The protocols described in Sections 3 and 4 assume the
existence of loosely synchronized clocks and shared secret
values. Three requirements constrain the strategy by which
clock values and secrets are distributed.
(1)  If the value of an authentication clock is decreased, the
     private authentication key must be changed concurrently.

     When the value of an authentication clock is decreased,
     messages that have been sent with a timestamp value
     between the old value of the authentication clock and its
     new value may be replayed. Changing the private
     authentication key obviates this threat.
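The replay window that a decreased authentication clock opens, and why changing the key at the same time closes it, can be seen in this added Python model (an illustration, not part of this specification). It assumes a simplified receiver that verifies a digest computed as MD5 over the private authentication key prepended to the message and accepts a message only if its timestamp plus a lifetime is not older than the receiver's authentication clock; LIFETIME, the keys, the clock values and the payload are constructed.

```python
import hashlib
from dataclasses import dataclass

LIFETIME = 150  # constructed lifetime, in clock units

def digest(key, timestamp, payload):
    # Simplified stand-in for the Digest Authentication Protocol (assumption):
    # the private authentication key is prepended to the message before hashing.
    return hashlib.md5(key + timestamp.to_bytes(4, "big") + payload).digest()

@dataclass
class Message:
    timestamp: int
    payload: bytes
    auth: bytes

def send(key, timestamp, payload):
    return Message(timestamp, payload, digest(key, timestamp, payload))

class Receiver:
    """One party's view of a peer: its authentication clock and shared key."""

    def __init__(self, key, clock):
        self.key = key
        self.clock = clock

    def accept(self, m):
        if digest(self.key, m.timestamp, m.payload) != m.auth:
            return False  # digest does not verify under the current key
        if m.timestamp + LIFETIME < self.clock:
            return False  # timestamp too old relative to the authentication clock
        self.clock = max(self.clock, m.timestamp)  # receipt never moves the clock back
        return True

def replay_scenario(change_key):
    """Returns (first delivery, replay after clock advanced, replay after clock decreased)."""
    k1, k2 = b"old-secret", b"new-secret"  # constructed keys
    rx = Receiver(k1, clock=100)
    original = send(k1, 100, b"constructed request")
    first = rx.accept(original)
    rx.clock = 500  # time passes; the clock has advanced well past the timestamp
    late = rx.accept(original)  # ordinary replay is rejected by the lifetime check
    rx.clock = 50  # the authentication clock is decreased
    if change_key:
        rx.key = k2  # the requirement above: change the key concurrently
    return first, late, rx.accept(original)
```

With change_key=False the recorded message is accepted again once the clock has been decreased; with change_key=True the old digest no longer verifies and it is rejected.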
(2)  The private authentication key and private privacy key
     must be known only to the parties requiring knowledge of
     them.

     Protecting the secrets from disclosure is critical to the
     security of the protocols. Knowledge of the secrets must
     be as restricted as possible within an implementation.
     In particular, although the secrets may be known to one
     or more persons during the initial configuration of a
     device, the secrets should be changed immediately after
     configuration such that their actual value is known only
     to the software. A management station has the additional
     responsibility of recovering the state of all parties
     whenever it boots, and it may address this responsibility
     by recording the secrets on a long-term storage device.
     Access to information on this device must be as
     restricted as is practically possible.
(3)  There must exist at least one SNMPv2 entity that assumes
     the role of a responsible management station.

     This management station is responsible for ensuring that
     all authentication clocks are synchronized and for
     changing the secret values when necessary. Although more
     than one management station may share this
     responsibility, their coordination is essential to the
     secure management of the network. The mechanism by which
     multiple management stations ensure that no more than one
     of them attempts to synchronize the clocks or update the
     secrets at any one time is a local implementation issue.
     A responsible management station may either support clock
     synchronization and secret distribution as separate
     functions, or combine them into a single functional unit.
The first section below specifies the procedures by which a
SNMPv2 entity is initially configured. The next two sections
describe one strategy for distributing clock values and one
for determining a synchronized clock value among SNMPv2
parties supporting the Digest Authentication Protocol. For
SNMPv2 parties supporting the Symmetric Privacy Protocol, the
next section describes a strategy for distributing secret
values. The last section specifies the procedures by which a
SNMPv2 entity recovers from a "crash."