Hi, I am putting this out in search engine space to hopefully prevent somebody from banging their head against this wall. This may be common knowledge to some, but was not to me.
Support for SNMPV3 AES192/256 encryption is specified via the draft standard:
https://tools.ietf.org/html/draft-blumenthal-aes-usm-04
This differs from RFC3826 (SNMPV3 AES 128) in that the locally generated private key has to be extended to actually be 192 or 256 bits. So, the key localization procedure for AES192/256 differs from AES-128.
Support for SNMPV3 3DES encryption is specified via the draft standard:
https://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00
This does key localization differently from AES192/256.
I recently discovered that Cisco SNMPV3 AES192/256 uses the key localization procedure for 3DES (Reeder) and not that specified in the Blumenthal draft standard. I assume Cisco did this because they consider the 3DES key localization an improvement, but this is just a guess.
So, tools like SnmpGet (from SnmpSoft), Pysnmp, and SNMP++ library that support AES192/AES256 do not work with Cisco devices for the AES192/AES256 privacy option. However, the SNMP MIB Browser from the SolarWinds Engineering toolset does work (so, they know about this). I recently changed the key localization method in my local copy of Pysnmp 4.3.2 to use the 3DES method, and then it worked with Cisco devices using SNMPV3 AES192/AES256 (tested under IOS 15.1, and 15.4).
My main question is this: Is the Cisco AES192/AES256 method now the 'de-facto' standard for AES192/AES256 privacy (since Blumenthal and Reeder are both draft standards)? I don't have any non-Cisco devices myself that implement SNMPV3 AES192/AES256; my non-Cisco devices only implement SNMPV3 AES128.
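The two key-extension procedures discussed above, side by side, as an added example that is not part of the original post and is not Pysnmp's code. It follows a reading of the two drafts on top of the RFC 3414 password-to-key algorithm; the function names are hypothetical, and the passphrase and engine ID are the RFC 3414 Appendix A.3 test inputs.

```python
import hashlib

def password_to_key(passphrase: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash exactly 1,048,576 bytes of the repeated passphrase (Ku)."""
    reps, rem = divmod(1048576, len(passphrase))
    return hashlib.new(hash_name, passphrase * reps + passphrase[:rem]).digest()

def localize(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def extend_blumenthal(kul: bytes, key_len: int, hash_name: str = "sha1") -> bytes:
    """draft-blumenthal-aes-usm-04: append H(Kul) until long enough, then truncate."""
    while len(kul) < key_len:
        kul += hashlib.new(hash_name, kul).digest()
    return kul[:key_len]

def extend_reeder(kul: bytes, engine_id: bytes, key_len: int,
                  hash_name: str = "sha1") -> bytes:
    """draft-reeder-snmpv3-usm-3desede-00: feed the localized key back through
    password-to-key and localization, and append the result."""
    key = kul
    while len(key) < key_len:  # one round suffices for MD5/SHA-1 and 24/32-byte keys
        key += localize(password_to_key(key, hash_name), engine_id, hash_name)
    return key[:key_len]

def derive_privacy_keys(passphrase: bytes, engine_id: bytes, key_len: int,
                        hash_name: str = "sha1") -> dict:
    """Return the localized key plus both candidate AES-192/256 privacy keys."""
    kul = localize(password_to_key(passphrase, hash_name), engine_id, hash_name)
    return {
        "kul": kul,
        "blumenthal": extend_blumenthal(kul, key_len, hash_name),
        "reeder": extend_reeder(kul, engine_id, key_len, hash_name),
    }

if __name__ == "__main__":
    # RFC 3414 A.3 test inputs: passphrase "maplesyrup", 12-byte engine ID ending in 0x02
    engine_id = bytes.fromhex("000000000000000000000002")
    keys = derive_privacy_keys(b"maplesyrup", engine_id, 32)  # 32 bytes = AES-256
    for name, value in keys.items():
        print(f"{name:11s} {value.hex()}")
```

Both outputs start with the same localized key and diverge only in the extension bytes, so an agent and a manager that disagree on the procedure authenticate successfully but fail to decrypt each other's AES192/AES256 traffic.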