Strong Authentication or Encryption
This is a Good Answer article. It was likely created as a response to a question on a Net-SNMP Mailing List and written up here for others to see. It likely covers material not yet in the FAQ or in the Tutorial but may someday be moved there
Contents
Question: Authentication
Does it support anything stronger than SHA1?
Answer
Yes. Net-SNMP 5.8 and later support all the authentication protocols defined in [RFC7860|https://tools.ietf.org/html/rfc7860], w hich are:
- SHA-192
- SHA-256
- SHA-284
- SHA-512
Question: Encryption
Does Net-SNMP support AES192 or AES256?
Answer
The short answer is Yes, starting with release 5.8 AES193 and AES256 are an optional configure option.
There are two separate parts to the long answer:
SNMPv3 with the USM Security Model
AES192 and AES256 were never defined in a RFC. At one point the AES draft document was going to standardize the 192 and 256 modes, but ended up dropping it before the final release of the RFC.
From the net-snmp point of view we started supporting AES192 and 256 [in v5.1.x] when the initial drafts started circulating. HOWEVER, Net-SNMP never supported it completely and it was removed. Complete support was added for release 5.8.
There was an internet-draft created in the IETF to standardize 3DES encryption support, but the work was never pushed forward into the full standardization process and was later dropped. A few companies picked up that work and implemented it internally to their products. Net-SNMP does not yet support 3DES, however, as most people believe that the AES support provides sufficiently strong encryption.
SNMPv3 using TLS and DTLS
Starting with version 5.6, Net-SNMP has the ability to tunnel SNMPv3 packets over the TLS and DTLS protocols. These protocols offer their own negotiation of security algorithms to use and thus the resulting security is dependent on that negotiation. It is possible to configure OpenSSL, which Net-SNMP relies on for the connections, to use stronger authentication and encryption algorithms than the ones that are offered by SNMPv3 with USM.
For further reading on using DTLS and TLS, see The tutorial on using TLS and DTLS