SNMPv3 authentication and privacy protocols

 

Information

 

Summary:

Details about algorithms used for SNMPv3 in authentication and privacy protocols.

Environment:

Product: Flowmon OS

Version: Any

Platform: Any

Question/Problem Description:

Is it possible to use AES256 when obtaining flow source information via SNMPv3?

Resolution:

Flowmon OS uses standard SNMP implementations, such as net-snmp and the PHP snmp functions. These follow the RFCs.

Authentication is defined in RFC 3414 (https://datatracker.ietf.org/doc/html/rfc3414), which specifies:

  • HMAC-MD5-96
  • HMAC-SHA-96

The same RFC also defines the privacy protocol as CBC-DES.

The privacy protocol was later extended by RFC 3826 (https://datatracker.ietf.org/doc/html/rfc3826) to CFB128-AES-128.

If Flowmon OS is configured (Monitoring Center - Sources) to use SHA + AES for obtaining information via SNMPv3, it uses HMAC-SHA-96 and CFB128-AES-128 as defined by the RFCs. Other algorithms are not supported.

It might be possible to use SHA256 (proposed in https://datatracker.ietf.org/doc/html/rfc7630) and AES256 (not defined by an RFC) in SNMP, but this is pretty rare, and many tools do not support them.

The CLI snmpwalk tool also uses HMAC-SHA-96 and CFB128-AES-128.
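What "SHA + AES" means at the key level, as an added Python example (not Flowmon or net-snmp code): it derives the localized key per RFC 3414, truncates the HMAC to 96 bits, and takes the CFB128-AES-128 key per RFC 3826. The password and engine ID are the published RFC 3414 Appendix A.3 test inputs; the message bytes are constructed.

```python
import hashlib
import hmac

MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly this many password octets


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: digest of the password repeated out to 1,048,576 octets (Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(MEGABYTE, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: bind Ku to one agent's snmpEngineID (Kul)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_tag_96(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: full HMAC truncated to the first 12 octets."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def aes128_key(localized_priv_key: bytes) -> bytes:
    """RFC 3826: the CFB128-AES-128 key is the first 128 bits of the localized key."""
    return localized_priv_key[:16]


def demo() -> dict:
    # Password and engine ID: RFC 3414 Appendix A.3 test inputs.
    engine_id = bytes.fromhex("000000000000000000000002")
    ku = password_to_key(b"maplesyrup", "sha1")
    kul = localize_key(ku, engine_id, "sha1")
    # Constructed stand-in for a serialized SNMPv3 message whose
    # msgAuthenticationParameters field holds 12 zero octets.
    whole_msg = b"constructed-snmpv3-message" + bytes(12)
    return {
        "Ku": ku.hex(),
        "Kul": kul.hex(),
        "tag": auth_tag_96(kul, whole_msg, "sha1").hex(),
        "aes_key_len": len(aes128_key(kul)),
        "kul_len": len(kul),  # 20 octets: too short to slice a 32-octet AES-256 key
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The 20-octet SHA-1 localized key covers the 16 octets AES-128 needs but not the 32 that AES-256 would, which is why AES-256 in SNMPv3 depends on key-extension schemes outside these RFCs.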
