Fix SNMP v3 implementation for best practices?

mikebutash

I was setting up monitoring for the device using SNMP v3, and was sad at your implementation that insists on using the same password as the encryption key as well counter to best practices for SNMP.

As defined in the best practices guide defined here at snmp.com, section 4.1:

"Each human operator should also have unique pass phrases for authentication and privacy. These pass phrases should be different from those used for server logins. Also, these pass phrases should be different for each authentication and privacy protocol. "

While not psirt worthy, you only got half of the intended use correct in your implementation. Auth hash and encryption keys should to be different.

You're not the only vendor to get the implementation wrong either at least (cough, Meraki), but would be nice to get on the road map a proper fix to allow for separate username, auth hash, and priv encryption keys separate as the best practices intend.

Zyxel_Judy

Hi @mikebutash ,

Thank you for your feedback.

At the present, the pass phrase can be configured different from each user, however it is the same for authentication and privacy. For best practices, we would like to propose pass phrases should be different for each authentication and privacy as an idea for evaluation. You can find the link to the idea section below:

SNMPv3: Pass phrases should be different for each authentication and privacy. — Zyxel Community

Thank you for using Zyxel product. We appreciate your feedback and suggestions to help us improve our product.