Re: Does Net-SNMP support AES192 or AES256?
Test results (omitted rwuser instruction for brevity):

createUser user0 MD5 "authpw-00"    Works
createUser user1 MD5 "authpw-00" AES "default-00"    Works
createUser user2 MD5 "authpw-00" AES192 "default-00"    FAILED
createUser user2c MD5 "authpw-00" AES192C "default-00"    Works
createUser user3 SHA "authpw-00" AES192 "default-00"    FAILED
createUser user3c SHA "authpw-00" AES192C "default-00"    Works
createUser user4 SHA "authpw-00" AES256 "default-00"    FAILED
createUser user4c SHA "authpw-00" AES256C "default-00"    Works

In summary, it works when 'C' is added ("Cisco" algorithm).

Unfortunately I couldn't try SHA224, SHA256, SHA384 and SHA512 since my browser supports only SHA96.

Thank you Bill!!

Simon

On Mon, Apr 9, 2018 at 4:13 PM, Bill Fenner wrote:
> There are two ways to take a short auth key and lengthen it for a strong
> privacy algorithm. Two things to try:
>
> 1. Use "AES192C" for the user instead of "AES192" (this uses the "Cisco"
> algorithm);
> 2. Use a stronger auth mechanism, which creates a longer auth key, which
> doesn't have to be lengthened for the strong privacy algorithm, avoiding
> the question of how to lengthen it. I think SHA suffices, but of course
> SHA224, SHA256, SHA384 and SHA512 are available to try.
>
> Bill
Re: Does Net-SNMP support AES192 or AES256?
On Mon, Apr 9, 2018 at 12:21 PM, Simon Chamlian wrote:
> Hi,
>
> Thanks for the information Bill. So --with-transports="DTLSUDP"
> --with-security-modules="tsm" are not required but simply
> --enable-blumenthal-aes
>
> So I compiled the agent using the following configuration:
>
> ./configure --disable-embedded-perl
> --without-perl-modules with_endianness=big
> --enable-mini-agent --with-default-snmp-version="3"
> --disable-debugging
> --with-sys-contact="who@where"
> --with-logfile="/var/log/snmp"
> --with-transports="UDP TCP"
> --enable-blumenthal-aes
>
> In snmpd.conf I have:
>
> createUser user MD5 "authpw-00"
> rwuser user
>
> createUser user1 MD5 "authpw-00" AES "default-00"
> rwuser user1
>
> createUser user2 MD5 "authpw-00" AES192 "default-00"
> rwuser user2
>
> 1) The error message unknown privProtocol has disappeared from log file.
> 2) From the MIB browser, I do a GET on one of the OID using user (noPriv)
> and it works fine.
> 3) From the MIB browser, I do a GET on one of the OID using user2 using
> AES-128 and it works fine.
> 4) From the MIB browser, I do a GET on one of the OID using user3 using
> AES-192 and it DOES NOT work! I get the following error in the log file:
>
> security service 3 error parsing ScopedPDU
>
> What am I missing?

There are two ways to take a short auth key and lengthen it for a strong privacy algorithm. Two things to try:

1. Use "AES192C" for the user instead of "AES192" (this uses the "Cisco" algorithm);
2. Use a stronger auth mechanism, which creates a longer auth key, which doesn't have to be lengthened for the strong privacy algorithm, avoiding the question of how to lengthen it. I think SHA suffices, but of course SHA224, SHA256, SHA384 and SHA512 are available to try.

Bill
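Added example, not part of the thread and not Net-SNMP code: a sketch of the key lengthening discussed in the reply above, deriving the localized privacy key for the thread's "default-00" passphrase and extending it with the two published chaining schemes. Assumptions: the plain AES192/AES256 names follow the Blumenthal draft's chaining and the "C" names follow the chaining from the Reeder 3DES draft; the engine ID is a constructed sample.

```python
import hashlib

KEY_LEN = {"AES128": 16, "AES192": 24, "AES256": 32}  # privacy key sizes, bytes


def password_to_key(secret: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the secret repeated out to exactly 1 MiB (Ku)."""
    if not secret:
        raise ValueError("empty passphrase")
    reps, rest = divmod(1048576, len(secret))
    return hashlib.new(hash_name, secret * reps + secret[:rest]).digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: bind Ku to one authoritative engine (Kul)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def extend_blumenthal(kul: bytes, hash_name: str, need: int) -> bytes:
    """Blumenthal draft chaining: Kul = Kul || H(Kul) until long enough."""
    key = kul
    while len(key) < need:
        key += hashlib.new(hash_name, key).digest()
    return key[:need]


def extend_reeder(kul: bytes, engine_id: bytes, hash_name: str, need: int) -> bytes:
    """Reeder draft chaining: rerun password-to-key on the previous output.

    With MD5 or SHA-1 and keys up to 256 bits, one extra pass is enough.
    """
    key, last = kul, kul
    while len(key) < need:
        last = localize(password_to_key(last, hash_name), engine_id, hash_name)
        key += last
    return key[:need]


def priv_key(passphrase, engine_id, hash_name, cipher, scheme):
    """Localized privacy key; scheme is 'blumenthal' or 'reeder' (assumed names)."""
    kul = localize(password_to_key(passphrase, hash_name), engine_id, hash_name)
    need = KEY_LEN[cipher]
    if scheme == "blumenthal":
        return extend_blumenthal(kul, hash_name, need)
    if scheme == "reeder":
        return extend_reeder(kul, engine_id, hash_name, need)
    raise ValueError("unknown scheme: " + scheme)


if __name__ == "__main__":
    engine_id = bytes.fromhex("80001f8880a1b2c3d4e5f60718")  # constructed sample
    for hash_name in ("md5", "sha1"):
        size = hashlib.new(hash_name).digest_size  # 16 for MD5, 20 for SHA-1
        for cipher in ("AES128", "AES192", "AES256"):
            b = priv_key(b"default-00", engine_id, hash_name, cipher, "blumenthal")
            r = priv_key(b"default-00", engine_id, hash_name, cipher, "reeder")
            print(f"{hash_name:5} {cipher} digest={size}B need={len(b)}B "
                  f"extended={size < len(b)} schemes_agree={b == r}")
```

The two schemes agree only while the digest already covers the key (AES128); for AES192 and AES256 with MD5 or SHA-1 they produce different trailing bytes, so agent and manager must be set to the same variant.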
Re: Does Net-SNMP support AES192 or AES256?
Hi,

Thanks for the information Bill. So --with-transports="DTLSUDP" --with-security-modules="tsm" are not required but simply --enable-blumenthal-aes

So I compiled the agent using the following configuration:

./configure --disable-embedded-perl
--without-perl-modules with_endianness=big
--enable-mini-agent --with-default-snmp-version="3"
--disable-debugging
--with-sys-contact="who@where"
--with-logfile="/var/log/snmp"
--with-transports="UDP TCP"
--enable-blumenthal-aes

In snmpd.conf I have:

createUser user MD5 "authpw-00"
rwuser user

createUser user1 MD5 "authpw-00" AES "default-00"
rwuser user1

createUser user2 MD5 "authpw-00" AES192 "default-00"
rwuser user2

1) The error message unknown privProtocol has disappeared from log file.
2) From the MIB browser, I do a GET on one of the OID using user (noPriv) and it works fine.
3) From the MIB browser, I do a GET on one of the OID using user2 using AES-128 and it works fine.
4) From the MIB browser, I do a GET on one of the OID using user3 using AES-192 and it DOES NOT work! I get the following error in the log file:

security service 3 error parsing ScopedPDU

What am I missing?

Thanks,
Simon

On Fri, Apr 6, 2018 at 8:49 PM, Bill Fenner wrote:
> Simon,
>
> The USM AES192 and AES256 support is based upon an Internet Draft, which
> never became a standard - therefore, you have to pass
> "--enable-blumenthal-aes" to ./configure. (You don't have to enable TSM or
> the TLS transports; that's a whole different kettle of fish.)
>
> Bill
Re: Does Net-SNMP support AES192 or AES256?
Simon,

The USM AES192 and AES256 support is based upon an Internet Draft, which never became a standard - therefore, you have to pass "--enable-blumenthal-aes" to ./configure. (You don't have to enable TSM or the TLS transports; that's a whole different kettle of fish.)

Bill

On Fri, Apr 6, 2018 at 12:01 PM, Simon Chamlian wrote:
> Thanks for the tip.
>
> I did compile with the following options:
>
> --disable-embedded-perl
> --without-perl-modules with_endianness=big
> --enable-mini-agent
> --with-default-snmp-version="3"
> --enable-ipv6
> --disable-debugging
> --with-sys-contact="who@where"
> --with-logfile="/var/log/snmp"
>
> *--with-transports="DTLSUDP TLSTCP" --with-security-modules="tsm"*
>
> Still when I put
>
> createUser User2 MD5 "passwrd-00" AES192 (or AES-192) "default-00"
>
> I get an error message:
>
> snmpd.conf: line 27: Error: unknown privProtocol
>
> So does SNMP 5.8 support AES192 and AES256?
> Is it another syntax I need in snmpd.conf?
>
> Thanks,
>
> S.

___
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
Re: Does Net-SNMP support AES192 or AES256?
Thanks for the tip.

I did compile with the following options:

--disable-embedded-perl
--without-perl-modules with_endianness=big
--enable-mini-agent
--with-default-snmp-version="3"
--enable-ipv6
--disable-debugging
--with-sys-contact="who@where"
--with-logfile="/var/log/snmp"

*--with-transports="DTLSUDP TLSTCP" --with-security-modules="tsm"*

Still when I put

createUser User2 MD5 "passwrd-00" AES192 (or AES-192) "default-00"

I get an error message:

snmpd.conf: line 27: Error: unknown privProtocol

So does SNMP 5.8 support AES192 and AES256?
Is it another syntax I need in snmpd.conf?

Thanks,

S.

On Thu, Apr 5, 2018 at 5:14 PM, Keith Mendoza wrote:
> Simon,
> Those options have to be enabled in the configure options. I suggest
> building with the following configure options:
> --with-transports="DTLSUDP" --with-security-modules="tsm"
>
> There might be other configure options that you need to make it work.
>
> Just note though that SNMPv3 RFC _does not_ specify AES192 and AES256;
> they specified some older algorithms that were "latest and greatest"
> at the time it was being drafted :(
>
> Thanks,
> Keith
Re: Does Net-SNMP support AES192 or AES256?
Simon,

Those options have to be enabled in the configure options. I suggest building with the following configure options:

--with-transports="DTLSUDP" --with-security-modules="tsm"

There might be other configure options that you need to make it work.

Just note though that SNMPv3 RFC _does not_ specify AES192 and AES256; they specified some older algorithms that were "latest and greatest" at the time it was being drafted :(

Thanks,
Keith

On Thu, Apr 5, 2018 at 1:54 PM, Simon Chamlian wrote:
> Hi,
>
> Does Net-SNMP support AES192 or AES256?
>
> According to this link
>
> http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption
>
> The short answer is Yes, starting with release 5.8 AES192 and AES256 are an
> optional configure option.
>
> So I downloaded version 5.8.pre2 and tried:
>
> createUser user2 SHA "passwrd-00" AES192 "default-00"
> rwuser user2
>
> createUser user3 SHA "passwrd-00" AES256 "default-00"
> rwuser user3
>
> Does not work. I get an error:
> snmpd.conf: line 27: Error: unknown privProtocol
> snmpd.conf: line 31: Error: unknown privProtocol
>
> Any insight will be highly appreciated.
>
> S.