Smarts IP: What modes of encryption are supported for SNMP v3 discovery? AES, DES, 3DES or AES256?


Article ID: 345346


Products

VMware

Issue/Introduction

Currently, the output of snmpwalk --help does not list all of the supported protocols, as shown below:
 

SNMP Version 3 specific
  -a PROTOCOL           set authentication protocol (MD5|SHA)
  -A PASSPHRASE         set authentication protocol pass phrase
  -e ENGINE-ID          set security engine ID (e.g. 800000020109840301)
  -E ENGINE-ID          set context engine ID (e.g. 800000020109840301)
  -l LEVEL              set security level (noAuthNoPriv|authNoPriv|authPriv)
  -n CONTEXT            set context name (e.g. bridge1)
  -u USER-NAME          set security name (e.g. bert)
  -x PROTOCOL           set privacy protocol (DES|AES)
  -X PASSPHRASE         set privacy protocol pass phrase


Symptoms:
Is AES 128-bit encryption supported for SNMP v3 discovery in Smarts IP?

What other protocols are supported for Smarts SNMP v3, including the snmpwalk v3 command?

Environment

VMware Smart Assurance - SMARTS

Cause

Our current documentation, the IP 9.2 Configuration Guide, lists AES only. This is known as AES128, which is defined in RFC 3826.

Resolution

Yes, AES 128-bit encryption is supported by default.

Smarts 9.4.2.x and newer also support the following protocols for SNMP v3:

DES / 3DES / AES / AES128 / AES192 / AES256 / NONE

See the additional notes below from Cisco regarding DES and 3DES.

Additional Information

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-3s/asr903/snmp-xe-3s-asr903-book/nm-snmp-encrypt-snmp-support.pdf

The AES Cipher Algorithm in the Simple Network Management Protocol (SNMP) User-based Security Model (USM) draft describes the use of AES with 128-bit key size. However, the other options are also implemented with the extension to use the USM. There is no standard for generating localized keys for 192- or 256-bit size keys for AES or for 168-bit size key for 3-DES. There is no authentication protocol available for longer keys. Support for SNMP Version 3 USM is compliant with RFC 3414, which defines DES as the only required method of message encryption for SNMP Version 3 authPriv mode. The AES and 3-DES Encryption Support for SNMP Version 3 feature supports the selection of privacy protocols through the CLI and the MIB. A new standard MIB, SNMP-USM-AES-MIB, provides support for the 128-bit key in the Advanced Encryption Standard (AES). The extended options of AES with 192- or 256-bit keys and 3-DES are supported as extensions to the SNMP-USM-MIB in the Cisco-specific MIB—CISCO-SNMP-USM-EXT-MIB.
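The key-length gap described in the note above, as an added example (not code from this article, from Smarts, or from Cisco): RFC 3414 key localization produces a single digest of key material, 16 octets with MD5 and 20 with SHA, which covers DES and AES128 but not 3DES, AES192 or AES256. The passphrase and engine ID are the RFC 3414 Appendix A.3 test values, and the cipher table is an assumption that counts key octets only.

```python
import hashlib

# Cipher key length in octets (DES/3DES counted with parity bits; IV material
# that USM also takes from the localized key is not counted here). Assumed table.
CIPHER_KEY_OCTETS = {"DES": 8, "3DES": 24, "AES128": 16, "AES192": 24, "AES256": 32}

# Constructed sample input: the RFC 3414 Appendix A.3 test passphrase and engine ID.
SAMPLE_PASSPHRASE = "maplesyrup"
SAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(passphrase: str, algo: str) -> bytes:
    """RFC 3414 A.2: digest of the passphrase repeated to exactly 1 MiB."""
    data = passphrase.encode()
    if len(data) < 8:
        raise ValueError("passphrase shorter than 8 octets")
    stream = (data * (1048576 // len(data) + 1))[:1048576]
    return hashlib.new(algo, stream).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: bind the user key to one engine, Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def ciphers_needing_extension(algo: str) -> list:
    """Ciphers whose key is longer than one localized digest of `algo`."""
    available = hashlib.new(algo).digest_size
    return [name for name, need in CIPHER_KEY_OCTETS.items() if need > available]


if __name__ == "__main__":
    for algo in ("md5", "sha1"):  # the -a choices (MD5|SHA) in the help text
        kul = localize(password_to_key(SAMPLE_PASSPHRASE, algo), SAMPLE_ENGINE_ID, algo)
        print(algo, len(kul), "octets", kul.hex())
        print("  needs a non-standard key extension:", ciphers_needing_extension(algo))
```

Because the longer keys come from vendor-specific extensions, a manager and an agent that both offer AES256 can still derive different keys from the same passphrase, so a failing authPriv discovery is worth retesting with AES128.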

Impact/Risks:
None