Secure MP Login
The first step in accessing the MP is login. Normally, the user must be identified and authorized. This is the purpose of the server on the right side of Figure 2, which may use any of the security schemes listed.
SNMPv3 provides facilities for authentication, encryption, and timeliness (protecting against replay attacks). In part 2 of this series, we'll look in a little more detail at the security mechanisms provided by RADIUS, Kerberos, SecurID, TACACS, and SNMPv3.
Reading and Writing Device Data Securely
Let's assume that we've logged in and now have the authority to interact with the network devices in Figure 2 via the MP. Figure 3 illustrates some network management operations that involve both the CLI and SNMPv3 on MPLS nodes X, Y, and Z.
Figure 3 Network management operations.
Using the CLI, the network manager configures the two adjacent MPLS interfaces on nodes X and Y. The same operation often can be done using SNMPv3 with a series of messages, such as set, get, and get-Bulk.  For full security, the NMS and the nodes must be configured for SNMPv3 (part 2 looks at this topic).
Receiving Network-Originated Device Data Securely
Suppose node Z in Figure 2 reboots for some reason (a software bug). This case results in the device sending an SNMPv3 notification message to the management system. As described in the preceding section, the NMS must be appropriately configured to receive and process this message. In addition, Z must be configured to allow access to the required managed objects (on Z) in order to create the notification.