Mark Reynolds
2016-04-08 14:38:56 UTC
Hi,
We use NetSNMP in our product and we would like to use more up to date
algorithms for authorisation and privacy with SNMP v3.
I see RFC3414 from 2002, 'describes the use of HMAC-MD5-96 and HMAC-SHA-96
as the authentication protocols and the use of CBC-DES as the privacy
protocol. The User-based Security Model however allows for other such
protocols to be used instead of or concurrent with these protocols.'
This seems to be the most up to date RFC on security in SNMP v3 but please
correct me if I'm wrong.
I see from
http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption
(last updated 2011) that work was started on implementing AES192 and 256 in
NetSNMP but that it was never supported completely. Is this still the case?
Can someone please clarify the current status of AES support in the latest
Net SNMP? Is AES128 supported?
Is it the case that SHA1 and MD5 are the only supported hash algorithms?
Are there currently any plans to implement support for algorithms not
specified in the RFC but which are recommended as best practice such as
SHA2 given that the USM design allows for this?
While NIST SP 800-131A states that SHA1 is acceptable for HMAC applications
it is deprecated for signature verification and is legacy use only for
generation. See table 9, page 17 of
http://csrc.nist.gov/publications/drafts/800-131A/sp800-131a_r1_draft.pdf
Thanks,
Mark
--
------------------------------
***** Email confidentiality notice *****
This message is private and confidential. If you have received this message
in error, please notify us and remove it from your system.
Insider Technologies Limited is a company registered in England and Wales
(Company Number: 2352867) and its registered office is at: Spinnaker Court,
Chandlers Point, 37 Broadway, Salford Quays, MANCHESTER, United Kingdom,
M50 2YR