Child pages
  • How to configure nonstandard AES 192/256 for a SNMPv3 user?
Skip to end of metadata
Go to start of metadata

Some devices* and SNMP tools use an AES key extension algorithm implementation for 192 and 256 bit key length that was not specified in the IETF draft http://tools.ietf.org/html/draft-blumenthal-aes-usm-04. Instead those implementations use the key extension algorithm specified by http://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00. To use the latter non-standard protocol follow the steps below:

  1. Use SNMP4J 2.2.3 or later.

  2. Add the nonstandard privacy protocol to the SecurityProtocols instance with

    import org.snmp4j.security.nonstandard.PrivAES256With3DESKeyExtension;
    SecurityProtocols.getInstance().addPrivacyProtocol(new  PrivAES256With3DESKeyExtension()); 
  3. Specify the nonstandard privacy protocol for the SNMPv3 user that should use it:

        user = new UsmUser(new OctetString("SHAAES256"),
                                   AuthSHA.ID,
                                   new OctetString("SHAAES256AuthPassword"),
        // Use the following privacy protocol if you want to use AES 256 with 3DES  like key extension for this user:
                                   PrivAES256With3DESKeyExtension.ID,
        // Use the following privacy protocol for standard conform AES 256 privacy:
        //                         PrivAES256.ID,
                                   new OctetString("SHAAES256PrivPassword"));
    
    

Note: Standard and non-standard protocols cannot be used for the same SNMPv3 security Name concurrently.

* SNMP4J users reported that there are Cisco devices using the 3DES key extension also for AES.

  • No labels