Addendum

17 Simple Network Management Protocol (SNMP)

This chapter describes the SNMP enhancements and contains the following sections:
FIPS Compatibility Support for SNMPv3

SNMPv3 Compliance With FIPS
This functionality is supported on the S4810, S4820T, S6000, Z9000, I/O Aggregator, and MXL platforms.
SNMPv3 is compliant with the Federal Information Processing Standard (FIPS) cryptography standard. The
Advanced Encryption Standard (AES) Cipher Feedback (CFB) 128-bit encryption algorithm complies with
RFC 3826. SNMPv3 provides multiple authentication and privacy options for user configuration. A subset
of these are FIPS-approved algorithms: HMAC-SHA1-96 for authentication and AES128-CFB for privacy.
The other options are not FIPS-approved algorithms because of known security weaknesses. Starting with
Dell Networking OS Release 9.3(0.0), the AES128-CFB privacy option is supported and is compliant with
RFC 3826.
Starting with the Dell Networking OS Release 9.3.0.0, the SNMPv3 feature also uses a FIPS-validated
cryptographic module for all of its cryptographic operations when the system is configured with the
fips mode enable command in Global Configuration mode. When FIPS mode is enabled on the system,
SNMPv3 operates in a FIPS-compliant manner, and only the FIPS-approved algorithm options are available
for SNMPv3 user configuration. When FIPS mode is disabled on the system, all options are available for
SNMPv3 user configuration.
The following table describes the authentication and privacy options that can be configured when FIPS
mode is enabled or disabled:

FIPS Mode   Privacy Options        Authentication Options
---------   --------------------   ----------------------
Disabled    des56 (DES56-CBC)      md5 (HMAC-MD5-96)
            aes128 (AES128-CFB)    sha (HMAC-SHA1-96)
Enabled     aes128 (AES128-CFB)    sha (HMAC-SHA1-96)

To enable robust, effective protection for SNMP packets transferred between the server and the client,
use the snmp-server user username group groupname 3 auth authentication-type auth-password priv aes128
priv-password command to specify that the AES-CFB 128 encryption algorithm is used.
Dell(conf)#snmp-server user snmpguy snmpmon 3 auth sha AArt61wq priv aes128 jntRR59a
In this example, the AES128-CFB algorithm is configured for the specified user and group, together
with the authentication password that enables the server to receive packets from the host and the
privacy password that encodes the message contents.
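
The following added example (not part of the Dell documentation) audits saved snmp-server user lines against the FIPS-enabled row of the table above before FIPS mode is turned on. It assumes the token order shown in the example command, and treating a missing auth or priv option as a finding is this example's own choice; the function names and the sample lines after the first are constructed.

```python
# Option keywords and their FIPS status come from the table on this page.
FIPS_AUTH = {"sha"}      # HMAC-SHA1-96
FIPS_PRIV = {"aes128"}   # AES128-CFB

def audit_line(line):
    """Return (username, findings) for an SNMPv3 'snmp-server user' line, else None."""
    start = line.find("snmp-server user ")
    if start < 0:
        return None
    tok = line[start:].split()
    if len(tok) < 3 or "3" not in tok[3:]:
        return None                      # not an SNMPv3 user definition
    user = tok[2]
    opts = tok[tok.index("3", 3) + 1:]   # everything after the version number
    chosen = {"auth": None, "priv": None}
    i = 0
    while i < len(opts):
        if opts[i] in chosen and chosen[opts[i]] is None and i + 1 < len(opts):
            chosen[opts[i]] = opts[i + 1]
            i += 3                       # skip keyword, algorithm and password
        else:
            i += 1
    findings = []
    for kind, approved in (("auth", FIPS_AUTH), ("priv", FIPS_PRIV)):
        algo = chosen[kind]
        if algo is None:                 # assumption: missing option is reported
            findings.append(f"{kind}: not configured")
        elif algo not in approved:
            findings.append(f"{kind}: {algo} is not FIPS-approved")
    return user, findings                # passwords are never copied into findings

def audit_config(text):
    """Map each SNMPv3 user in a configuration to its list of findings."""
    results = {}
    for line in text.splitlines():
        parsed = audit_line(line)
        if parsed:
            results[parsed[0]] = parsed[1]
    return results

# Constructed sample: the first line is the page's example, the rest are invented.
SAMPLE = """\
Dell(conf)#snmp-server user snmpguy snmpmon 3 auth sha AArt61wq priv aes128 jntRR59a
snmp-server user legacy snmpmon 3 auth md5 Old#Pass1 priv des56 Old#Pass2
snmp-server user halfway snmpmon 3 auth sha Only4uth
snmp-server community notauser ro
"""

if __name__ == "__main__":
    for user, findings in audit_config(SAMPLE).items():
        print(user, "OK" if not findings else "; ".join(findings))
```

Users reported with md5 or des56 need to be reconfigured with sha and aes128, the only options the table lists as available once FIPS mode is enabled.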