SNMPV3 AES192/256 privacy does not work with Cisco IOS. #14
Comments
I have an update to this. At our research center, I was able to test against an Extreme Networks switch running ExtremeXOS (X440G2-48p-10G4) version 21.1.1.4 21.1.1.4-patch1-5. This implemented AES192/AES256 in exactly the same way as Cisco (this means my pull request solves this problem for Extreme Networks devices as well). I believe that Cisco has now established a 'de facto' standard for AES192/256 privacy, and that everybody else is following with this, so there is no reason to support multiple key localization methods for AES192/256. Just do it how Cisco does it (i.e., via my pull request that implements the 3DES localization method) and that should be good enough.
Sorry, did not mean to close this issue.
Thank you for solving this mess! Could you please take a look at PRs to resolve my uncertainties?
I made commits to both of my pull requests that cleaned up the code as per your comments, and left some other comments that hopefully cleared up things. Thank you for looking at this.
Both schemes were implemented in master since c9c3d13. Your verification and further changes are very welcome. Thank you for your efforts!
Public SNMP simulator is now running pysnmp master. You are welcome to test its agent-side 3DES/AES192/256 implementation with your MIB browsing tools.
On August 22, 2016, pulled latest PySNMP source and tested 3DES/AES192/256 SNMPV3 privacy credentials against Cisco IOS 15.4, 800 Series Router -- all passed! I am closing this issue.
Pysnmp SNMPV3 AES192/AES256 privacy options do not work for Cisco devices
(test this with any Cisco device running an IOS that supports AES192/AES256).
This is because Cisco devices (i.e., IOS that supports AES192/AES256) do not use
https://tools.ietf.org/html/draft-blumenthal-aes-usm-04 for key localization/short key extension.
Instead, they use the procedure for 3DES key localization specified in
https://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00 which
specifies the 3DES key localization/short key extension.
I believe Cisco did this because they view the Reeder mechanism as an improvement
over the Blumenthal mechanism.
Please see the pull request that fixes this issue. However, the pull request breaks
SNMPV3 AES192/AES256 privacy for any device that uses the key localization in
https://tools.ietf.org/html/draft-blumenthal-aes-usm-04
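To make the difference concrete, here is an added example (not pysnmp's own code, and not from the issue) that derives an AES-256 privacy key both ways from the same password and engine ID. It assumes my reading of the two drafts: Blumenthal extends the RFC 3414 localized key by hashing the key so far and appending, while Reeder (the scheme the reporter says Cisco IOS uses) re-runs the full password-to-key plus localization round on the key so far. The engine ID in the demo is constructed.

```python
import hashlib


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated out to 1,048,576 octets)."""
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def blumenthal_priv_key(password: bytes, engine_id: bytes, key_size: int,
                        hash_name: str = "sha1") -> bytes:
    """draft-blumenthal-aes-usm-04 style extension (assumed): append H(key so far)."""
    kul = localize(password_to_key(password, hash_name), engine_id, hash_name)
    while len(kul) < key_size:
        kul += hashlib.new(hash_name, kul).digest()
    return kul[:key_size]


def reeder_priv_key(password: bytes, engine_id: bytes, key_size: int,
                    hash_name: str = "sha1") -> bytes:
    """draft-reeder-snmpv3-usm-3desede-00 style extension (assumed): re-run the
    password-to-key and localization steps on the key so far, then append."""
    kul = localize(password_to_key(password, hash_name), engine_id, hash_name)
    while len(kul) < key_size:
        kul += localize(password_to_key(kul, hash_name), engine_id, hash_name)
    return kul[:key_size]


if __name__ == "__main__":
    # Constructed engine ID; with SHA-1 the localized key is 20 octets, so both
    # schemes agree on the first 20 octets of an AES-256 key and differ after that.
    engine_id = bytes.fromhex("800000090300aabbccddeeff")
    for name, derive in (("blumenthal", blumenthal_priv_key), ("reeder", reeder_priv_key)):
        print(f"{name:10s} {derive(b'maplesyrup', engine_id, 32).hex()}")
```

The first 20 octets are identical under both schemes, which is why the two sides of a session can agree on the AES-128 key but not the AES-192/256 key; only the tail differs.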