Strong Authentication or Encryption

From Net-SNMP Wiki
Jump to: navigation, search
Good Answer

This is a Good Answer article. It was likely created as a response to a question on a Net-SNMP Mailing List and written up here for others to see. It likely covers material not yet in the FAQ or in the Tutorial but may someday be moved there


Question: Authentication

Does it support anything stronger than SHA1?

Answer

Yes. Net-SNMP 5.8 and later support all the authentication protocols defined in [RFC7860|https://tools.ietf.org/html/rfc7860], w hich are:

  • SHA-192
  • SHA-256
  • SHA-284
  • SHA-512

Question: Encryption

Does Net-SNMP support AES192 or AES256?

Answer

The short answer is Yes, starting with release 5.8 AES193 and AES256 are an optional configure option.

There are two separate parts to the long answer:

SNMPv3 with the USM Security Model

AES192 and AES256 were never defined in a RFC. At one point the AES draft document was going to standardize the 192 and 256 modes, but ended up dropping it before the final release of the RFC.

From the net-snmp point of view we started supporting AES192 and 256 [in v5.1.x] when the initial drafts started circulating. HOWEVER, Net-SNMP never supported it completely and it was removed. Complete support was added for release 5.8.

There was an internet-draft created in the IETF to standardize 3DES encryption support, but the work was never pushed forward into the full standardization process and was later dropped. A few companies picked up that work and implemented it internally to their products. Net-SNMP does not yet support 3DES, however, as most people believe that the AES support provides sufficiently strong encryption.

SNMPv3 using TLS and DTLS

Starting with version 5.6, Net-SNMP has the ability to tunnel SNMPv3 packets over the TLS and DTLS protocols. These protocols offer their own negotiation of security algorithms to use and thus the resulting security is dependent on that negotiation. It is possible to configure OpenSSL, which Net-SNMP relies on for the connections, to use stronger authentication and encryption algorithms than the ones that are offered by SNMPv3 with USM.

For further reading on using DTLS and TLS, see The tutorial on using TLS and DTLS