SNMPv3

Secure SNMP with authentication and encryption.

Overview

SNMPv3 adds security features missing from v1/v2c:

| Feature | v1/v2c | v3 |
| --- | --- | --- |
| Authentication | Community string (plaintext) | HMAC (MD5, SHA, SHA-256, SHA-384, SHA-512) |
| Encryption | None | DES-CBC, AES-128-CFB |
| Access Control | Community-based | User-based (USM) |
| Engine Discovery | N/A | Automatic |

Security Levels

The security level is determined by which parameters you provide:

    from snmpkit.manager import Manager

    # noAuthNoPriv - username only, no security
    mgr = Manager("192.168.1.1", version=3, user="admin")

    # authNoPriv - authentication, no encryption
    mgr = Manager(
        "192.168.1.1",
        version=3,
        user="admin",
        auth_protocol="SHA256",
        auth_password="auth_pass",
    )

    # authPriv - authentication + encryption (recommended)
    mgr = Manager(
        "192.168.1.1",
        version=3,
        user="admin",
        auth_protocol="SHA256",
        auth_password="auth_pass",
        priv_protocol="AES",
        priv_password="priv_pass",
    )

Always use authPriv in production. noAuthNoPriv provides no more security than v2c.

Authentication Protocols

| Protocol | String | Security | Notes |
| --- | --- | --- | --- |
| HMAC-MD5-96 | "MD5" | Weak | Legacy only, not recommended |
| HMAC-SHA-96 | "SHA" | Moderate | SHA-1, being phased out |
| HMAC-SHA-224 | "SHA224" | Good | Truncated SHA-256 |
| HMAC-SHA-256 | "SHA256" | Strong | Recommended default |
| HMAC-SHA-384 | "SHA384" | Strong | High security |
| HMAC-SHA-512 | "SHA512" | Strong | Maximum security |

Privacy Protocols

| Protocol | String | Key Size | Notes |
| --- | --- | --- | --- |
| DES-CBC | "DES" | 56-bit | Legacy only |
| AES-128-CFB | "AES" | 128-bit | Recommended |

Privacy requires authentication. You cannot use priv_protocol without auth_protocol.

Complete Examples

    import asyncio
    from snmpkit.manager import Manager

    async def main():
        async with Manager(
            "192.168.1.1",
            version=3,
            user="snmpv3user",
            auth_protocol="SHA256",
            auth_password="auth_password_here",
            priv_protocol="AES",
            priv_password="priv_password_here",
        ) as mgr:
            descr = await mgr.get("1.3.6.1.2.1.1.1.0")
            print(f"Device: {descr}")

    asyncio.run(main())

Engine Discovery

SNMPv3 requires knowing the remote engine’s ID, boots counter, and time. snmpkit handles this automatically on connect():

    import asyncio
    from snmpkit.manager import Manager

    async def main():
        async with Manager(
            "192.168.1.1",
            version=3,
            user="admin",
            auth_protocol="SHA256",
            auth_password="pass",
        ) as mgr:
            # Discovery happens automatically
            # All operations (get, set, walk, etc.) work with SNMPv3
            value = await mgr.get("1.3.6.1.2.1.1.1.0")

    asyncio.run(main())

Key Derivation

snmpkit automatically handles RFC 3414 key derivation:

  1. Password is hashed using the auth protocol (password_to_key)
  2. Key is localized with the engine ID (localize_key)
  3. Localized key is used for auth/priv operations

This happens transparently after engine discovery.

For advanced use, the low-level functions are available:

    from snmpkit.core import password_to_key, localize_key, password_to_localized_key

    # engine_id is the remote engine's ID, learned during engine discovery

    # Step by step
    master_key = password_to_key("my_password", "SHA256")
    localized = localize_key(master_key, engine_id, "SHA256")

    # Or all at once
    localized = password_to_localized_key("my_password", engine_id, "SHA256")
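
The three derivation steps above, written out with only the standard library as an added example (this is not snmpkit's code; the `rfc3414_*` and `keys_for_engines` names are hypothetical, and applying the same construction to the SHA-2 protocols follows RFC 7860). It shows that one password yields a different localized key for each engine ID, so a key recovered from one agent does not work against another.

```python
import hashlib

# Page protocol strings mapped to hashlib names (SHA-2 per RFC 7860).
_HASHES = {"MD5": "md5", "SHA": "sha1", "SHA224": "sha224",
           "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}


def rfc3414_password_to_key(password: str, protocol: str) -> bytes:
    """Step 1 (RFC 3414 A.2): hash 1,048,576 bytes of the repeated password."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(_HASHES[protocol], pw * reps + pw[:rem]).digest()


def rfc3414_localize_key(master_key: bytes, engine_id: bytes, protocol: str) -> bytes:
    """Step 2: Kul = H(Ku || engineID || Ku), unique per engine."""
    return hashlib.new(_HASHES[protocol], master_key + engine_id + master_key).digest()


def keys_for_engines(password: str, protocol: str, engine_ids: list[bytes]) -> dict[str, str]:
    """Derive the master key once, then one localized key per engine ID."""
    ku = rfc3414_password_to_key(password, protocol)
    return {eid.hex(): rfc3414_localize_key(ku, eid, protocol).hex() for eid in engine_ids}


if __name__ == "__main__":
    # Sample values from RFC 3414 A.3.2, plus a second constructed engine ID.
    rfc_engine = bytes.fromhex("000000000000000000000002")
    other_engine = bytes.fromhex("80001f8880aabbccdd")  # constructed
    for eid, key in keys_for_engines("maplesyrup", "SHA", [rfc_engine, other_engine]).items():
        print(f"engine {eid}: localized key {key}")
```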

Context

SNMPv3 supports contexts for accessing different MIB views:

    import asyncio
    from snmpkit.manager import Manager

    async def main():
        async with Manager(
            "192.168.1.1",
            version=3,
            user="admin",
            auth_protocol="SHA256",
            auth_password="pass",
            context_name="vlan100",
        ) as mgr:
            value = await mgr.get("1.3.6.1.2.1.1.1.0")

    asyncio.run(main())

SNMPv3 Traps

Send authenticated/encrypted traps and informs:

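    import asyncio
    from snmpkit.manager import Manager
    # Value is snmpkit's typed-value class; its import is not shown on this page

    async def main():
        async with Manager(
            "192.168.1.100",
            port=162,
            version=3,
            user="trapuser",
            auth_protocol="SHA256",
            auth_password="auth_pass",
            priv_protocol="AES",
            priv_password="priv_pass",
        ) as mgr:
            await mgr.send_trap(
                trap_oid="1.3.6.1.4.1.12345.0.1",
                varbinds=[("1.3.6.1.4.1.12345.1.1.0", Value.Integer(42))],
            )

    asyncio.run(main())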

Security Best Practices

  1. Always use authPriv — Authentication without encryption exposes data
  2. Use SHA-256 or higher — MD5 and SHA-1 are considered weak
  3. Use AES — DES is easily broken
  4. Use strong passwords — Minimum 16 characters
  5. Rotate credentials — Change passwords periodically
  6. Use unique users — Don’t share credentials across devices

Device Configuration

Net-SNMP (snmpd.conf)

    createUser snmpv3user SHA-256 "auth_password" AES "priv_password"
    rouser snmpv3user priv

Cisco IOS

    snmp-server group v3group v3 priv
    snmp-server user snmpv3user v3group v3 auth sha256 auth_password priv aes 128 priv_password

Juniper Junos

    set snmp v3 usm local-engine user snmpv3user authentication-sha256 authentication-password auth_password
    set snmp v3 usm local-engine user snmpv3user privacy-aes128 privacy-password priv_password

Next Steps

  • Traps — Send and receive SNMPv3 traps
  • Operations — Full API reference