Smarts IP: What modes of encryption are supported for SNMP v3 discovery? AES, DES, 3DES or AES256?
search cancel

Smarts IP: What modes of encryption are supported for SNMP v3 discovery? AES, DES, 3DES or AES256?

book

Article ID: 345346

calendar_today

Updated On:

Products

VMware Smart Assurance

Issue/Introduction

Currently the snmpwalk --help does not list all of the supported protocols as shown below 
 

SNMP Version 3 specific

  -a PROTOCOL           set authentication protocol (MD5|SHA)

  -A PASSPHRASE         set authentication protocol pass phrase

  -e ENGINE-ID          set security engine ID (e.g. 800000020109840301)

  -E ENGINE-ID          set context engine ID (e.g. 800000020109840301)

  -l LEVEL              set security level (noAuthNoPriv|authNoPriv|authPriv)

  -n CONTEXT            set context name (e.g. bridge1)

  -u USER-NAME          set security name (e.g. bert)

  -x PROTOCOL           set privacy protocol (DES|AES)

  -X PASSPHRASE         set privacy protocol pass phrase


Symptoms:
Is AES 128-bit encryption supported for SNMP v3 discovery in Smarts IP?

What other protocols are supported for Smarts snmp v3 including the snmpwalk v3 command?

Environment

VMware Smart Assurance - SMARTS

Cause

Our current documentation from the IP 9.2. Confguration Guide lists AES only and this is known as AES128 which is defined in RFC 3826

Resolution

Yes, AES 128-bit encryption is supported by default.

Smarts 9.4.2.x and newer also support the following protocols for snmp v3:

DES/3DES/AES/AES128/AES192/ AES256 / NONE

See the additional notes below regarding DES and 3DES from CISCO

Additional Information

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-3s/asr903/snmp-xe-3s-asr903-book/nm-snmp-encrypt-snmp-support.pdf

The AES Cipher Algorithm in theSimple Network ManagementProtocol (SNMP) User-basedSecurity Model (USM) draft describes the use of AES with 128-bit key size. However, the other options are also implemented with the extension to use the USM. There is no standard for generating localized keys for 192- or 256-bit size keys for AES or for 168-bit size key for 3-DES. There is no authentication protocol available for longer keys. Support for SNMP Version 3 USM is compliant with RFC 3414, which defines DES as the only required method of message encryption for SNMP Version 3 authPriv mode. The AES and 3-DES Encryption Support for SNMP Version 3 feature supports the selection of privacy protocols through the CLI and the MIB. A new standard MIB, SNMP-USM-AES-MIB, provides support for the 128-bit key in the Advanced Encryption Standard (AES). The extended options of AES with 192- or 256-bit keys and 3-DES are supported as extensions to the SNMP-USM-MIB in the Cisco-specific MIB—CISCO-SNMP-USM-EXT-MIB

Impact/Risks:
None