SNMPv3 Configuration: Authentication and Encryption
Moving from SNMPv2c to SNMPv3 for secure monitoring. User-based security model, authentication protocols, and privacy settings.
Why SNMPv3?
SNMPv1 and v2c transmit community strings in plaintext. Anyone with network access can capture these credentials and gain read or write access to your devices. SNMPv3 adds authentication and encryption.
SNMPv1/v2c
- Plaintext community strings
- No encryption
- No message integrity
SNMPv3 noAuthNoPriv
- Username-based
- No encryption
- No authentication
SNMPv3 authPriv
- Username-based
- Encrypted payload
- Message authentication
Note: Always use authPriv level in production. noAuthNoPriv provides no real security benefit over v2c.
Security Levels Explained
SNMPv3 defines three security levels. Each adds protection over the previous.
noAuthNoPriv
Uses username for access control but no cryptographic protection. Messages can be viewed and modified in transit.
authNoPriv
Adds message authentication using HMAC. Ensures messages haven't been tampered with and come from the expected source. Content is still visible.
authPriv
Adds encryption on top of authentication. Message content is protected from eavesdropping. This is the recommended level.
Authentication Protocols
Authentication verifies the sender and ensures message integrity. Two protocol families are available.
| Protocol | Hash Size | Status |
|---|---|---|
| MD5 | 128-bit | Deprecated |
| SHA-1 | 160-bit | Legacy |
| SHA-224 | 224-bit | Acceptable |
| SHA-256 | 256-bit | Recommended |
| SHA-384 | 384-bit | Recommended |
| SHA-512 | 512-bit | Recommended |
Use SHA-256 or higher. MD5 has known weaknesses and SHA-1 is considered weak for new deployments. Check device support - older hardware may only support MD5/SHA-1.
Privacy (Encryption) Protocols
Privacy protocols encrypt the SNMP payload, preventing eavesdropping.
| Protocol | Key Size | Status |
|---|---|---|
| DES | 56-bit | Deprecated |
| 3DES | 168-bit (112 effective) | Legacy |
| AES-128 | 128-bit | Recommended |
| AES-192 | 192-bit | Recommended |
| AES-256 | 256-bit | Recommended |
DES is trivially broken with modern hardware. Use AES-128 at minimum, AES-256 for sensitive environments. Performance difference is negligible on modern devices.
Configuration Example
Setting up SNMPv3 on a Cisco device and configuring the monitoring system to connect.
Device side (Cisco IOS):

```
snmp-server group MONITORS v3 priv
snmp-server user netgraph MONITORS v3 auth sha256 AuthPass123! priv aes 256 PrivPass456!
```

Monitoring system side (credentials read from environment variables):

```yaml
snmp:
  credentials:
    - name: secure-v3
      version: 3
      security_level: authPriv
      username: netgraph
      auth_protocol: SHA256
      auth_password: ${SNMP_AUTH_PASS}
      priv_protocol: AES256
      priv_password: ${SNMP_PRIV_PASS}
```
Migration Strategy
Migrating from v2c to v3 across many devices takes planning. Here's a practical approach.
1. Inventory device support: Check which devices support v3 and which auth/priv protocols they implement.
2. Configure v3 alongside v2c: Add v3 users while keeping v2c enabled. Test v3 connectivity.
3. Update monitoring to use v3: Switch your collectors to v3 credentials. Verify metrics flow correctly.
4. Disable v2c: Remove community strings from devices. Monitor for any tools still trying v2c.
Common Issues
"Authentication failure"
Username, auth password, or auth protocol mismatch. Verify all three match exactly between device and monitoring system.
"Decryption error"
Privacy password or protocol mismatch. Some devices use different AES key derivation methods - check vendor documentation.
"Unknown user"
SNMPv3 usernames are case-sensitive and must be created on the device before use. Engine ID may also need synchronization.
"Time not synchronized"
SNMPv3 uses timestamps to prevent replay attacks. Large time differences between device and monitoring system cause failures. Use NTP.
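The "Decryption error" and "Unknown user" cases above both come down to how SNMPv3 turns a password into a per-device key. This added example (not part of the original article or of any vendor's code) implements the RFC 3414 password-to-key and key-localization steps with Python's `hashlib`, using the protocol names from the monitoring config above, and shows why the privacy key depends on the engine ID and why a short auth hash paired with a long AES key has no standard answer. The engine ID and password in `__main__` are the RFC 3414 sample values, not real device data.

```python
import hashlib

# Map the protocol names used in the monitoring config to hashlib digest names.
AUTH_HASHES = {"MD5": "md5", "SHA1": "sha1", "SHA224": "sha224",
               "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}
# Key size in bytes required by each privacy cipher (DES omitted: deprecated).
PRIV_KEY_BYTES = {"AES128": 16, "AES192": 24, "AES256": 32}


def password_to_key(password: bytes, auth_protocol: str) -> bytes:
    """RFC 3414 A.2: cycle the password out to 1,048,576 octets and hash once (Ku)."""
    total = 1048576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(AUTH_HASHES[auth_protocol], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), so the same password
    gives a different key on every device; the collector must know the engine ID."""
    return hashlib.new(AUTH_HASHES[auth_protocol], ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, auth_protocol: str) -> bytes:
    ku = password_to_key(password.encode(), auth_protocol)
    return localize_key(ku, engine_id, auth_protocol)


def priv_key(password: str, engine_id: bytes, auth_protocol: str, priv_protocol: str) -> bytes:
    """Privacy key per RFC 3826: the localized key truncated to the cipher's key size.
    If the auth hash is shorter than the cipher key (e.g. SHA-1 with AES-256) the
    RFCs define no extension; vendors differ, which produces 'Decryption error'."""
    kul = localized_key(password, engine_id, auth_protocol)
    need = PRIV_KEY_BYTES[priv_protocol]
    if len(kul) < need:
        raise ValueError(f"{auth_protocol} yields {len(kul)} bytes but {priv_protocol} "
                         f"needs {need}; key extension is vendor-specific")
    return kul[:need]


if __name__ == "__main__":
    # Sample engine ID from RFC 3414 appendix A.3 (constructed, not a real device).
    eid = bytes.fromhex("000000000000000000000002")
    print("MD5 localized key:", localized_key("maplesyrup", eid, "MD5").hex())
    print("AES-256 key:", priv_key("PrivPass456!", eid, "SHA256", "AES256").hex())
```

Running the SHA-256/AES-256 pair from the configuration example gives an exact 32-byte fit, which is one practical reason to prefer that combination over SHA-1 with AES-256.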