Snmp++ library is not working with Cisco devices when trying to connect using SNMPv3 user which was configured using AES256.

Hi All,
I have downloaded the snmp++ source code and compiled it with OpenSSL for SNMPv3 support. However, when I ran snmpGet it showed that the request timed out.

However, snmpGet worked fine when tested against non-Cisco devices, even though the SNMPv3 users are configured with AES256.

I have quickly tested and found the same behavior with SNMP4J as well.

Please let me know whether it is the case that SNMP++/SNMP4J do not support Cisco devices when it comes to SNMPv3 users with AES256 privacy.

Regards,
Suresh

Hi,

snmp++ has the privacy protocol PrivAESW3DESKeyExt to support such devices. But this protocol is not added by default.

In order to use the PrivAESW3DESKeyExt you will have to add the protocol using a call like this:
usm->get_auth_priv()->add_priv(new PrivAESW3DESKeyExt(SNMP_PRIVPROTOCOL_AES256W3DESKEYEXT));

When adding the user using usm->add_usm_user(), also use the protocol SNMP_PRIVPROTOCOL_AES256W3DESKEYEXT.

Kind regards,
Jochen

For SNMP4J you need the Cisco privacy AES256 protocol as follows:

SecurityProtocols.getInstance().addPrivacyProtocol(new PrivAES256With3DESKeyExtension());

Then use the privacy protocol OID below when you add the USM user for that protocol:
PrivAES256With3DESKeyExtension.ID

Background info: the AES256 privacy protocol for SNMP is not an Internet Standard from the IETF. AES128 is a proposed standard, see https://datatracker.ietf.org/doc/rfc3826/.
Many years ago there was a draft called "draft-blumenthal-aes-usm" which was not advanced to standard. The main reason for that (AFAIK) had been that, to run AES192 and AES256 with SHA-1 and MD5, a so-called key extension is necessary. This key extension reduces the entropy of the key base and thus lowers the security of the privacy below the expected level for those two protocols.

Because there exist many implementations of this draft in the field, SNMP++ and SNMP4J also implement those two non-standard AES privacy protocols, with the key extension defined/implied by the IETF draft mentioned before.

Cisco and other manufacturers decided to use the 3DES key extension algorithm which is incompatible with the Blumenthal draft. That’s why there is an additional set of AES privacy protocols.
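The following is an added, complete SNMP4J example (it is not code from this thread or from the SNMP4J project itself) that puts the two calls above into context: it registers PrivAES256With3DESKeyExtension, adds a USM user with that protocol's OID, and performs an authPriv GET of sysDescr.0. It is the SNMP4J counterpart of the PrivAESW3DESKeyExt steps Jochen gave for SNMP++. Assumed: SNMP4J 2.5 or later on the classpath (the class lives in org.snmp4j.security.nonstandard), and the target address, user name and passphrases are placeholders to be replaced with the device's real USM configuration.

```java
// Added example, not part of the original thread.
// SNMPv3 authPriv GET against a device whose USM user was provisioned with
// Cisco-style AES256 (3DES key extension), using SNMP4J.
import org.snmp4j.PDU;
import org.snmp4j.ScopedPDU;
import org.snmp4j.Snmp;
import org.snmp4j.UserTarget;
import org.snmp4j.event.ResponseEvent;
import org.snmp4j.mp.MPv3;
import org.snmp4j.mp.SnmpConstants;
import org.snmp4j.security.AuthSHA;
import org.snmp4j.security.SecurityLevel;
import org.snmp4j.security.SecurityModels;
import org.snmp4j.security.SecurityProtocols;
import org.snmp4j.security.USM;
import org.snmp4j.security.UsmUser;
import org.snmp4j.security.nonstandard.PrivAES256With3DESKeyExtension;
import org.snmp4j.smi.GenericAddress;
import org.snmp4j.smi.OID;
import org.snmp4j.smi.OctetString;
import org.snmp4j.smi.VariableBinding;
import org.snmp4j.transport.DefaultUdpTransportMapping;

public class CiscoAes256Get {

    // Placeholders (assumed values): replace with the real device address and
    // the credentials of the SNMPv3 user configured on it.
    static final String TARGET   = "udp:192.0.2.1/161";
    static final String USER     = "snmpv3user";
    static final String AUTH_PWD = "auth-passphrase-placeholder";
    static final String PRIV_PWD = "priv-passphrase-placeholder";

    public static void main(String[] args) throws Exception {
        Snmp snmp = new Snmp(new DefaultUdpTransportMapping());

        // 1. Register the non-standard Cisco AES256 protocol in addition to the
        //    defaults. Registering the user with the standard PrivAES256 instead
        //    derives a key via the Blumenthal extension, which the device cannot
        //    decrypt; the thread reports that case as a request timeout.
        SecurityProtocols protocols = SecurityProtocols.getInstance();
        protocols.addDefaultProtocols();
        protocols.addPrivacyProtocol(new PrivAES256With3DESKeyExtension());

        // 2. Install a USM with a local engine ID and add the user, referencing the
        //    Cisco protocol by its OID so the privacy key is localized with the
        //    3DES key extension rather than the Blumenthal one.
        USM usm = new USM(protocols, new OctetString(MPv3.createLocalEngineID()), 0);
        SecurityModels.getInstance().addSecurityModel(usm);
        usm.addUser(new OctetString(USER),
                new UsmUser(new OctetString(USER),
                        AuthSHA.ID, new OctetString(AUTH_PWD),
                        PrivAES256With3DESKeyExtension.ID, new OctetString(PRIV_PWD)));

        snmp.listen();

        // 3. authPriv target; one retry and a short timeout keep a misconfigured
        //    privacy protocol from stalling the caller for long.
        UserTarget target = new UserTarget();
        target.setAddress(GenericAddress.parse(TARGET));
        target.setVersion(SnmpConstants.version3);
        target.setSecurityLevel(SecurityLevel.AUTH_PRIV);
        target.setSecurityName(new OctetString(USER));
        target.setRetries(1);
        target.setTimeout(3000);

        // 4. GET sysDescr.0 and distinguish the three outcomes a caller sees:
        //    no response (timeout), a USM report PDU, or a normal response.
        ScopedPDU pdu = new ScopedPDU();
        pdu.setType(PDU.GET);
        pdu.add(new VariableBinding(new OID("1.3.6.1.2.1.1.1.0")));

        ResponseEvent event = snmp.send(pdu, target);
        PDU response = event.getResponse();
        if (response == null) {
            System.out.println("Timeout: no response; check the privacy protocol and passphrase");
        } else if (response.getType() == PDU.REPORT) {
            System.out.println("Report PDU from agent: " + response.get(0));
        } else {
            System.out.println("sysDescr.0 = " + response.get(0).getVariable());
        }
        snmp.close();
    }
}
```

Compile and run it with the SNMP4J jar on the classpath. A null response after the retry is the same timeout the original question describes, so when diagnosing such a failure the first thing to compare is the privacy protocol OID used in UsmUser against what the device was provisioned with, before looking at network reachability.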

Thank you very much for your help on this. Now I am able to connect to Cisco devices as well, after making the suggested changes.

Thank you very much for providing the history.