Each Simple Network Management Protocol (SNMP) entity includes a single SNMP engine. An SNMP engine implements functions for sending and receiving messages, authenticating and encrypting/decrypting messages, and controlling access to managed objects. These functions are provided as services to one or more applications that are configured with the SNMP engine to form an SNMP entity. The RFC 3411 describes the SNMP engine as composed of the following components:
Cipher Block Chaining/Data Encryption Standard (CBC-DES) is the privacy protocol for the AES and 3-DES Encryption Support for SNMP Version 3 feature. Prior to the introduction of this feature, only DES was supported (as per RFC 3414). This feature adds support for AES-128 (as per RFC 3826) and AES-192, AES-256 and 3-DES (as per CISCO-SNMP-USM-OIDS-MIB). RFC 3826 extensions have been included in the SNMP-USM-AES-MIB. In addition, Cisco-specific extensions to support Triple-Data Encryption Algorithm (3-DES) and AES 192-bit and 256-bit encryption have been added to the CISCO-SNMP-USM-MIB. Additional information can be found in the Internet-Draft titled
Extension to the User-Based Security Model (USM) to Support Triple-DES EDE in "Outside" CBC Mode.
The encryption key sizes are:
AES encryption uses the Cipher Feedback (CFB) mode with encryption key sizes of 128, 192, or 256 bits.
3-DES encryption uses the 168-bit key size for encryption.
The AES Cipher Algorithm in the Simple Network Management Protocol (SNMP) User-based Security Model (USM) draft describes the use of AES with 128-bit key size. However, the other options are also implemented with the extension to use the USM. There is no standard for generating localized keys for 192- or 256-bit size keys for AES or for 168-bit size key for 3-DES. There is no authentication protocol available for longer keys.
Support for SNMP Version 3 USM is compliant with RFC 3414, which defines DES as the only required method of message encryption for SNMP Version 3 authPriv mode.
The AES and 3-DES Encryption Support for SNMP Version 3 feature supports the selection of privacy protocols through the CLI and the MIB. A new standard MIB, SNMP-USM-AES-MIB, provides support for the 128-bit key in the Advanced Encryption Standard (AES). The extended options of AES with 192- or 256-bit keys and 3-DES are supported as extensions to the SNMP-USM-MIB in the Cisco-specific MIB—CISCO-SNMP-USM-EXT-MIB.