From: Martijn v. D. <ne...@li...> - 2024-01-27 09:33:01
Nothing stands out to me at first glance. What does running snmpd with
-Dusm give you for extra information?

Sincerely,
Martijn van Duren

On Fri, 2024-01-26 at 10:10 +0000, Vincent Gilson via Net-snmp-coders wrote:
>
> Hello!
>
> I’m working on a net-snmp agent integrated into an industrial embedded system (ARM-based).
> The agent is working perfectly for v1 and v2c, and also with v3 and ‘AuthNoPriv’ mode. I’m doing my tests with SnmpB software as a client.
> But SHA and DES/AES are not working:
>
> My snmpd.conf :
>
> # Listening connections :
> agentAddress udp:161
> #
> # User list :
> createUser myuser MD5 authpass
> rouser myuser
> createUser vincent SHA authpass DES privauthpass
> rwuser vincent priv
>
> A GET of an integer with SNMPv3 works for user “myuser” (configured with ‘authNoPriv’ and empty context info in SnmpB), but it does not work for user “vincent” (configured with ‘authPriv’ in SnmpB): the embedded agent tells me the security level is not supported (OID 1.3.6.1.6.3.15.1.1.1.0, see Wireshark trace below). The same problem occurs with AES.
>
> Why is it not supported?
> I tried different combinations with ‘createUser’, adding ‘priv’ to it, or adding it at the end of ‘rwuser’.
> I didn’t see anything relevant in the snmpd.log, so I guess OpenSSL is correctly loaded.
>
> I don’t know what I’m missing. Could you help me, please?
> Many thanks!
>
> Vincent.
>
> ----->>>
>
> Some useful resources :
>
> My install switches :
>
> ./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \
> --disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \
> --enable-reentrant \
> --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \
> --with-openssl=$(LIB_DIRS) \
> --without-rpm \
> --with-logfile="/tmp/var/snmpd.log" \
> --with-default-snmp-version="3" \
> --with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \
> --with-sys-contact="vin...@ov..." \
> --with-sys-location="Ovarro" \
> --with-persistent-directory="/var/net-snmp" \
> --enable-shared=yes --enable-static=no --enable-tagCC-libtool
>
> Wireshark capture (request of SnmpB, followed by answer from embedded net-snmp agent) :
>
> No. Time Source Destination Protocol Length Info
> 4488 49.862297 10.65.84.14 172.25.110.169 SNMP 183 encryptedPDU: privKey Unknown
>
> Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55 (00:11:22:33:44:55)
> Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169
> User Datagram Protocol, Src Port: 49987, Dst Port: 161
> Simple Network Management Protocol
> msgVersion: snmpv3 (3)
> msgGlobalData
> msgID: 1572876
> msgMaxSize: 4096
> msgFlags: 07
> .... .1.. = Reportable: Set
> .... ..1. = Encrypted: Set
> .... ...1 = Authenticated: Set
> msgSecurityModel: USM (3)
> msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> Engine Enterprise ID: net-snmp (8072)
> Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> Engine ID Data: 1cfa4220
> Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> msgAuthoritativeEngineBoots: 17
> msgAuthoritativeEngineTime: 67315
> msgUserName: vincent
> msgAuthenticationParameters: 90d824057790ccf09d9cdf94
> msgPrivacyParameters: 000000110000904f
> msgData: encryptedPDU (1)
> encryptedPDU: 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…
>
> No. Time Source Destination Protocol Length Info
> 4496 49.945101 172.25.110.169 10.65.84.14 SNMP 154 report 1.3.6.1.6.3.15.1.1.1.0
>
> Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00 (00:05:9a:3c:7a:00)
> Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14
> User Datagram Protocol, Src Port: 161, Dst Port: 49987
> Simple Network Management Protocol
> msgVersion: snmpv3 (3)
> msgGlobalData
> msgID: 1572876
> msgMaxSize: 65507
> msgFlags: 00
> .... .0.. = Reportable: Not set
> .... ..0. = Encrypted: Not set
> .... ...0 = Authenticated: Not set
> msgSecurityModel: USM (3)
> msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> Engine Enterprise ID: net-snmp (8072)
> Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> Engine ID Data: 1cfa4220
> Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> msgAuthoritativeEngineBoots: 17
> msgAuthoritativeEngineTime: 67315
> msgUserName: vincent
> msgAuthenticationParameters: <MISSING>
> msgPrivacyParameters: <MISSING>
> msgData: plaintext (0)
> plaintext
> contextEngineID: 80001f88801cfa42209b6fa665
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> Engine Enterprise ID: net-snmp (8072)
> Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> Engine ID Data: 1cfa4220
> Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> contextName:
> data: report (8)
> report
> request-id: 0
> error-status: noError (0)
> error-index: 0
> variable-bindings: 1 item
> 1.3.6.1.6.3.15.1.1.1.0: 10
> Object Name: (iso.3.6.1.6.3.15.1.1.1.0)
> Value (Counter32): 10
>
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
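
Added example (not part of the thread, and not net-snmp code): a Python helper that reads a Wireshark text dissection like the one quoted above, pairs each SNMPv3 request with the Report that answers it by msgID, and names the requested security level and the usmStats counter the agent returned. The function names and the trimmed `SAMPLE` are constructed for illustration; the counter names are those defined in RFC 3414.

```python
import re

# usmStats counters (RFC 3414, SNMP-USER-BASED-SM-MIB) carried in Report PDUs.
USM_REPORTS = {f"1.3.6.1.6.3.15.1.1.{i}.0": n for i, n in enumerate((
    "usmStatsUnsupportedSecLevels", "usmStatsNotInTimeWindows",
    "usmStatsUnknownUserNames", "usmStatsUnknownEngineIDs",
    "usmStatsWrongDigests", "usmStatsDecryptionErrors"), start=1)}

# Constructed sample: the two messages from the quoted trace, trimmed.
SAMPLE = """\
Simple Network Management Protocol
msgID: 1572876
msgFlags: 07
msgUserName: vincent
Simple Network Management Protocol
msgID: 1572876
msgFlags: 00
msgUserName: vincent
data: report (8)
1.3.6.1.6.3.15.1.1.1.0: 10
"""

def sec_level(flags):
    """msgFlags (RFC 3412): 0x01 auth, 0x02 priv, 0x04 reportable."""
    auth, priv = flags & 0x01, flags & 0x02
    if priv and not auth:
        return "invalid"  # privacy without authentication is not allowed
    return "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"

def parse_messages(text):
    """One dict per SNMPv3 message found in a Wireshark text dissection."""
    msgs = []
    for blk in re.split(r"(?m)^[> \t]*Simple Network Management Protocol[ \t]*$", text)[1:]:
        oid = re.search(r"(1\.3\.6\.1\.6\.3\.15\.1\.1\.\d\.0): \d+", blk)
        msgs.append({
            "id": int(re.search(r"msgID: (\d+)", blk).group(1)),
            "flags": int(re.search(r"msgFlags: ([0-9a-fA-F]{2})", blk).group(1), 16),
            "user": re.search(r"msgUserName: (\S*)", blk).group(1),
            "report": USM_REPORTS.get(oid.group(1)) if oid else None,
        })
    return msgs

def triage(text):
    """(user, requested level, usmStats counter) for each rejected request."""
    msgs = parse_messages(text)
    reqs = {m["id"]: m for m in msgs if not m["report"]}
    return [(reqs[m["id"]]["user"], sec_level(reqs[m["id"]]["flags"]), m["report"])
            for m in msgs if m["report"] and m["id"] in reqs]
```

On the sample, `triage(SAMPLE)` reports that user `vincent` asked for `authPriv` and the agent answered with `usmStatsUnsupportedSecLevels`.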