On Fri, Apr 8, 2016 at 11:38 AM, Mark Reynolds <
mark.reyno...@insidertech.co.uk> wrote:

> Hi,
>
> We use NetSNMP in our product and we would like to use more up to date
> algorithms for authorisation and privacy with SNMP v3.
>
>
>
> I see RFC3414 from 2002, 'describes the use of HMAC-MD5-96 and HMAC-SHA-96
> as the authentication protocols and the use of CBC-DES as the privacy
> protocol. The User-based Security Model however allows for other such
> protocols to be used instead of or concurrent with these protocols.'
>
>
>
> This seems to be the most up to date RFC on security in SNMP v3 but please
> correct me if I'm wrong.
>

AES128 support is described in RFC3826, and SHA2 support is described in
RFC7630.


> I see from
> http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption
> (last updated 2011) that work was started on implementing AES192 and 256 in
> NetSNMP but that it was never supported completely. Is this still the case?
>
>
>
> Can someone please clarify the current status of AES support in the latest
> Net SNMP? Is AES128 supported?
>

Yes, when the tools refer to AES, they are referring to AES as described in
RFC3826.


> Is it the case that SHA1 and MD5 are the only supported hash algorithms?
>

Yes, the algorithms from RFC3414.


> Are there currently any plans to implement support for algorithms not
> specified in the RFC but which are recommended as best practice such as
> SHA2 given that the USM design allows for this?
>

RFC7630 standardizes SHA2 hashes: SHA-224, -256, -384 and -512.  I've heard
that someone was working on support but I haven't seen code yet.


>
>
> While NIST SP 800-131A states that SHA1 is acceptable for HMAC
> applications it is deprecated for signature verification and is legacy use
> only for generation. See table 9, page 17 of
>
> http://csrc.nist.gov/publications/drafts/800-131A/sp800-131a_r1_draft.pdf
>
>
>
An alternative is to use SNMP over (D)TLS, with which you can use any
(D)TLS mechanism you want.

See, e.g., http://www.net-snmp.org/wiki/index.php/Using_DTLS .

  Bill
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
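
As an added illustration (not part of the original thread, and not Net-SNMP code), the sketch below shows what the USM authentication protocols named in the reply compute: the RFC 3414 password-to-key and key-localization steps, then an HMAC truncated to the per-protocol length from RFC 3414 and RFC 7630. The function names and the message bytes are constructed for the example, the password and engine ID are the RFC 3414 Appendix A.3 sample values, and applying the RFC 3414 key derivation unchanged with the SHA-2 hashes is an assumption based on RFC 7630.

```python
import hashlib
import hmac

# USM auth protocol -> (hash name, truncated MAC length in octets)
AUTH_PROTOCOLS = {
    "usmHMACMD5AuthProtocol":       ("md5", 12),     # RFC 3414, HMAC-MD5-96
    "usmHMACSHAAuthProtocol":       ("sha1", 12),    # RFC 3414, HMAC-SHA-96
    "usmHMAC128SHA224AuthProtocol": ("sha224", 16),  # RFC 7630
    "usmHMAC192SHA256AuthProtocol": ("sha256", 24),  # RFC 7630
    "usmHMAC256SHA384AuthProtocol": ("sha384", 32),  # RFC 7630
    "usmHMAC384SHA512AuthProtocol": ("sha512", 48),  # RFC 7630
}

# Sample values from RFC 3414 Appendix A.3; the message bytes are constructed.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")
SAMPLE_MSG = b"constructed stand-in for a serialized SNMPv3 message"


def password_to_key(hash_name, password):
    """RFC 3414 A.2: hash the password repeated out to exactly 1,048,576 octets."""
    if not password:
        raise ValueError("password must not be empty")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(hash_name, ku, engine_id):
    """RFC 3414 key localization: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameters(protocol, password, engine_id, whole_msg):
    """Return the truncated HMAC a sender would place in the message."""
    hash_name, mac_len = AUTH_PROTOCOLS[protocol]
    kul = localize_key(hash_name, password_to_key(hash_name, password), engine_id)
    return hmac.new(kul, whole_msg, hash_name).digest()[:mac_len]


def verify(protocol, password, engine_id, whole_msg, received):
    """Receiver side: recompute and compare in constant time."""
    expected = auth_parameters(protocol, password, engine_id, whole_msg)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    for name in AUTH_PROTOCOLS:
        mac = auth_parameters(name, PASSWORD, ENGINE_ID, SAMPLE_MSG)
        print(f"{name:30s} {len(mac) * 8:3d}-bit MAC {mac.hex()}")
```

In a real SNMPv3 message the HMAC is computed over the whole message with the authentication parameters field zero-filled to the truncated length; the stand-in bytes here skip that encoding step.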