Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

NMIS supports using SNMPv3 for securing the collection of sensitive network information.  This is especially important from core switches and routers which if compromised could have a considerable business impact.  This configuration note does not include details about the SNMPv3 protocol, and assumes that people are wanting to use the authPriv (Authentication and Privilege) mode which is the most secure.

...

NMIS9 nameNameOIDNotes
desusmDESPrivProtocol1.3.6.1.6.3.10.1.2.1RFC3411
3desusm3DESPrivProtocol1.3.6.1.4.1.14832.1RFC3411
aes (or aes128)usmAESCfb128PrivProtocol1.3.6.1.4.1.14832.2Blumenthal implementation of SNMPv3
aes192usmAESCfb192PrivProtocol1.3.6.1.4.1.14832.3Blumenthal implementation of SNMPv3
aes256usmAESCfb256PrivProtocol1.3.6.1.4.1.14832.4Blumenthal implementation of SNMPv3
aes192ccusmAESCfb192PrivProtocol

1.3.6.1.4.1.9.12.6.1.1

Cisco implementation of SNMPv3 AES192
aes256ccusmAESCfb256PrivProtocol1.3.6.1.4.1.9.12.6.1.2Cisco implementation of SNMPv3 AES256
aes192c2

usmAES192Cisco2PrivProtocol

1.3.6.1.4.1.9.12.6.1.101A mysterious version 2 of the Cisco implementation, possibly related to pysnmp
aes256c2usmAES256Cisco2PrivProtocol1.3.6.1.4.1.9.12.6.1.102A mysterious version 2 of the Cisco implementation, possibly related to pysnmp

...

Many Cisco devices will support SHA256 but only AES128 (which given the entropy is reasonable "AES-128 would take about 2.61*10^12 years to crack" https://www.ubiqsecurity.com/128bit-or-256bit-encryption-which-to-use/).

...

This is by no means a comprehensive list of the products we support.

Vendor / Operating SystemSHAAES
Cisco IOSSHA1AES256CCisco IOS
NMIS Considerations
Cisco IOSSHA1
AES192C
AES256"aes256c" needs to be configured as the entry.configuration.privprotocol" value in NMIS
SHA1
AES128Cisco NX-OSSHA1AES128Cisco NX-OSSHA256AES128FortinetSHA256CAES256C
AES192"aes192c" needs to be configured as the entry.configuration.privprotocol" value in NMIS
SHA1AES128
Cisco NX-OSSHA1AES128
SHA256AES128
FortinetSHA256CAES256C"sha256" needs to be configured as the entry.configuration.authprotocol" value in NMIS AND "aes256c" needs to be configured as the entry.configuration.privprotocol" value in NMIS
Palo AltoSHA1AES128
SHA224AES128
SHA256AES128
SHA384AES128
SHA224AES192"aes192c" needs to be configured as the entry.configuration.privprotocol" value in NMIS
SHA256AES192"aes192c" needs to be configured as the entry.configuration.privprotocol" value in NMIS
SHA256AES256"aes256c" needs to be configured as the entry.configuration.privprotocol" value in NMIS
SHA384AES192"aes192c" needs to be configured as the entry.configuration.privprotocol" value in NMIS
SHA384AES256"aes256c" needs to be configured as the entry.configuration.privprotocol" value in NMIS

You may notice that when configuring SNMPv3 on a (for example) Cisco IOS device that there is not an explicit AES192C/AES256C in the command, rather it is needed to be defined as AES 192 and/or AES 256.

When configuring the device for NMIS, you will need to explicitly tell it to use AES192C/AES256C using node_admin.pl (example covered previously).

...