
Strong_Authentication_or_Encryption

Bill Fenner edited this page Aug 30, 2018 · 1 revision

Question: Authentication

Does it support anything stronger than SHA1?

Answer

Yes. Net-SNMP 5.8 and later support all of the authentication protocols defined in RFC 7860 (https://tools.ietf.org/html/rfc7860), which are:

  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512
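To show what "stronger than SHA1" means inside USM, here is an added example (not code from the Net-SNMP wiki or project) of the password-to-key and key-localization procedure from RFC 3414 Appendix A.2, generalized to the SHA-2 family exactly as RFC 7860 does, together with the truncated-HMAC authentication parameter. The MD5 and SHA-1 results are checked against the test vectors published in RFC 3414 Appendix A.3; the truncation lengths are the ones RFC 7860 assigns to each protocol.

```python
import hashlib
import hmac

# Protocol name -> (hashlib algorithm, bytes kept from the HMAC output in
# msgAuthenticationParameters). Legacy pair from RFC 3414, SHA-2 set from RFC 7860.
AUTH_PROTOCOLS = {
    "MD5":     ("md5",    12),  # usmHMACMD5AuthProtocol
    "SHA":     ("sha1",   12),  # usmHMACSHAAuthProtocol
    "SHA-224": ("sha224", 16),  # usmHMAC128SHA224AuthProtocol
    "SHA-256": ("sha256", 24),  # usmHMAC192SHA256AuthProtocol
    "SHA-384": ("sha384", 32),  # usmHMAC256SHA384AuthProtocol
    "SHA-512": ("sha512", 48),  # usmHMAC384SHA512AuthProtocol
}

def password_to_key(password: bytes, engine_id: bytes, protocol: str) -> bytes:
    """Derive the localized authentication key Kul for one SNMP engine."""
    hash_name, _ = AUTH_PROTOCOLS[protocol]
    if not password:
        raise ValueError("USM passwords must not be empty")
    # Step 1 (RFC 3414 A.2): hash exactly 1,048,576 bytes of the password
    # repeated cyclically. This is the deliberate work factor of the scheme.
    reps = 1048576 // len(password) + 1
    ku = hashlib.new(hash_name, (password * reps)[:1048576]).digest()
    # Step 2: localize to the engine, so one password yields a distinct key
    # per agent and a compromised agent does not expose the others' keys.
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def auth_parameters(kul: bytes, whole_msg: bytes, protocol: str) -> bytes:
    """HMAC over the whole message, truncated to the protocol's length.
    whole_msg must have msgAuthenticationParameters zero-filled, as the
    sender does before computing the MAC."""
    hash_name, trunc = AUTH_PROTOCOLS[protocol]
    return hmac.new(kul, whole_msg, hash_name).digest()[:trunc]

def verify_auth(kul: bytes, whole_msg: bytes, received: bytes, protocol: str) -> bool:
    """Constant-time check of a received authentication parameter."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg, protocol), received)

if __name__ == "__main__":
    # Constructed inputs: the RFC 3414 A.3 password and engine ID.
    engine = bytes.fromhex("000000000000000000000002")
    for proto in AUTH_PROTOCOLS:
        kul = password_to_key(b"maplesyrup", engine, proto)
        mac = auth_parameters(kul, b"constructed SNMPv3 message", proto)
        print(f"{proto:8} Kul={kul.hex()} mac_len={len(mac)}")
```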

Question: Encryption

Does Net-SNMP support AES192 or AES256?

Answer

The short answer is yes: starting with release 5.8, AES192 and AES256 are available as an optional configure-time option.

There are two separate parts to the long answer:

SNMPv3 with the USM Security Model

AES192 and AES256 were never defined in an RFC. At one point the AES draft document was going to standardize the 192- and 256-bit modes, but they were dropped before the final release of the RFC.

From the Net-SNMP point of view, we started supporting AES192 and AES256 (in v5.1.x) when the initial drafts started circulating. HOWEVER, Net-SNMP never supported it completely, and that support was removed. Complete support was added in release 5.8.

There was an Internet-Draft created in the IETF to standardize 3DES encryption support, but the work was never pushed forward into the full standardization process and was later dropped. A few companies picked up that work and implemented it in their own products. Net-SNMP does not yet support 3DES, however, as most people believe that the AES support provides sufficiently strong encryption.

SNMPv3 using TLS and DTLS

Starting with version 5.6, Net-SNMP can tunnel SNMPv3 packets over the TLS and DTLS protocols. These protocols negotiate their own security algorithms, so the resulting security depends on that negotiation. It is possible to configure OpenSSL, which Net-SNMP relies on for these connections, to use stronger authentication and encryption algorithms than the ones offered by SNMPv3 with USM.

For further reading on using DTLS and TLS, see the tutorial on using TLS and DTLS.

Category:SNMPv3 Category:Encryption Category:Authentication
