A network expansion management method and device based on SNMPv3

By constructing an aggregated view configuration table and a data subscription management information base in the SNMPv3 network, and utilizing SetRequest and InformRequest PDUs to achieve proactive and reliable information subscription publishing, the problems of rigid data structure and low transmission efficiency in SNMPv3 network management are solved, thereby improving the efficiency and security of network management.

CN122160230APending Publication Date: 2026-06-05BEIJING CHANGYANG TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING CHANGYANG TECH CO LTD
Filing Date
2026-03-13
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing SNMPv3 network management suffers from rigid data structures, low transmission efficiency, and insufficient security in large-scale, highly dynamic network environments, especially in high-frequency monitoring scenarios where network overhead is high and the notification mechanism is unreliable.

Method used

By building an aggregated view configuration table and a data subscription management information base on the agent side, and using SetRequest and InformRequest PDUs to implement an active and reliable information subscription and publishing mechanism, combined with the SNMPv3 security and access control framework, the network management station is allowed to define logical data sets as needed and transmit data when trigger conditions are met.

Benefits of technology

It significantly improves the efficiency, real-time performance, and security of network management, reduces the workload of network management stations and agents, simplifies the application structure of network management stations, and enhances the security of data transmission.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160230A_ABST
    Figure CN122160230A_ABST
Patent Text Reader

Abstract

The application discloses a network expansion management method and device based on SNMPv3. The method comprises: constructing, at the proxy end, an aggregated view configuration management information base including an aggregated view configuration table and an aggregated view OID table, and a data subscription management information base including a subscription table; sending, by the network management station, a first and a second SetRequest PDU to the proxy end; creating, based on the first SetRequest PDU, an aggregated view in the aggregated view configuration table, assigning a unique name and ID to the aggregated view, and configuring, in the aggregated view OID table, a mapping relationship between each object identifier OID from different MIB trees and each aggregated view ID; creating, based on the second SetRequest PDU, a subscription entry in the subscription table, each subscription entry specifying a target aggregated view, a trigger condition and a security parameter; monitoring, by the proxy end, the target aggregated view in the subscription entry, and obtaining a target object identifier OID corresponding to the ID when the trigger condition is met; constructing, by the proxy end, an InformRequest PDU, and sending, based on the security parameter, data corresponding to the target object identifier OID to the network management station; and updating, by the network management station, the data based on the InformRequest PDU and sending back an acknowledgement. The application can improve the efficiency, real-time performance and security of network management.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to a network extension management method and apparatus based on SNMPv3. Background Technology

[0002] SNMPv3 (Simple Network Management Protocol version 3) is a widely adopted standard protocol in the field of network management. Building upon the functionality of previous versions, it significantly enhances security by providing message-level authentication, encryption, and access control mechanisms. An SNMPv3 network primarily consists of a Network Management Station (NMS) and agents on the managed devices. It uses a Management Information Base (MIB) to monitor the status, manage the configuration, and diagnose faults of network devices (such as routers, switches, and servers). Its core advantages lie in its User Security Model (USM) to ensure the confidentiality and integrity of data packets, and its View-Based Access Control Model (VACM) to achieve fine-grained access control over managed objects. This allows network administrators to perform remote operation and maintenance of cross-vendor devices within a unified and secure framework.

[0003] However, despite the significant progress SNMPv3 has made in security and standardization, its request-response polling model and rigid data structure organization still result in problems such as low network management efficiency, poor real-time performance, and insufficient security in actual large-scale network monitoring.

[0004] Therefore, there is an urgent need for a network extension management method and device based on SNMPv3 to solve the above problems. Summary of the Invention

[0005] This invention provides a network extended management method and apparatus based on SNMPv3, which can significantly improve the efficiency, real-time performance, and security of network management. The technical solution is as follows: On the one hand, a network extension management method based on SNMPv3 is provided, the method comprising: On the agent side, build an aggregate view configuration management information repository including an aggregate view configuration table and an aggregate view OID table, as well as a data subscription management information repository including a subscription table; In response to the network management station sending a first SetRequest PDU and a second SetRequest PDU to the agent and passing the authorization verification, at least one aggregate view is created in the aggregate view configuration table based on the first SetRequest PDU, and a unique name and ID are assigned to each aggregate view. The mapping relationship between each object identifier OID from different MIB trees and each aggregate view ID is configured in the aggregate view OID table. At least one subscription entry is created in the subscription table based on the second SetRequest PDU. Each subscription entry specifies its corresponding target aggregate view, triggering conditions, and SNMPv3 security parameters to be used when the agent sends a notification. The agent monitors the target aggregate view corresponding to each subscription item, and when the target aggregate view meets the triggering condition, it obtains the target object identifier (OID) corresponding to its ID. The proxy end is used to construct an InformRequest PDU, and the data corresponding to the target object identifier OID is sent to the network management station based on the security parameters; The network management station decrypts and verifies the received InformRequest PDU, and updates the data and sends back a Response-PDU for confirmation after successful verification.

[0006] On the other hand, a network extended management device based on SNMPv3 is provided, the device comprising: The building unit is used to build an aggregate view configuration management information repository, including an aggregate view configuration table and an aggregate view OID table, and a data subscription management information repository, including a subscription table, on the agent side. The configuration unit is configured to, in response to the network management station sending a first SetRequest PDU and a second SetRequest PDU to the agent and passing the authorization verification, create at least one aggregate view in the aggregate view configuration table based on the first SetRequest PDU, assign a unique name and ID to each aggregate view, and configure the mapping relationship between each object identifier OID from different MIB trees and each aggregate view ID in the aggregate view OID table; and create at least one subscription entry in the subscription table based on the second SetRequest PDU, each subscription entry specifying its corresponding target aggregate view, triggering conditions, and SNMPv3 security parameters to be used when the agent sends a notification. The monitoring unit is used to monitor the target aggregate view corresponding to each subscription entry using the agent, and when the target aggregate view meets the triggering condition, obtain the target object identifier (OID) corresponding to its ID. The sending unit is used to construct an InformRequest PDU using the proxy end and send the data corresponding to the target object identifier OID to the network management station based on the security parameters; The update unit is used by the network management station to decrypt and verify the received InformRequest PDU, and after successful verification, update the data and send back a Response-PDU for confirmation.

[0007] On the other hand, a computer device is provided, the computer device including a memory and a processor, the memory for storing computer programs, and the processor for executing the computer programs stored in the memory to implement the steps of the SNMPv3-based network extended management method described above.

[0008] On the other hand, a computer-readable storage medium is provided, wherein a computer program is stored therein, and when the computer program is executed by a processor, it implements the steps of the above-described SNMPv3-based network extended management method.

[0009] On the other hand, a computer program product is provided, including a computer program that, when executed by a processor, implements the steps of the SNMPv3-based network extended management method described above.

[0010] This invention provides a network extension management method and apparatus based on SNMPv3. First, no new PDU types are introduced; all operations (such as configuration, subscription, and publication) reuse SetRequest PDU and InformRequest PDU, fully encapsulated in SNMPv3 security messages, ensuring full compatibility with the SNMPv3 security and access control framework. Second, when creating a subscription entry, triggering conditions and SNMPv3 security parameters required for data feedback are specified, seamlessly integrating the control over "who can create aggregate views" and "who can create subscription entries" into the existing View Access Control Model (VACM) permissions, enhancing data transmission security. Furthermore, by subscribing to entries, the passive polling mechanism is transformed into an active and reliable information subscription and publishing mechanism, generating network traffic only when data meets the subscription conditions, significantly reducing the workload of the network management station, agent, and their transmission network. Additionally, the "aggregate view MIB" allows the network management station to define logical data sets as needed, transferring the complexity of data aggregation from the network management station to the agent, simplifying the network management station's application and making the structure more flexible. Therefore, this application does not require adding new PDU types, is fully compatible with the SNMPv3 security and access control framework, and changes passive polling to active subscription and publication, which significantly improves the efficiency, real-time performance and security of network management. Attached Figure Description

[0011] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0012] Figure 1 This is a flowchart of a network extension management method based on SNMPv3 provided in an embodiment of the present invention; Figure 2 This is an extended system architecture diagram based on SNMPv3 provided by an embodiment of the present invention, including a network management station, an agent, a newly added aggregated view configuration management information base SNMP-AGG-VIEW-MIB, a data subscription management information base SNMP-SUB-MIB, and an internal engine; Figure 3 This is a flowchart illustrating how a network management station uses SetRequest to create a subscription, according to an embodiment of the present invention. Figure 4 This is a flowchart of how an agent publishes data using InformRequest after the triggering conditions are met, according to an embodiment of the present invention. Figure 5 This is a structural diagram of a network extension management device based on SNMPv3 provided in an embodiment of the present invention; Figure 6 This is a hardware architecture diagram of a computer device provided in an embodiment of the present invention. Detailed Implementation

[0013] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative effort are within the scope of protection of the present invention.

[0014] As mentioned earlier, although SNMPv3 is very mature in terms of security and functionality, the inventors discovered that existing SNMPv3 networks still have the following technical problems when applied to large-scale, highly dynamic network environments: (1) Rigid data structure: If the NMS (Network Management Station) wants to obtain a set of logically related but physically scattered OIDs (Object Identifiers) (e.g., description, rate, error packets, and MAC address of an interface), it must construct a GetRequest or GetBulkRequest PDU containing multiple OIDs. The access control of VACM is also based on the OID tree and lacks direct support for "aggregated data view".

[0015] (2) Transmission efficiency depends on polling: The core operation mode of SNMP is the periodic polling of NMS. Even if the network device status does not change, the polling traffic still exists. This will generate huge network overhead in high-frequency monitoring scenarios (such as once per second).

[0016] (3) Limitations of the notification mechanism: Trap is unreliable (UDP, no response required).

[0017] InformRequest provides a reliable notification mechanism that requires an NMS response. However, it is typically triggered by predefined events on the Agent (such as link interruption or device restart), rather than by data thresholds subscribed to on demand by the NMS (such as "notify me when CPU utilization exceeds 80%)".

[0018] Based on this, the inventors proposed that improvements be made to the existing SNMPv3 network architecture to achieve a more flexible data structure and a more efficient "subscribe-publish" message transmission model.

[0019] The specific implementation of the method in this application is described in detail below.

[0020] Please refer to Figure 1 This invention provides a network extension management method based on SNMPv3, the method comprising: Step 100: On the agent side, construct an aggregate view configuration management information base including an aggregate view configuration table and an aggregate view OID table, as well as a data subscription management information base including a subscription table; Step 102: In response to the network management station sending the first SetRequest PDU and the second SetRequest PDU to the agent and passing the authorization verification, at least one aggregate view is created in the aggregate view configuration table based on the first SetRequest PDU, and a unique name and ID are assigned to each aggregate view. The mapping relationship between the object identifiers OID from different MIB trees and the aggregate view IDs is configured in the aggregate view OID table. At least one subscription entry is created in the subscription table based on the second SetRequest PDU. Each subscription entry specifies its corresponding target aggregate view, triggering conditions, and SNMPv3 security parameters to be used when the agent sends a notification. Step 104: Use the agent to monitor the target aggregation view corresponding to each subscription item, and when the target aggregation view meets the triggering condition, obtain the target object identifier (OID) corresponding to its ID. Step 106: Construct an InformRequest PDU using the proxy and send the data corresponding to the target object identifier OID to the network management station based on security parameters; Step 108: The network management station decrypts and verifies the received InformRequest PDU, updates the data after successful verification, and sends back a Response-PDU for confirmation.

[0021] In this embodiment, firstly, no new PDU types are introduced; all operations (such as configuration, subscription, and publication) reuse SetRequest PDU and InformRequest PDU, fully encapsulated in SNMPv3 security messages, ensuring full compatibility with the SNMPv3 security and access control framework. Secondly, when creating a subscription entry, the triggering conditions and SNMPv3 security parameters required for data feedback are specified, seamlessly integrating the control over "who can create aggregate views" and "who can create subscription entries" into the existing View Access Control Model (VACM) permissions, enhancing data transmission security. Furthermore, by subscribing to entries, the passive polling mechanism is transformed into an active and reliable information subscription and publishing mechanism, generating network traffic only when data meets the subscription conditions, significantly reducing the workload of the network management station, agent, and their transmission network. Additionally, the "Aggregate View MIB" allows the network management station to define logical data sets as needed, shifting the complexity of data aggregation from the network management station to the agent, simplifying the network management station's application and making the structure more flexible. Therefore, this application does not require adding new PDU types, is fully compatible with the SNMPv3 security and access control framework, and changes passive polling to active subscription and publication, which significantly improves the efficiency, real-time performance and security of network management.

[0022] The following description Figure 1The execution method of each step is shown.

[0023] First, such as Figure 2 As shown, steps 100 and 102 are described together: On the one hand, the Aggregated View Configuration Management Information Base (SNMP-AGG-VIEW-MIB), as the first new MIB module, allows the Network Management Station (NMS) to configure the "Aggregated View" on the agent side via the standard First SetRequest PDU.

[0024] The Aggregate View Configuration Management Information Base contains an Aggregate View Configuration Table (aggViewConfigTable) and an Aggregate View OID Table (aggViewOidTable). The Aggregate View Configuration Table allows the network management station to create an "aggregate view" and assign it a unique aggview name (aggViewName) and ID (i.e., the aggview identifier, aggViewID). The Aggregate View OID Table is used to map one or more OID instances or OID columns from different MIB trees to the aggViewID of that aggview.

[0025] Furthermore, through SNMPv3 integration, operations (including creation, deletion, and modification) of the Aggregated View Configuration Management Information Base by the network management station are fully controlled by SNMPv3's USM and VCAM. The VCAM on the agent side must be configured with appropriate permissions, allowing users with specific security levels to operate this Aggregated View Configuration Management Information Base.

[0026] On the other hand, the Data Subscription Management Information Base (SNMP-SUB-MIB), as the second new MIB module, allows the Network Management Station (NMS) to create "data subscriptions" on the agent side using the standard second SetRequest PDU. This Data Subscription Management Information Base contains a subscription table. The network management station creates one or more new rows in this subscription table using the second SetRequest PDU; each new row is a subscription entry, and each subscription entry defines a subscription rule. Each subscription rule corresponds to a column in the subscription table. The subscription table must include at least the following key columns, meaning that a subscription rule must include at least the following items: (1) Subscription Object View Identifier (subTargetViewID): Points to the aggregate view ID defined in the aggregate view configuration management information base, indicating the data content to be subscribed.

[0027] (2) Subscription trigger type: including when data changes (onChange), when data volume exceeds the threshold (onThreshold), periodic (periodic), or one-time on demand (onDemand).

[0028] (3) Subscribe to trigger parameters (subTriggerParams): such as threshold or period.

[0029] (4) Subscription destination address: The address and port of the information publishing object, i.e., NMS, such as IP address + port or domain name + port, etc.

[0030] (5) Subscription protocol: For example, InformRequest using SNMPv3.

[0031] (6) Subscription security username (subSecurityName): Specifies that the agent should use the SNMPv3 security username (securityName) when sending subscription information. This is a key security parameter that is of particular concern when integrating SNMPv3.

[0032] (7) Subscription Context Name: Specifies the context name (contextName) that the agent should use when sending subscription information.

[0033] (8) Subscription Security Level: Specifies the security level that the agent should use when sending subscription information; for example, AuthPriv (authenticated and encrypted) or AuthNoPriv (authenticated but not encrypted).

[0034] (9) Subscription Row Status: The row status identifier used to activate or delete this subscription.

[0035] (10) SNMPv3 Integration: The NMS's operations on the data subscription management information base (including creation, deletion, and modification) are also fully controlled by the SNMPv3 USM and VACM. The VACM on the agent side must be configured with appropriate permissions to allow users with specific security levels to operate this MIB.

[0036] In addition, the SNMPv3 security parameters required for the agent to send notifications include: Subscribe to a secure username, which specifies the security credentials used when the agent sends notifications; Subscribe to a security level to specify the authentication and encryption attributes for notification messages; The subscription context name is used to specify the context information when sending notifications.

[0037] Furthermore, the network management station's operations on the aggregated view configuration management information repository and data subscription management information repository are governed by the SNMPv3 user security model and view access control model; among them, The user security model is used to provide message authentication and encryption functions; The view access control model is used to provide access control; based on the view access control model, the agent allows users with preset subscription security levels to operate the corresponding aggregated view configuration management information repository and data subscription management information repository.

[0038] For steps 104-108, each subscription item has its own triggering condition. The triggering condition must include at least one of the following: Data changes in the aggregated view, target data volume exceeding a preset threshold, periodic triggering, and one-time triggering as needed.

[0039] When a subscribed item meets the triggering conditions, the target object identifier (OID) corresponding to the target aggregated view ID is retrieved and stored, and then sent to the network management station based on security parameters. Upon receiving the data, the network management station decrypts and verifies it. If the verification is successful, the data is updated and a Response-PDU is sent back for confirmation.

[0040] It should be noted that the triggering conditions and the actual content of the subscribed items are determined according to the user's requirements, and this application does not impose any specific restrictions.

[0041] In some implementations, when the triggering condition is on-demand one-time triggering and the target data volume exceeds a preset threshold, the method further includes: The agent divides the target data in the target aggregate view into multiple data blocks; For each data block, an InformRequest PDU containing a data block index is constructed using the agent. Each InformRequest PDU uses the same SNMPv3 security context authentication mechanism and is distinguished by its request identifier. Each InformRequest PDU is then sent to the network management station. The network management station decrypts and verifies each InformRequest PDU received, and updates the data and sends back a Response-PDU for confirmation after successful verification.

[0042] In this embodiment, each data block is stored in a variable binding list VarBindList to be sent. VarBindList contains the data block index (chunkIndex), the total number of data blocks (totalChunks), and the data block itself. This embodiment achieves reliable batch transmission by modeling bulk transmission as on-demand subscription and utilizing a reliable notification mechanism to realize reliable streaming data acquisition.

[0043] The following uses the subscription table shown in Table 1 as a specific example to illustrate the interaction process between the Network Management System (NMS) and the Agent.

[0044] Table 1 Subscription Table like Figure 3 The diagram shows a flowchart of NMS using SetRequest to create a subscription. Figure 4 The diagram shows the flowchart of how the Agent publishes data using an InformRequest after the triggering conditions are met. The interaction process between NMS and the Agent includes four stages, steps A through D. Each stage is described below: Step A, during the subscription phase (NMS->Agent): Suppose that the network management station (NMS) wants to subscribe to data with ViewID=100 (e.g., this line represents CPU and memory utilization), on the condition that the data changes (On change).

[0045] The NMS then uses its valid SNMPv3 credentials (such as the security username securityName=admin) to send an SNMPv3 SetRequest PDU to the Agent (this PDU is USM-authenticated and encrypted).

[0046] The goal of this SetRequest PDU is to request the creation of a row, i.e., a subscription entry, in the subscription table of SNMP-SUB-MIB, and to set the subscription object view identifier (subTargetViewID) = 100, the trigger type subTriggerType = onChange, and the security parameters to be used when the Agent sends back a notification (e.g., the subscription security username subSecurityName = agent_notifier).

[0047] The VACM module on the agent side verifies whether the admin user has the authority to operate on SNMP-SUB-MIB and create subscription entries. Once verification is successful, the subscription entry is created.

[0048] Step B: During the monitoring phase (within the Agent) A "subscription monitoring engine" on the agent side reads the subscription table. When a new subscription entry ViewID=100 is found, the agent starts monitoring the local MIB data corresponding to ViewID=100 in the subscription table.

[0049] Step C: Deployment Phase (Agent->NMS) When the Agent's monitoring engine detects a change in the data in ViewID=100 (meeting the onChange trigger condition), the Agent's "information sending" program is started.

[0050] The Agent reads the subscription entry from the subscription table to obtain the target NMS address and the required security credentials (subSecurityName=agent_notifier, security level subSecurityLevel=AuthPriv).

[0051] The agent retrieves the aggregated data with ViewID=100 and adds it to the VarBindList. It's worth noting that the aggregated data can be compressed before being added to VarBindList, or not compressed at all, depending on user requirements. When compressing, formats such as CBOR can be used. If CBOR or similar compression formats are used, the data must be encapsulated in the predefined OCTET STRING type of ASN.1. In the implementation, a dedicated OID (such as aggDataBlob) should be defined to carry the compressed data, with a corresponding value type of OCTET STRING. This preserves the efficiency of compression while maintaining full compatibility with standard SNMP syntax.

[0052] The agent constructs a standard SNMPv3 InformRequest PDU. The snmpTrapOID of this InformRequest PDU is set to a special value, such as snmpPublishNotification. The agent uses the agent_notifier user's key to authenticate and encrypt the InformRequest PDU via USM. After authentication, the agent sends the aggregated data from the pending variable binding list to the NMS.

[0053] Step D: Confirmation Phase (NMS -> Agent) Upon receiving the InformRequest, the NMS uses the context and key of the agent_notifier for decryption and authentication. The NMS parses the aggregated data obtained from the list of variable bindings to be sent. Following the SNMPv3 InformRequest standard, the NMS sends an SNMPv3 Response-PDU back to the Agent as confirmation of the notification.

[0054] The method of this application will be further explained below using CPU threshold subscription as an example: It should be noted that before the NMS issues a subscription SetRequest, it must be ensured that the subscription security username (subSecurityName) and its corresponding security credentials (Passwords / Keys) referenced in the subscription entry have been pre-configured on the agent side through standard management methods (such as standard SNMP-USER-BASED-SM-MIB operations).

[0055] Configure view (optional): NMS first creates an aggViewID=101 in SNMP-AGG-VIEW-MIB via SetRequest, which is mapped to host.hrProcessor.hrProcessorLoad (host CPU load OID).

[0056] Creating a subscription: NMS sends a SetRequest using the secure username securityName=admin, creating a row in the SNMP-SUB-MIB subscription table. This row includes the following: Subscription object view identifier subTargetViewID=101 Subscription trigger type subTriggerType=onThreshold The subscription trigger parameter `subTriggerParams=">80"` (threshold parameter) is set to trigger the subscription. Subscription destination address: subDestination="10.1.1.1:162" (NMS address) Subscribe to the security username subSecurityName="agent_inform_user" Subscription security level subSecurityLevel=authPriv Subscription row status subRowStatus=createAndGo Agent Authentication and Monitoring: The agent's VAM authentication verifies that the admin has the right to write to the SNMP-SUB-MIB. Authentication is successful, and the subscription is activated. The agent's "Subscription Monitoring Engine" begins monitoring hrProcessorLoad (host CPU load OID).

[0057] Triggering and Release: The triggering condition is met when hrProcessorLoad (host CPU load OID) reaches 85%.

[0058] The Agent's "Notification Initiator" checks the subscription table to find the key for agent_inform_user.

[0059] Agent constructs InformRequest PDU: snmpTrapOID = snmpPublishNotification The variable to be sent, VarBind[1] = (aggViewID, 101), is... The variable to be sent, VarBind[2] = (hrProcessorLoad.5, 85), is... The Agent encrypts this PDU using the key of the subscribed security username subSecurityName="agent_inform_user" and sends it to 10.1.1.1.

[0060] NMS receives, decrypts, and authenticates the InformRequest, detects excessive CPU usage, and sends a Response-PDU confirmation back to the Agent.

[0061] As can be seen from the above embodiments, the method of this application can achieve efficient data aggregation query and a reliable "subscription-publish" mechanism by defining a new standard MIB and reusing existing PDUs.

[0062] like Figure 5 , Figure 6 As shown, this embodiment of the invention provides a network extension management device based on SNMPv3. The device embodiment can be implemented through software, hardware, or a combination of both. From a hardware perspective, such as... Figure 5 The diagram shown is a hardware architecture diagram of a computing device containing a network extension management device based on SNMPv3, as provided in an embodiment of the present invention. (Except for...) Figure 5 In addition to the processor, memory, network interface, and non-volatile memory shown, the computing device in the embodiment may also include other hardware, such as a forwarding chip responsible for processing packets. Taking software implementation as an example, such as... Figure 6As shown, a device in a logical sense is formed by the CPU of the computing device in which it is located reading the corresponding computer program from the non-volatile memory into the memory for execution.

[0063] Please refer to Figure 6 This invention provides a network extension management device based on SNMPv3, the device comprising: The building unit 600 is used to build an aggregate view configuration management information base, including an aggregate view configuration table and an aggregate view OID table, and a data subscription management information base, including a subscription table, on the agent side. Configuration unit 602 is configured to, in response to the network management station sending a first SetRequest PDU and a second SetRequest PDU to the agent and passing the authorization verification, create at least one aggregate view in the aggregate view configuration table based on the first SetRequest PDU, assign a unique name and ID to each aggregate view, and configure the mapping relationship between each object identifier OID from different MIB trees and each aggregate view ID in the aggregate view OID table; and create at least one subscription entry in the subscription table based on the second SetRequest PDU, each subscription entry specifying its corresponding target aggregate view, triggering conditions, and SNMPv3 security parameters to be used when the agent sends a notification; The monitoring unit 604 is used to monitor the target aggregate view corresponding to each subscription entry using the agent, and when the target aggregate view meets the triggering condition, obtain the target object identifier OID corresponding to its ID. The sending unit 606 is used to construct an InformRequest PDU using the proxy end and send the data corresponding to the target object identifier OID to the network management station based on security parameters; The update unit 608 is used by the network management station to decrypt and verify the received InformRequest PDU, and after successful verification, update the data and send back a Response-PDU for confirmation.

[0064] In some implementations, the SNMPv3 security parameters that the agent needs to use when sending notifications include: Subscribe to a secure username, which specifies the security credentials used when the agent sends notifications; Subscribe to a security level to specify the authentication and encryption attributes for notification messages; The subscription context name is used to specify the context information when sending notifications.

[0065] In some implementations, the network management station's operations on the aggregated view configuration management information base and data subscription management information base are governed by the SNMPv3 user security model and view access control model; wherein, The user security model is used to provide message authentication and encryption functions; The view access control model is used to provide access control; based on the view access control model, the agent allows users with preset subscription security levels to operate the corresponding aggregated view configuration management information repository and data subscription management information repository.

[0066] In some implementations, each row of the subscription table corresponds to a subscription entry, and each subscription entry corresponds to a subscription rule; Subscription rules should include at least the following: subscription object view identifier, aggregate view identifier, subscription trigger type, subscription trigger parameters, subscription destination address, subscription protocol, subscription security username, security username, subscription context name, context name, subscription security level, subscription row status, and SNMPv3 integration.

[0067] In some implementations, the triggering condition includes at least one of the following conditions: Data changes in the aggregated view, target data volume exceeding a preset threshold, periodic triggering, and one-time triggering as needed.

[0068] In some implementations, when the triggering condition is on-demand one-time triggering and the target data volume exceeds a preset threshold, the method further includes: The agent divides the target data in the target aggregate view into multiple data blocks; For each data block, an InformRequest PDU containing a data block index is constructed using the agent. Each InformRequest PDU uses the same SNMPv3 security context authentication mechanism and is distinguished by its request identifier. Each InformRequest PDU is then sent to the network management station. The network management station decrypts and verifies each InformRequest PDU received, and updates the data and sends back a Response-PDU for confirmation after successful verification.

[0069] Embodiments of this application also provide a computer device, please refer to... Figure 6 The computer device includes a processor and a memory, the memory storing at least one instruction, at least one program, code set, or instruction set, the at least one instruction, at least one program, code set, or instruction set being loaded and executed by the processor to implement the SNMPv3-based network extended management method provided in the above-described method embodiments.

[0070] Embodiments of this application also provide a computer-readable storage medium storing at least one instruction, at least one program, code set, or instruction set, wherein the at least one instruction, at least one program, code set, or instruction set is loaded and executed by a processor to implement the SNMPv3-based network extended management method provided in the above-described method embodiments.

[0071] Embodiments of this application also provide a computer program product, which includes a computer program. A processor of a computer device reads the computer program from a computer-readable storage medium and executes the computer program, causing the computer device to perform any of the SNMPv3-based network extended management methods described in the above embodiments.

[0072] For ease of description, the above systems or devices are described separately as various modules or units based on their functions. Of course, in implementing this application, the functions of each unit can be implemented in one or more software and / or hardware components.

[0073] As can be seen from the above description of the embodiments, those skilled in the art can clearly understand that this application can be implemented by means of software plus necessary general-purpose hardware platforms. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in various embodiments or some parts of the embodiments of this application.

[0074] Finally, it should be noted that in this document, relational terms such as first, second, third, and fourth are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0075] The above description is only a preferred embodiment of this application. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the principle of this application, and these improvements and modifications should also be considered within the scope of protection of this application.

Claims

1. A network extended management method based on SNMPv3, characterized in that, The method includes: On the agent side, build an aggregate view configuration management information repository including an aggregate view configuration table and an aggregate view OID table, as well as a data subscription management information repository including a subscription table; In response to the network management station sending a first SetRequest PDU and a second SetRequest PDU to the agent and passing the authorization verification, at least one aggregate view is created in the aggregate view configuration table based on the first SetRequest PDU, and a unique name and ID are assigned to each aggregate view. The mapping relationship between each object identifier OID from different MIB trees and each aggregate view ID is configured in the aggregate view OID table. At least one subscription entry is created in the subscription table based on the second SetRequest PDU. Each subscription entry specifies its corresponding target aggregate view, triggering conditions, and SNMPv3 security parameters to be used when the agent sends a notification. The agent monitors the target aggregate view corresponding to each subscription item, and when the target aggregate view meets the triggering condition, it obtains the target object identifier (OID) corresponding to its ID. The proxy end is used to construct an InformRequest PDU, and the data corresponding to the target object identifier OID is sent to the network management station based on the security parameters; The network management station decrypts and verifies the received InformRequest PDU, and updates the data and sends back a Response-PDU for confirmation after successful verification.

2. The method according to claim 1, characterized in that, The SNMPv3 security parameters that the agent needs to use when sending notifications include: Subscribe to a secure username, which specifies the security credentials used when the agent sends notifications; Subscribe to a security level to specify the authentication and encryption attributes for notification messages; The subscription context name is used to specify the context information when sending notifications.

3. The method according to claim 2, characterized in that, The network management station's operations on the aggregated view configuration management information base and the data subscription management information base are governed by the SNMPv3 user security model and view access control model; wherein... The user security model is used to provide message authentication and encryption functions; The view access control model is used to provide access control; based on the view access control model, the agent allows users with preset subscription security levels to operate the corresponding aggregated view configuration management information repository and data subscription management information repository.

4. The method according to claim 1, characterized in that, Each row in the subscription table corresponds to a subscription entry, and each subscription entry corresponds to a subscription rule. The subscription rules include at least the subscription object view identifier, aggregate view identifier, subscription trigger type, subscription trigger parameters, subscription destination address, subscription protocol, subscription security username, security username, subscription context name, context name, subscription security level, subscription row status, and SNMPv3 integration.

5. The method according to claim 1, characterized in that, The triggering condition includes at least one of the following conditions: Data changes in the aggregated view, target data volume exceeding a preset threshold, periodic triggering, and one-time triggering as needed.

6. The method according to claim 5, characterized in that, When the triggering condition is on-demand one-time triggering and the target data volume exceeds a preset threshold, it also includes: The proxy end divides the target data in the target aggregate view into multiple data blocks; For each data block, an InformRequestPDU containing a data block index is constructed using the agent. Each InformRequest PDU uses the same SNMPv3 security context confirmation mechanism and is distinguished by its request identifier. Each InformRequest PDU is then sent to the network management station. The network management station decrypts and verifies each InformRequest PDU received, and updates the data and sends back a Response-PDU for confirmation after successful verification.

7. A network extended management device based on SNMPv3, characterized in that, The device includes: The building unit is used to build an aggregate view configuration management information repository, including an aggregate view configuration table and an aggregate view OID table, and a data subscription management information repository, including a subscription table, on the agent side. The configuration unit is configured to, in response to the network management station sending a first SetRequest PDU and a second SetRequest PDU to the agent and passing the authorization verification, create at least one aggregate view in the aggregate view configuration table based on the first SetRequest PDU, assign a unique name and ID to each aggregate view, and configure the mapping relationship between each object identifier OID from different MIB trees and each aggregate view ID in the aggregate view OID table; and create at least one subscription entry in the subscription table based on the second SetRequest PDU, each subscription entry specifying its corresponding target aggregate view, triggering conditions, and SNMPv3 security parameters to be used when the agent sends a notification. The monitoring unit is used to monitor the target aggregate view corresponding to each subscription entry using the agent, and when the target aggregate view meets the triggering condition, obtain the target object identifier (OID) corresponding to its ID. The sending unit is used to construct an InformRequest PDU using the proxy end and send the data corresponding to the target object identifier OID to the network management station based on the security parameters; The update unit is used by the network management station to decrypt and verify the received InformRequest PDU, and after successful verification, update the data and send back a Response-PDU for confirmation.

8. A computer device, characterized in that, The computer device includes a memory and a processor. The memory is used to store computer programs, and the processor is used to execute the computer programs stored in the memory to implement the steps of the method according to any one of claims 1-6.

9. A computer-readable storage medium, characterized in that, The storage medium stores a computer program, which, when executed by a processor, implements the steps of the method described in any one of claims 1-6.

10. A computer program product, characterized in that, Includes a computer program, which, when executed by a processor, implements the steps of the method according to any one of claims 1-6.