That's interesting, thanks! AES192C and AES256C are clearly present in the
code
<https://github.com/prometheus/snmp_exporter/blob/v0.25.0/config/config.go#L152-L165>,
but the documentation in generator/README.md omits to mention them.
>From gosnmp's source (v3_usm.go):
// Changed: AES192, AES256, AES192C, AES256C added
const (
NoPriv SnmpV3PrivProtocol = 1
DES SnmpV3PrivProtocol = 2
AES SnmpV3PrivProtocol = 3
AES192 SnmpV3PrivProtocol = 4 // Blumenthal-AES192
AES256 SnmpV3PrivProtocol = 5 // Blumenthal-AES256
AES192C SnmpV3PrivProtocol = 6 // Reeder-AES192
AES256C SnmpV3PrivProtocol = 7 // Reeder-AES256
)
Some background here:
https://community.cisco.com/t5/network-management/snmpv3-aes192-256-key-localization-not-done-via-aes-draft/td-p/2954763
https://github.com/markabrahams/node-net-snmp/issues/154#issuecomment-757456861
Personally, I'd suggest using the more standard AES(128) instead. I note
that in its implementation of TLS versions <1.3, Go prefers AES over AES256
<https://github.com/golang/go/blob/go1.21.6/src/crypto/tls/cipher_suites.go#L260-L265>
when
negotiating ciphers:
// - AES-128 comes before AES-256
//
// The only potential advantages of AES-256 are better multi-target
// margins, and hypothetical post-quantum properties. Neither apply to
// TLS, and AES-256 is slower due to its four extra rounds (which don't
// contribute to the advantages above).
On Wednesday 10 January 2024 at 11:40:57 UTC Alexander Wilke wrote:
> If you use Cisco devices then you have to use a "C" at the end of the
> privacy protocol because it seems Cisco has specific impelementation.
>
> I use
>
> *priv_protocol: AES256C*
>
> for Cisco IOS and IOS XE devices running 17.x.y version.
>
>
> Brian Candler schrieb am Mittwoch, 10. Januar 2024 um 12:32:08 UTC+1:
>
>> > Please list the SNMP V3 instance configuration in generator.yml. I want
>> to know where the configuration error is!
>>
>> It's in the documentation:
>>
>> https://github.com/prometheus/snmp_exporter/blob/main/generator/README.md#file-format
>>
>> However, you don't need to compile anything to get started. Just use the
>> supplied snmp.yml, and edit the section under "auths" so it looks like this:
>>
>> auths:
>> public_v1:
>> community: public
>> security_level: noAuthNoPriv
>> auth_protocol: MD5
>> priv_protocol: DES
>> version: 1
>> public_v2:
>> community: public
>> security_level: noAuthNoPriv
>> auth_protocol: MD5
>> priv_protocol: DES
>> version: 2
>>
>>
>>
>>
>>
>>
>>
>> * prod_v3: version: 3 security_level: authPriv username: admin
>> auth_protocol: SHA password: XXXXXXX priv_protocol: AES
>> priv_password: YYYYYYY*
>>
>> And you're done.
>>
>> The next simplest option is to load multiple config files. This means you
>> can use the existing snmp.yml completely unchanged, and a separate yml file
>> that has just your auth(s) in it. I use the following:
>>
>> *snmp_exporter --config.file=/etc/prometheus/snmp.d/*.yml*
>>
>> Then I have /etc/prometheus/snmp.d/auth.yml (which is mine)
>> and /etc/prometheus/snmp.d/snmp.yml (which is the standard one).
>>
>> You only need to use the generator if you want to scrape MIBs other than
>> the supplied example ones. You can do this by starting with the supplied
>> generator.yml
>> <https://github.com/prometheus/snmp_exporter/blob/main/generator/generator.yml>
>>
>> and modifying it. But if all you want to do is change the auths, I wouldn't
>> bother, since the generator essentially just copies the auths from its
>> input to its output.
>>
>> On Wednesday 10 January 2024 at 10:36:09 UTC Awemnhd wrote:
>>
>>> I tried using snmp_exporter-0.25.0, using SNMP v3 mode, SHA and AES
>>> still not successful, and I have to recompile the generator.yml file,
>>> otherwise using the default snmp.yml file will have no effect!
>>>
>>> Please list the SNMP V3 instance configuration in generator.yml. I want
>>> to know where the configuration error is!
>>>
>>> 在2024年1月9日星期二 UTC+8 22:54:36<Brian Candler> 写道:
>>>
>>>> > Why is SNMP v3 so difficult to implement?
>>>>
>>>> It's not. It's dead easy. Do you have a working snmpwalk command line
>>>> which talks to your device? Then you just transfer the settings to your
>>>> snmp_exporter configuration.
>>>>
>>>> This has been made easier since snmp_exporter v0.23.0
>>>> <https://github.com/prometheus/snmp_exporter/releases/tag/v0.23.0>,
>>>> because the "modules" which define the OID walking and the "auths" which
>>>> provide the credentials have been made orthogonal. You can add new auths,
>>>> without touching modules. You can also put them in separate files.
>>>>
>>>> So you end up with e.g.
>>>>
>>>> auths:
>>>> prod_v3:
>>>> version: 3
>>>> security_level: authPriv
>>>> username: admin
>>>> auth_protocol: SHA
>>>> password: XXXXXXX
>>>> priv_protocol: AES
>>>> priv_password: YYYYYYY
>>>>
>>>> then you call /snmp?target=x.x.x.x&module=if_mib&auth=prod_v3
>>>>
>>>> The default is indeed still public_v2. The only other option would be
>>>> to have no default, i.e. snmp_exporter would fail unless you provide an
>>>> explicit set of credentials.
>>>>
>>>> Hence I'd definitely recommend moving to snmp_exporter 0.25.0. If you
>>>> can't do that, then there is a YAML trick you can do to make adding new
>>>> auths easier:
>>>>
>>>> modules:
>>>> if_mib: *&if_mib*
>>>> .... etc
>>>>
>>>> # Append to end of file
>>>>
>>>> *if_mib_prod_v3: <<: *if_mib*
>>>> version: 3
>>>> timeout: 3s
>>>> retries: 3
>>>> auth:
>>>> security_level: authPriv
>>>> username: admin
>>>> auth_protocol: SHA
>>>> password: XXXXXXXX
>>>> ... etc
>>>>
>>>> This effectively "clones" the if_mib module under a new module
>>>> "if_mib_prod_v3", and then overrides parts of it.
>>>>
>>>> On Tuesday 9 January 2024 at 10:04:57 UTC Awemnhd wrote:
>>>>
>>>>> see
>>>>> https://github.com/prometheus/snmp_exporter/tree/main/generator#file-format
>>>>>
>>>>> Tried various ways to achieve some parameter passing
>>>>> username:
>>>>> security_level:
>>>>> password: SHA
>>>>> auth_protocol: AES
>>>>> priv_protocol:
>>>>> priv_password:
>>>>>
>>>>> As a result, when the service is started, the default access method is
>>>>> community: public_v2!
>>>>>
>>>>> Why is SNMP v3 so difficult to implement? Why are they all in SNMP V2
>>>>> mode? Why?
>>>>>
>>>>
--
You received this message because you are subscribed to the Google Groups
"Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/prometheus-users/69fb1d48-4619-4705-8345-68b4df2ad16bn%40googlegroups.com.
