SNMP v3 support.

[o1crimson1o]

Will v3 support ever be included?

[fboaventura]

Using v3 wasn't on my radar, but it can be included. :)

[fboaventura]

Adding support for SNMPv3 may be more complex than I first anticipated. It has to be well evaluated because there are multiple ways of passing authentication to cfgmaker. Quoting from the documentation

User-based Security Model Arguments The User-based Security Model (USM) used by SNMPv3 requires that a securityName be specified using the --username argument. The creation of a Net::SNMP object with the version set to SNMPv3 will fail if the --username argument is not present. The --username argument expects a string 1 to 32 octets in length.

Different levels of security are allowed by the User-based Security Model which address authentication and privacy concerns. A SNMPv3 target will derive the security level (securityLevel) based on which of the following arguments are specified.

By default a securityLevel of 'noAuthNoPriv' is assumed. If the --authkey or --authpassword arguments are specified, the securityLevel becomes 'authNoPriv'. The --authpassword argument expects a string which is at least 1 octet in length. Optionally, the --authkey argument can be used so that a plain text password does not have to be specified in a script. The --authkey argument expects a hexadecimal string produced by localizing the password with the authoritativeEngineID for the specific destination device. The snmpkey utility included with the Net::SNMP distribution can be used to create the hexadecimal string (see snmpkey).

Two different hash algorithms are defined by SNMPv3 which can be used by the Security Model for authentication. These algorithms are HMAC-MD5-96 "MD5" (RFC 1321) and HMAC-SHA-96 "SHA-1" (NIST FIPS PUB 180-1). The default algorithm used by the module is HMAC-MD5-96. This behavior can be changed by using the --authprotocol argument. This argument expects either the string 'md5' or 'sha' to be passed to modify the hash algorithm.

By specifying the arguments --privkey or --privpassword the securityLevel associated with the object becomes 'authPriv'. According to SNMPv3, privacy requires the use of authentication. Therefore, if either of these two arguments are present and the --authkey or --authpassword arguments are missing, the creation of the object fails. The --privkey and --privpassword arguments expect the same input as the --authkey and --authpassword arguments respectively.

The User-based Security Model described in RFC 3414 defines a single encryption protocol to be used for privacy. This protocol, CBC-DES "DES" (NIST FIPS PUB 46-1), is used by default or if the string 'des' is passed to the --privprotocol argument. By working with the Extended Security Options Consortium http://www.snmp.com/eso/, the module also supports additional protocols which have been defined in draft specifications. The draft http://www.snmp.com/eso/draft-reeder-snmpv3-usm-3desede-00.txt defines the support of CBC-3DES-EDE "Triple-DES" (NIST FIPS 46-3) in the User-based Security Model. This protocol can be selected using the --privprotocol argument with the string '3desede'. The draft http://www.snmp.com/eso/draft-blumenthal-aes-usm-04.txt describes the use of CFB128-AES-128/192/256 "AES" (NIST FIPS PUB 197) in the USM. The three AES encryption protocols, differentiated by their key sizes, can be selected by passing 'aescfb128', 'aescfb192', or 'aescfb256' to the -privprotocol argument.

I need a way to keep things simple while supporting the diversity of authentication options. Let's see how it goes. I'm open to suggestions :)