SNMP Version Comparison
The following table compares three main versions of the SNMP protocol (v1, v2, and v3). SNMP v2 has a number of versions and extensions, the most popular being SNMP v2c and SNMP v2u. In this comparison, we use SNMP v2c and generically call it SNMP v2.
| Property | SNMP v1 | SNMP v2 | SNMP v3 |
|---|---|---|---|
| Release Date | 1988 | 1993 | 1998 |
| Deprecated | Yes | Yes | No |
| Community Strings ¹ | Yes | Yes | Yes |
| 64-bit Data Structures | No ² | Yes | Yes |
| Detection of Malformed Packets | No | Yes | Yes |
| Transport Protocol | UDP | UDP | UDP, TCP, SNMP over TLS |
| Cryptographic Security | No | No | Yes ³ |
| Default Password | Yes | Yes | No |
| Data Encryption | No ⁴ | Yes (DES, SHA, MD5, AES) | Yes (DES, SHA, MD5, AES) |
| Security Model | Community String | Community String | User |
| Vulnerable to Sniffing | Yes | Yes | Yes |
| Vulnerable to Masquerading | Yes | Yes | No |
| Vulnerable to Brute Force | Yes | Yes | No |
| Vulnerable to Injection | Yes | No | No |
| Vulnerable to Replay Attacks | Yes | No | No |
¹ Community strings establish an identification for the network to be monitored by SNMP. That identification establishes the perimeter for your SNMP network. However, it does not provide a means to authenticate requests and responses, which exposes SNMP v1 to a number of attacks.

² SNMP v1 uses 32-bit data structures. Metrics that grow exponentially, such as the data transfer of network cards, can easily exceed what a 32-bit data structure can hold.

³ Cryptographic security was added only in SNMP v3; earlier versions are vulnerable to a number of attacks, including man-in-the-middle (MITM) attacks, and to hash collisions if Message-Digest 5 (MD5) is used.

⁴ Communication between the agent and the NMS on SNMP v1 is done in plain text, allowing plain-text passwords to be captured.
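
The weak settings in the table (community strings, default passwords, MD5/DES) can be checked for in an agent's configuration. The following is an added example, not part of the original page: it assumes Net-SNMP's `snmpd.conf` directives (`rocommunity`, `rwcommunity`, `com2sec`, `createUser`, `rouser`, `rwuser`), and the sample configuration, severity labels, and function name are constructed for illustration.

```python
import shlex

# Constructed sample in Net-SNMP snmpd.conf syntax (assumption; not from the page).
SAMPLE_CONF = '''\
rocommunity public 10.0.0.0/8        # v1/v2c, default community
rwcommunity s3cr3t-ops 10.0.5.10     # v1/v2c, write access
com2sec legacy default private
createUser monitor SHA "auth-passphrase-1" AES "priv-passphrase-1"
createUser oldnms MD5 "auth-passphrase-2" DES "priv-passphrase-2"
rouser monitor priv
rouser oldnms auth
rouser probe noauth
'''

DEFAULTS = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
WEAK_ALGS = {"MD5", "DES"}

def audit_snmpd_conf(text):
    """Return (line_no, severity, message) for each weak SNMP setting found."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # honours quotes and '#' comments
        if len(tok) < 2:
            continue
        name, args = tok[0], tok[1:]
        if args[0] in ("-e", "-s") and len(args) > 2:  # -e ENGINEID / -s SECMODEL
            args = args[2:]
        if name in COMMUNITY_DIRECTIVES or name == "com2sec":
            community = args[-1] if name == "com2sec" else args[0]  # com2sec: last arg
            default = community.lower() in DEFAULTS
            sev = "HIGH" if default or name.startswith("rw") else "MEDIUM"
            kind = "default community" if default else "community"
            findings.append((no, sev, f"{name}: v1/v2c {kind} string sent in plain text"))
        elif name == "createUser":
            # createUser USER AUTHALG AUTHPASS [PRIVALG [PRIVPASS]]
            for alg in (a for a in args[1:4:2] if a.upper() in WEAK_ALGS):
                findings.append((no, "MEDIUM", f"user {args[0]}: weak algorithm {alg}"))
        elif name in ("rouser", "rwuser"):
            level = args[1].lower() if len(args) > 1 else "auth"  # snmpd default level
            if level == "noauth":
                findings.append((no, "HIGH", f"user {args[0]}: no authentication"))
            elif level == "auth":
                findings.append((no, "MEDIUM", f"user {args[0]}: payload not encrypted"))
    return findings

if __name__ == "__main__":
    for no, sev, msg in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no}: [{sev}] {msg}")
```
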
For an introduction to SNMP, refer to SNMP Overview.