
SNMPV3 AES192/256 privacy does not work with Cisco IOS. #14

Closed
rbreesems opened this issue Aug 10, 2016 · 7 comments

Comments

@rbreesems

Pysnmp SNMPV3 AES192/AES256 privacy options do not work for Cisco devices
(test this with any Cisco device running an IOS that supports AES192/AES256).

This is because Cisco devices (i.e., IOS that supports AES192/AES256) do not use
https://tools.ietf.org/html/draft-blumenthal-aes-usm-04 for key localization/short key extension.
Instead, they use the procedure for 3DES key localization specified in
https://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00, which
specifies the 3DES key localization/short key extension.
I believe Cisco did this because they view the Reeder mechanism as an improvement
over the Blumenthal mechanism.

Please see the pull request that fixes this issue. However, the pull breaks
SNMPV3 AES192/AES256 privacy for any device that uses the key localization in
https://tools.ietf.org/html/draft-blumenthal-aes-usm-04
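To make the difference between the two key-extension schemes concrete, the following is an added example (not code from the issue author, and not pysnmp's implementation). It derives an SNMPv3 privacy key the RFC 3414 way (password-to-key, then localization with the engine ID) and then extends the localized key to the AES-192/AES-256 length with both procedures as I read the drafts: Blumenthal appends the hash of the running key, while Reeder treats the running key as a new password, runs password-to-key on it and localizes the result again. The sample password and engine ID are the RFC 3414 Appendix A test vector, not values from this thread; the function and constant names are my own.

```python
import hashlib
from typing import Callable

# Constructed sample inputs (RFC 3414 Appendix A test vector), not from the issue.
SAMPLE_PASSWORD = b"maplesyrup"
SAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")

ONE_MEBIBYTE = 1048576

AES192_KEY_SIZE = 24
AES256_KEY_SIZE = 32


def password_to_key(password: bytes, hash_ctor: Callable = hashlib.md5) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to exactly 1 MiB."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEBIBYTE, len(password))
    return hash_ctor(password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_ctor: Callable = hashlib.md5) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hash_ctor(ku + engine_id + ku).digest()


def extend_key_blumenthal(kul: bytes, key_size: int, hash_ctor: Callable = hashlib.md5) -> bytes:
    """draft-blumenthal-aes-usm-04 extension (as I read it): append H(Kul')
    to the running key until it is long enough, then truncate."""
    key = kul
    while len(key) < key_size:
        key += hash_ctor(key).digest()
    return key[:key_size]


def extend_key_reeder(kul: bytes, engine_id: bytes, key_size: int,
                      hash_ctor: Callable = hashlib.md5) -> bytes:
    """draft-reeder-snmpv3-usm-3desede-00 extension (as I read it): treat the
    running key as a new password, run password-to-key on it, localize the
    result with the engine ID and append that. With MD5 or SHA-1 output sizes
    a single round already reaches 24 or 32 bytes, so the loop runs once."""
    key = kul
    while len(key) < key_size:
        key += localize_key(password_to_key(key, hash_ctor), engine_id, hash_ctor)
    return key[:key_size]


def derive_priv_keys(password: bytes, engine_id: bytes, key_size: int,
                     hash_ctor: Callable = hashlib.md5) -> dict:
    """Return the privacy key under both schemes so the divergence is visible."""
    ku = password_to_key(password, hash_ctor)
    kul = localize_key(ku, engine_id, hash_ctor)
    return {
        "blumenthal": extend_key_blumenthal(kul, key_size, hash_ctor),
        "reeder": extend_key_reeder(kul, engine_id, key_size, hash_ctor),
    }


if __name__ == "__main__":
    for size in (AES192_KEY_SIZE, AES256_KEY_SIZE):
        keys = derive_priv_keys(SAMPLE_PASSWORD, SAMPLE_ENGINE_ID, size)
        print(f"AES key size {size}:")
        for scheme, key in keys.items():
            print(f"  {scheme:10s} {key.hex()}")
```

The point the script makes is that the first hash-length bytes agree under both schemes (they are the plain RFC 3414 localized key, which is why AES-128 is unaffected), and only the extension bytes differ. An agent and a manager that disagree on the scheme therefore decrypt each other's AES-192/256 traffic to garbage while AES-128 keeps working, which is exactly the symptom this issue reports.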

@rbreesems
Author

I have an update to this. At our research center, I was able to test against an Extreme Networks switch running ExtremeXOS (X440G2-48p-10G4) version 21.1.1.4 21.1.1.4-patch1-5.

This implemented AES192/AES256 in exactly the same way as Cisco (this means my pull request solves this problem for Extreme Networks devices as well).

I believe that Cisco has now established a 'de facto' standard for AES192/256 privacy, and that everybody else is following this, so there is no reason to support multiple key localization methods for AES192/256. Just do it how Cisco does it (i.e., via my pull request that implements the 3DES localization method) and that should be good enough.

@rbreesems rbreesems reopened this Aug 11, 2016
@rbreesems
Author

Sorry, did not mean to close this issue.

@etingof
Owner

etingof commented Aug 15, 2016

Thank you for solving this mess!

Could you please take a look at PRs to resolve my uncertainties?

@rbreesems
Author

I made commits to both of my pull requests that cleaned up the code as per your comments, and left some other comments that hopefully cleared up things.

Thank you for looking at this.

@etingof
Owner

etingof commented Aug 21, 2016

Both schemes were implemented in master since c9c3d13. Your verification and further changes are very welcome. Thank you for your efforts!

@etingof
Owner

etingof commented Aug 21, 2016

Public SNMP simulator is now running pysnmp master. You are welcome to test its agent-side 3DES/AES192/256 implementation with your MIB browsing tools.

@rbreesems
Author

On August 22, 2016, I pulled the latest PySNMP source and tested 3DES/AES192/256 SNMPV3 privacy credentials against Cisco IOS 15.4, 800 Series Router -- all passed!

I am closing this issue.
