systems and/or releases. Dialogic is not responsible for your decision
to use open source in connection with Dialogic products (including without limitation those referred to herein), nor is Dialogic
responsible for any present or future effects such usage might have, including without limitation effects on your products, your
business, or your intellectual property rights.
Revision History
Revision | Release Date | Notes
1.0 | June 2019 | Initial version of document
1. Introduction
1.1 Purpose of this Document
This document describes the SNMPv3 feature in the BorderNet Session Border Controller (SBC) v3.8.1.
1.2 Glossary
For the purposes of this document the following abbreviations apply:
Abbreviation | Meaning
SNMP | Simple Network Management Protocol
1.3 Contact Us
For a list of Dialogic locations and offices, please visit: https://www.dialogic.com/contact.aspx.
2. About SNMP
The BorderNet SBC uses Simple Network Management Protocol (SNMP) for sending alarm traps to external SNMP managers, and
also for remote SNMP managers to retrieve limited information from the BorderNet via GET requests.
BorderNet SBC supports SNMPv3, which enables each SNMP packet to be both authenticated and encrypted in a secure way.
SNMPv1 and SNMPv2 use the SNMP Community String as a security mechanism.
The community string is like a user-ID or a password that allows access to a network element. It can be set as read only, allowing
only SNMP GET requests, or as read-write, allowing both GET and SET requests.
In both SNMPv1 and SNMPv2c the community string is sent as clear text in each SNMP packet, exposing it to anyone who
captures the SNMP packet.
SNMPv3 introduces a more secure mechanism, supporting authentication and privacy protocols. These protocols provide a higher
level of security than is available in SNMP v1 and v2c, which use community strings for security.
2.1 SNMP Usage in BorderNet
SNMP is used in the BorderNet SBC as follows:
• To send alarms as SNMP traps. The SNMP Trap Manager must be configured.
• To provide session information as a response to GET requests, supporting the below two OIDs. The SNMP Access-List must be
configured.
OID | Name | Description | State | Type
1.3.6.1.4.1.3028.6.8.1.1.1 | totalSessionSignaling | The total number of signaling sessions | read-only | Integer32
1.3.6.1.4.1.3028.6.8.1.1.2 | totalSessionMedia | The total number of media sessions | read-only | Integer32
The traps and GET requests do not have common configuration.
The traps will be sent to the servers configured as trap managers, and the GET request is allowed for every network element which
is allowed in the ACL.
Both the GET and traps use a fixed non-configurable 'public' community.
2.2 Authentication and Privacy
Authentication is used to ensure the identity of users, while privacy allows for encryption of SNMPv3 messages to ensure
confidentiality of data.
Both authentication and privacy are optional. However, you must enable authentication in order to enable privacy.
• Authentication - an HMAC algorithm is applied on the message together with an authentication key, and the final hashed
value is added to the message.
o The integrity of the message is protected by computing a digest over an appropriate portion of the message.
The digest is computed by the originator of the message, transmitted with the message, and verified by the recipient of the
message.
o Verification of the user on whose behalf the message was generated - a secret value known only to SNMP engines authorized
to generate messages on behalf of a user is used in HMAC mode.
• Privacy - an encryption algorithm is applied on a portion of the message prior to being transmitted, meaning the packet is
sent out encrypted.
There are three authentication and privacy combinations that are supported in SNMPv3:
• noAuthNoPriv: No authentication and no privacy (encryption) will be applied on the SNMP packets.
• authNoPriv: Authentication will be required, but the SNMP packets will not be encrypted.
• authPriv: Both authentication and privacy (encryption) will be applied on the SNMP packets.
SNMPv3 requires an application to know the identifier (snmpEngineID) of the remote SNMP protocol engine in order to retrieve or
manipulate objects maintained on the remote SNMP entity. The EngineID is also one of the inputs used for key derivation of the
authentication and privacy keys.
In order to learn the snmpEngineID of a remote SNMP protocol engine, a discovery mechanism is used.
SNMPv3 is defined by several documents:
• RFC 3410: "Introduction and Applicability Statements for Internet Standard," provides an overview of SNMPv3 and the related
documents.
• RFC 3414: "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)," a
specification that describes the threats, mechanisms, protocols, and supporting data used to provide SNMP message-level
security.
User-based security is described as follows: "The main idea is that we use the traditional concept of a user (identified by a userName)
with which to associate security information."
The authoritative SNMP engine for a trap packet is the sending SNMP agent.
Since the generator of the message and the authoritative engine are one and the same, there is no need for the SNMPv3 discovery
process. All the information is already inside the single trap message.
As mentioned, SNMPv3 traps use the engineID of the local application sending the trap rather than the engineID of the remote
application (like in a GET request). This means that you have to create users in your remote user database (the SNMP trap server)
for every engineID you wish to send traps from. Some servers allow all engineIDs and identify the traps by their user-name.
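The following added example (not taken from this guide or from Dialogic software) carries out the RFC 3414 key derivation to show why the engineID matters: the same passphrase yields a different localized key for each engineID, so a trap authenticated by one agent fails verification against a user entry created for another engineID. The passphrase and first engineID are the sample values from RFC 3414 Appendix A.3; the second engineID, the message bytes and the function names are constructed for illustration.

```python
import hashlib
import hmac

def password_to_key(passphrase: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the repeated passphrase to get the user key Ku."""
    if not passphrase:
        raise ValueError("passphrase must not be empty")
    reps, rem = divmod(1024 * 1024, len(passphrase))
    return hashlib.new(algo, passphrase * reps + passphrase[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind Ku to one engine: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_tag(kul: bytes, msg: bytes, algo: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: HMAC over the message, truncated to 12 octets.
    msg is the whole message with the authentication field zero-filled."""
    return hmac.new(kul, msg, algo).digest()[:12]

PASSPHRASE = b"maplesyrup"                            # sample passphrase, RFC 3414 A.3
ENGINE_A = bytes.fromhex("000000000000000000000002")  # sample engineID, RFC 3414 A.3
ENGINE_B = bytes.fromhex("000000000000000000000003")  # constructed second engineID
TRAP = b"constructed trap bytes, auth field zeroed"   # stand-in for an encoded message

def sender_tag(engine_id: bytes, algo: str = "sha1") -> bytes:
    """Agent side: a trap is authenticated with the key localized to its own engineID."""
    kul = localize_key(password_to_key(PASSPHRASE, algo), engine_id, algo)
    return auth_tag(kul, TRAP, algo)

def receiver_accepts(tag: bytes, user_engine_id: bytes, algo: str = "sha1") -> bool:
    """Trap server side: the user entry was created for user_engine_id."""
    kul = localize_key(password_to_key(PASSPHRASE, algo), user_engine_id, algo)
    return hmac.compare_digest(tag, auth_tag(kul, TRAP, algo))

if __name__ == "__main__":
    tag = sender_tag(ENGINE_A)
    print("user created for engine A accepts:", receiver_accepts(tag, ENGINE_A))
    print("user created for engine B accepts:", receiver_accepts(tag, ENGINE_B))
```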
2.3 SNMPv3 Discovery
An snmpEngineID is the unique and unambiguous identifier of an SNMP engine.
SNMPv3 requires that an application knows the identifier (snmpEngineID) of the remote SNMP protocol engine in order to retrieve
or manipulate objects maintained on the remote SNMP entity.
In order to learn the snmpEngineID of a remote SNMP protocol engine, a discovery mechanism is used.
From RFC 3414: "Discovery requires a non-authoritative SNMP engine to learn the authoritative SNMP engine's snmpEngineID
value before communication may proceed.
This may be accomplished by generating a Request message with a security level of noAuthNoPriv, a msgUserName of zero-length,
a msgAuthoritativeEngineID value of zero length, and the varBindList left empty.
The response to this message will be a Report message containing the snmpEngineID of the authoritative SNMP engine as the
value of the msgAuthoritativeEngineID field within the msgSecurityParameters field."
In other words, prior to making any SNMP request to an authoritative SNMP engine, it is required to send it a discovery packet,
which is basically an empty SNMPv3 packet and wait for the Report message that the agent will send in response.
The Report includes the authoritative SNMP engine ID, SNMP engine boots and SNMP engine time values that should be used in the
subsequent requests.
The engine boots value is the number of times the authoritative SNMP engine has been started, booted, executed, initialized, or assumed
any other state that can be called 'booted'. The engine time is the number of seconds since the authoritative SNMP engine
was last 'booted'. Together, these two values are used for the timeliness check.
The timeliness check verifies that the engine boots value in the arriving packet is identical to the value stored
on the authoritative SNMP engine and that the engine time is within 150 seconds of the value on the authoritative SNMP engine.
In other words, if the engine boots value in the incoming packet is not equal to the local value, or the engine time is outside the
150-second window when compared with the local value, the authoritative SNMP engine will discard the packet.
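The timeliness check described above, as an added example that is not part of the original guide or of BorderNet code. It runs the check from the authoritative engine's side over a few constructed messages. The class and function names are hypothetical, and two details go beyond the text and come from RFC 3414: the rule that an engine whose boots counter has reached its maximum rejects everything, and the usmStatsNotInTimeWindows counter.

```python
from dataclasses import dataclass

TIME_WINDOW = 150        # seconds, the window described above
MAX_BOOTS = 2147483647   # RFC 3414: at this value the engine rejects everything

@dataclass
class AuthoritativeEngine:
    boots: int                     # snmpEngineBoots of the agent
    time: int                      # snmpEngineTime, seconds since last boot
    not_in_time_windows: int = 0   # mirrors the usmStatsNotInTimeWindows counter

    def check(self, msg_boots: int, msg_time: int) -> str:
        """Return 'ok' or the reason the message fails the timeliness check."""
        if self.boots == MAX_BOOTS:
            reason = "boots counter at maximum"
        elif msg_boots != self.boots:
            reason = "engine boots mismatch"
        elif abs(msg_time - self.time) > TIME_WINDOW:
            reason = "engine time outside window"
        else:
            return "ok"
        self.not_in_time_windows += 1   # a steady rise suggests replay or clock drift
        return "discard: " + reason

# Constructed sample: (description, msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime)
SAMPLE = [
    ("fresh request",                7, 998),
    ("edge of window",               7, 850),
    ("capture replayed 200 s later", 7, 800),
    ("capture from before a reboot", 6, 1000),
]

def classify(engine: AuthoritativeEngine, messages) -> dict:
    """Run every sample message through the engine's timeliness check."""
    return {desc: engine.check(boots, t) for desc, boots, t in messages}

if __name__ == "__main__":
    agent = AuthoritativeEngine(boots=7, time=1000)
    for desc, verdict in classify(agent, SAMPLE).items():
        print(f"{desc:30} {verdict}")
    print("usmStatsNotInTimeWindows =", agent.not_in_time_windows)
```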
3. SNMP Trap Managers
SNMP Trap Managers are configured to manage sending alarms in real time to North-bound trap managers. For SNMPv3 traps
there is no discovery process.
To configure an SNMP Trap Manager:
1. From the System menu, select SNMP Trap Managers to access the SNMP Trap Manager screen.
2. Select the +Add SNMP Trap Manager button in the upper right corner of the screen to configure a new SNMP Trap Manager.
Explicit IP routes must be added for the SNMP Trap Manager.
3. Click Save.
SNMP is also used on BorderNet to provide session information as a response to GET requests, supporting the below two OIDs.
The SNMP Access List must be configured.
4. SNMPv3 Configuration Parameters
The traps and GET requests do not have common configuration. The traps will be sent to the servers configured as Trap Managers,
and the GET request is allowed for every network element which is enabled in the ACL.
Both the GET and traps use a fixed non-configurable 'public' community.
• SNMPv3 Mode. Type of security to be deployed. There is no privacy without authentication.
Possible values:
o No authentication, no privacy
o Authentication, no privacy
o Authentication, privacy
• User Name. Mandatory string 1-32 characters.
• Authentication Protocol. Authentication algorithm.
Possible values:
o None
o HMAC-MD5
o HMAC-SHA
• Privacy Protocol. Encryption algorithm.
Possible values:
o None
o DES
o AES-128
o AES-192
o AES-256
• Authentication Key. A phrase used as the secret for the authentication algorithm. Mandatory if 'Authentication Protocol'
parameter is not set to None.
• Privacy Key. A phrase used as the secret for the encryption algorithm. Mandatory if 'Privacy protocol' parameter is not set to
None.
Refer also to the table below:
Parameter | Type | Description | Optional values | Default value
SNMPv3 Mode | Drop-down | Which type of security should be deployed. A combination of privacy and authentication is listed. Note there is no privacy without authentication. | No Authentication, No Privacy; Authentication, No Privacy; Authentication, Privacy | No Authentication, No Privacy
User-Name | String | Username. Mandatory in any SNMPv3 mode. | String, 1 to 32 characters. (SIZE(1..32)) | None
Authentication protocol | Drop-down | Authentication algorithm (MD5/SHA) to be applied | None; HMAC-MD5; HMAC-SHA | None
Privacy Protocol | Drop-down | Encryption algorithm (DES/AES) to be applied | None; DES; AES-128; AES-192; AES-256 | None
Authentication Key | String | A phrase used as the secret for the authentication algorithm. Mandatory if 'Authentication protocol' parameter is not set to 'None' | String | None
Privacy Key | String | A phrase used as the secret for the encryption algorithm. Mandatory if 'Privacy protocol' parameter is not set to 'None' | String | None