SNMP v3 Notes


Cowboy Denny

When using SNMP v3, it's important that you use the correct security mechanisms to keep your devices safe.

The short version: to be the most secure, you should be using SNMPv3 with:

  • Auth = MD5
  • Priv = AES
  • Different passwords for each

 

MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value.

SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.

User-based Authentication Mechanism is based on the following:

  • MD5 message digest algorithm in HMAC
    • Directly provides data integrity checks
    • Indirectly provides data origin authentication
    • Uses private key known by sender and receiver
    • 16-byte key
    • 128-bit digest (truncates to 96 bits)
  • SHA, an optional alternative algorithm
  • Loosely synchronized monotonically increasing time indicator values defend against certain message stream modification attacks

 

Select either the AES or DES protocol from the drop-down list. AES uses the AES128 algorithm. The AES 128-bit cipher algorithm is a stronger encryption protocol than the current Data Encryption Standard (DES) 56-bit algorithm. AES is a symmetric cipher algorithm that the National Institute of Standards and Technology (NIST) selected to replace DES. RFC 3826, The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model (USM), specifies that Cipher Feedback (CFB) mode is to be used with AES encryption.

User-based Privacy Mechanism is based on the following:

  • Data Encryption Standard (DES) Cipher Block Chaining (CBC) mode
    • Provides data confidentiality
    • Uses encryption
    • Subject to export and use restrictions in many jurisdictions
  • Uses 16-byte key (56-bit DES key, 8-byte DES initialization vector) known by sender and receiver
  • Multiple levels of compliance with respect to DES due to problems associated with international use
  • Triple Data Encryption Standard (Triple DES)
  • Advanced Encryption Standard (AES) (128-, 192-, and 256-bit keys)

 

SNMPv3 provides the following configuration possibilities. (Note: availability depends on export restrictions.) 

  • No authentication and no privacy (noAuthNoPriv) - usually for monitoring
  • Authentication and no privacy (authNoPriv) - usually for control
  • Authentication and privacy (authPriv) - usually for downloading secrets
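
The HMAC-based authentication mechanism listed above (16-byte key, 128-bit digest truncated to 96 bits), as an added example that is not part of the original post. It assumes the password-to-key and key-localization procedure from RFC 3414 Appendix A.2; the engine ID, passwords and message bytes are constructed sample values, and a real agent computes the tag over the whole serialized message.

```python
import hashlib
import hmac

def master_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated out to exactly 1,048,576 bytes (Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localized_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Bind Ku to one agent: Kul = H(Ku || snmpEngineID || Ku)."""
    ku = master_key(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_tag(key: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """HMAC over the message, keeping only the first 12 bytes (96 bits)."""
    return hmac.new(key, whole_msg, algo).digest()[:12]

def verify(key: bytes, whole_msg: bytes, tag: bytes, algo: str = "md5") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(auth_tag(key, whole_msg, algo), tag)

# Constructed sample values (not taken from any real device).
ENGINE_ID = bytes.fromhex("000000000000000000000002")
SAMPLE_MSG = b"constructed stand-in for a serialized SNMPv3 message"

if __name__ == "__main__":
    # Different passwords for auth and priv, as the notes recommend.
    auth_key = localized_key(b"constructed-auth-pass", ENGINE_ID)
    priv_key = localized_key(b"constructed-priv-pass", ENGINE_ID)[:16]  # AES-128 key
    tag = auth_tag(auth_key, SAMPLE_MSG)
    print("auth key :", auth_key.hex())
    print("priv key :", priv_key.hex())
    print("tag (96b):", tag.hex())
    print("verifies :", verify(auth_key, SAMPLE_MSG, tag))
    print("tampered :", verify(auth_key, SAMPLE_MSG + b"!", tag))
```

Because the key is localized with the engine ID, the same password yields a different key on every agent, so a key recovered from one device does not authenticate to another.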

 

 
