SNMP Configuration Guide, Cisco IOS XE Release 3S
AES and 3-DES Encryption Support for SNMP Version 3
Downloads: This chapterpdf (PDF - 123.0KB) The complete bookPDF (PDF - 0.98MB) | The complete bookePub (ePub - 860.0KB) | Feedback

AES and 3-DES Encryption Support for SNMP Version 3

AES and 3-DES Encryption Support for SNMP Version 3

Last Updated: April 1, 2013

The AES and 3-DES Encryption Support for SNMP Version 3feature enhances the encryption capabilities of SNMP version 3. This support for Simple Network Management Protocol (SNMP) version 3 User-Based Security Model (USM) is complaint with RFC 3414, which defines DES as the only required method of message encryption for SNMP version 3 authPriv mode.

The AES and 3-DES Encryption Support for SNMP Version 3 feature adds Advanced Encryption Standard (AES) 128-bit encryption in compliance with RFC 3826. RFC 3826 extensions have been included in the SNMP-USM-AES-MIB. In addition, Cisco-specific extensions to support Triple-Data Encryption Algorithm (3-DES) and AES 192-bit and 256-bit encryption have been added to the CISCO-SNMP-USM-MIB. Additional information can be found in the Internet-Draft titled Extension to the User-Based Security Model (USM) to Support Triple-DES EDE in "Outside" CBC Mode, which can be found at the following URL: http://www.snmp.com/eso/draft-reeder-snmpv3-usm-3desede-00.txt.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for AES and 3-DES Encryption Support for SNMP Version 3

  • The network management station (NMS) must support SNMP version 3 to use this feature of the SNMP agent.
  • This feature is available in Cisco IOS XE software images where encryption algorithms are supported.

Information About AES and 3-DES Encryption Support for SNMP Version 3

SNMP Architecture

The architecture for describing Internet Management Frameworks contained in RFC 3411 describes the SNMP engine as composed of the following components:

  • Dispatcher
  • Message Processing Subsystem
  • Security Subsystem
  • Access Control Subsystem

Applications make use of the services of these subsystems. It is important to understand the SNMP architecture and the terminology of the architecture to understand where the Security Model fits into the architecture and interacts with the other subsystems within the architecture. The information is contained in RFC 3411 and your are encouraged to review this RFC to obtain an understanding of the SNMP architecture and subsystem interactions.

Encryption Key Support

In the AES and 3-DES Encryption Support for SNMP Version 3 feature the Cipher Block Chaining/Data Encryption Standard (CBC-DES) is the privacy protocol. Originally only DES was supported (as per RFC 3414). This feature adds support for AES-128 (as per RFC 3826) and AES-192, AES-256 and 3-DES (as per CISCO-SNMP-USM-OIDS-MIB).

  • AES encryption uses the Cipher Feedback (CFB) mode with encryption key sizes of 128, 192, or 256 bits.
  • 3DES encryption uses the 168-bit key size for encryption.

The AES Cipher Algorithm in the SNMP User-based Security Model draft describes the use of AES with 128-bit key size. However, the other options are also implemented with the extension to use the USM. There is currently no standard for generating localized keys for 192- or 256-bit size keys for AES or for 168-bit size key for 3-DES. There is no authentication protocol available with longer keys.

Management Information Base Support

The AES and 3-DES Encryption Support for SNMP Version 3AES and 3-DES Encryption Support for SNMP Version 3 feature supports the selection of privacy protocols through the CLI and the Management Information Base (MIB). A new standard MIB, SNMP-USM-AES-MIB, provides support for the 128-bit key in AES. The extended options of AES with 192- or 256-bit keys and 3-DES are supported as extensions to the SNMP-USM-MIB, in the Cisco-specific MIB, CISCO-SNMP-USM-OIDS-MIB.

How to Configure AES and 3-DES Encryption Support for SNMP Version 3

Adding a New User to an SNMP Group

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    snmp-server user username group-name [remote host [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes {128 | 192 |256}} privpassword] [access [ipv6 nacl] {acl-number | acl-name}]

4.   exit


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Device> enable

 

Enters privileged EXEC mode.

  • Enter your password when prompted.
 
Step 2
configure terminal


Example:

Device# configure terminal

 

Enters global configuration mode.

 
Step 3
snmp-server user username group-name [remote host [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes {128 | 192 |256}} privpassword] [access [ipv6 nacl] {acl-number | acl-name}]


Example:

Device(config)# snmp-server user new-user new-group v3 auth md5 secureone priv aes 128 privatetwo access 2

 

Adds an SNMP user, specifies a group to which the user belongs, specifies the authorization algorithm to be used (MD5 or SHA), specifies the privacy algorithm to be used (DES, 3-DES, AES, AES-192, or AES-256), and specifies the password to be associated with this privacy protocol.

 
Step 4
exit


Example:

Device(config)# exit

 
Exits global configuration mode and returns to privileged EXEC mode.  

Verifying SNMP User Configuration

To display information about the configured characteristics of Simple Network Management Protocol (SNMP) users, use the show snmp user command in privileged EXEC mode.


Note


The show snmp user command displays all the users configured on the device. However, unlike other SNMP configurations, the snmp-server user command will not appear on the "show running" output.
SUMMARY STEPS

1.    enable

2.    show snmp user [username


DETAILED STEPS
Step 1   enable


Example:
Device> enable 

Enters privileged EXEC mode. Enter your password when prompted.

Step 2   show snmp user [username


Example:
Device# show snmp user
 abcd
User name: abcd 
Engine ID: 00000009020000000C025808 
storage-type: nonvolatile       active access-list: 10
Rowstatus: active 
Authentication Protocol: MD5
Privacy protocol: 3DES 
Group name: VacmGroupName 
Group name: VacmGroupName 

The above example specifies the username as abcd, the engine ID string as 00000009020000000C025808, and the storage type as nonvolatile:


Additional References

The following sections provide references related to the AES and 3-DES Encryption Support for SNMP Version 3 feature.

Related Documents

Related Topic

Document Title

SNMP commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

Cisco IOS Network Management Command Reference

Cisco IOS XE commands

For information about Cisco IOS XE commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or the Cisco IOS Master Command List, All Releases , at http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html.

MIBs

MIB

MIBs Link

  • SNMP-USM-AES-MIB
  • CISCO-SNMP-USM-OIDS-MIB

To locate and download MIBs for selected platforms, Cisco IOS XE releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

RFC 2574

User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)

RFC 3411

Architecture for Describing Internet Management Frameworks

RFC 3414

User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)

RFC 3826

The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for AES and 3-DES Encryption Support for SNMP Version 3

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for AES and 3-DES Encryption Support for SNMP Version 3

Feature Name

Releases

Feature Information

AES and 3-DES Encryption Support for SNMP Version 3

Cisco IOS XE Release 2.1

The AES and 3-DES Encryption Support for SNMP Version 3 feature enhances the encryption capabilities of SNMP version 3. This support for SNMP version 3 USM is complaint with RFC 3414, which defines DES as the only required method of message encryption for SNMP version 3 authPriv mode.

The AES and 3-DES Encryption Support for SNMP Version 3 feature adds AES 128-bit encryption in compliance with RFC 3826.

The following commands were introduced or modified by this feature:

show snmp user , snmp-server user

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2013 Cisco Systems, Inc. All rights reserved.