net-snmp-coders — Discussion of internal project coding (Please use this OR -users, NOT both!)

RE: SNMPv3 DES issue

[Vincent G. <vin...@ov...>]

Hi Martijn and Niels,

Thanks both for your ideas, it allows me to sort out my problem !

Niels : indeed you’re right, it appears using only rouser/rwuser without access/group/view directives is not enough for user to be correcty created. Online help seems to say so, but it didn’t work. Anyway, I changed this and create proper access directives for my users.

Martijn : tanks for your research, they help me to find out that I need to populate the /var/net-snmp/snmpv3d.conf with my own createUser directive (for this, online help tells a “should”, for in my case it’s a “must”).
It appears net-snmp fill this file itself if it doesn’t exist, and so net-snmp take another path for creating the user. This is different if this file exists, because in this case net-snmp let this file as it is.
I don’t have too many time to dig further and fine tune this currently, so it’s OK for a first.

Kind regards,

Vincent

De : Martijn van Duren <ne...@li...>
Envoyé : mardi 30 janvier 2024 12:33
À : Vincent Gilson <vin...@ov...>
Cc : net...@li...
Objet : Re: SNMPv3 DES issue

[You don't often get email from ne...@li.... Learn why this is important at https://aka.ms/LearnAboutSend͏​​‌͏
[External email]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b8de80253a8cb0905d310d&lang=en>
[Contains topics of a financial nature]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b8de80253a8cb0905d310d&lang=en>


[You don't often get email from ne...@li...<mailto:ne...@li...>. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]



I've tried to read up on net-snmp's USM internals and match it to your

log, but everything I see suggests that the user is created with the

correct privacy protocol. So unless you accidentally edited the file

before stopping your daemon I'm out of my league here.



Maybe you can add your own logging to snmplib/snmpusm.c and try to

figure out where the privProtocol changes or where a faulty usmUser

is written to /var/net-snmp/snmpv3d.conf.



Martijn



On Tue, 2024-01-30 at 10:12 +0000, Vincent Gilson wrote:

>

>

>

>

> Hi Martijn,

>

> Yes, it helps, thanks ! It teaches me things (I’m brand new to the world of SNMP/net-snmp), and it clearly confirms that I’ve a problem with the creation of my user.

>

> I would like to keep the creation inside the conf file, but… well…

> I tried to play with different combinations inside my conf file -regarding the order- of createUser/group/view/access/rwuser, and nothing seems to work, and it seems/var/net-snmp/snmpv3d.conf is still building its file with “10.1.2.1" withusmNoPrivProtocol OID, even after having deleted it manually as you suggested.

>

> I didn’t try snmpusm, I didn’t build it (yet).

>

> ----

> agentAddress udp:161

>

> createUser vincent SHA "myPassPhrase" DES "myPrivAuthPhrase"

> group grouptboxusmv3 usm vincent

> view viewalltboxmibs included .1

> access grouptboxusmv3 "" any priv exact viewalltboxmibs viewalltboxmibs none

> rwuser -s usm vincent priv -V viewalltboxmibs

>

>

>

>

>

>

> De : Martijn van Duren <ne...@li...<mailto:ne...@li...>>

> Envoyé : lundi 29 janvier 2024 18:28

> À : Vincent Gilson <vin...@ov...<mailto:vin...@ov...>>

> Cc : net...@li...<mailto:net...@li...>

> Objet : Re: SNMPv3 DES issue

>

>

>

>

> [You don't often get email from ne...@li...<mailto:ne...@li...>. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

>

> Hello Vincent,

>

> Small disclaimer: I'm the maintainer of OpenBSD's snmp stack and not

> too familiar with the net-snmp's quirks.

>

> That out of the way I think I have a decent idea where the problem

> comes from and would be more clear if you load the

> SNMP-USER-BASED-SM-MIB for more human readable output.

>

> If you look at the following line from the highlights you'll find:

> > usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2,

> > User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1

> Where SNMPv2-SMI::snmpModules.10.1.2.1 is

> SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol. This means that your user

> is created without a privacy option.

> Looking a bit up we find:

> > read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1

> > 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL

> > .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38

> > .1.3.6.1.6.3.10.1.2.1 0x 0x

> Where the last OID is the same usmNoPrivProtocol.

>

> So here's my speculation: I've always been told that using createUser

> inside the conf file works, but can cause problems. I think you've hit

> one of those problems and that you've created the user Vincent before

> without a privacy option and it doesn't update its internal definition.

> My solution (again, not sure if this is the best way) is to either

> manually remove the appropriate usmUser line from

> /var/net-snmp/snmpv3d.conf (after stopping the daemon), or try to

> remove it over the wire via snmpusm(1) (not sure if this works with

> your daemon) and restart your daemon.

>

> Hope this helps.

>

> Martijn

>

> On Mon, 2024-01-29 at 13:08 +0000, Vincent Gilson wrote:

> >

> >

> >

> > Hi Martijn,

> >

> > Thanks for your feedback!

> >

> > I’m not using the snmpd command line daemon as I handle it in my own Linux application, so I couldn’t start it with -Dusm. But I’m guessing calling debug_enable_token_logs("usm"); in my application could do the trick… Anyway, I activated the (debug) logs, and the user ‘vincent’ seems to be created correctly, but I’m not sure.

> >

> > The request frame tells ‘unsupported security level’, which confirms it, but I still don’t know why.

> >

> > Any ideas ?

> >

> > ((( I put what seems important to me at first (see “highlights” below), but I may have missed something so I added more details (see “In details “) under it. )))

> >

> > Regards,

> > Vincent.

> >

> > =================================================================

> > Highlights :

> > ============

> >

> > -------------------------

> > Reading config file :

> > -------------------------

> >

> > read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase

> > …

> > read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase

> > …

> > 9:usmUser: truncating privKeyLen from 20 to 16

> > trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:

> > usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65

> > …

> > read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv

> > trace: run_config_handler(): read_config.c, 543:

> > read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv

> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:

> > rwuser: setting auth level: "priv"

> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:

> > rwuser: passing: group grpvincent usm "vincent"

> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:

> > rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_

> > …

> > read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x

> > trace: run_config_handler(): read_config.c, 563:

> > 9:read_config:parser: usmUser handler not registered for this time

> > …

> >

> > -------------------------

> > Request handling :

> > -------------------------

> > usm: match on user vincent

> > trace: usm_check_secLevel(): snmpusm.c, 2738:

> > comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1

> > trace: usm_check_secLevel(): snmpusm.c, 2747:

> > usm: Level: 3

> > trace: usm_check_secLevel(): snmpusm.c, 2748:

> > usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1

> > trace: usm_process_in_msg(): snmpusm.c, 2980:

> > usm: Unsupported Security Level (3).

> > trace: snmpv3_parse(): snmp_api.c, 3994:

> > dumph_recv:     ScopedPDU

> > trace: _snmp_parse(): snmp_api.c, 4401:

> > snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)

> >

> >

> >

> > =================================================================

> > =================================================================

> > =================================================================

> > In details :

> > ============

> >

> > trace: read_config(): read_config.c, 853:

> > 9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase

> > trace: read_config(): read_config.c, 981:

> > read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase

> > trace: run_config_handler(): read_config.c, 543:

> > read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase

> > trace: sc_get_auth_oid(): scapi.c, 417:

> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> > trace: sc_get_authtype(): scapi.c, 341:

> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> > trace: sc_get_openssl_hashfn(): scapi.c, 634:

> > trace: sc_get_authtype(): scapi.c, 341:

> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> > trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:

> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> > trace: sc_get_authtype(): scapi.c, 341:

> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> > trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:

> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> > trace: sc_hash(): scapi.c, 889:

> > trace: sc_get_authtype(): scapi.c, 341:

> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> > trace: sc_hash_type(): scapi.c, 942:

> > trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:

> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> > trace: sc_get_openssl_hashfn(): scapi.c, 634:

> > trace: usm_create_usmUser_from_string(): snmpusm.c, 4655:

> > 9:usmUser: privProtocol DES

> > trace: sc_get_priv_alg_bytype(): scapi.c, 248:

> > trace: usm_create_usmUser_from_string(): snmpusm.c, 4662:

> > 9:usmUser: pai usmDESPrivProtocol

> > trace: sc_get_authtype(): scapi.c, 341:

> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> > trace: sc_get_openssl_hashfn(): scapi.c, 634:

> > trace: sc_get_authtype(): scapi.c, 341:

> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> > trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:

> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> > trace: sc_hash(): scapi.c, 889:

> > trace: sc_get_authtype(): scapi.c, 341:

> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> > trace: sc_hash_type(): scapi.c, 942:

> > trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:

> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> > trace: sc_get_openssl_hashfn(): scapi.c, 634:

> > trace: usm_create_usmUser_from_string(): snmpusm.c, 4779:

> > 9:usmUser: truncating privKeyLen from 20 to 16

> > trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:

> > usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65

> > trace: read_config(): read_config.c, 853:

> > 9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv

> > trace: read_config(): read_config.c, 981:

> > read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv

> > trace: run_config_handler(): read_config.c, 543:

> > read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv

> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:

> > rwuser: setting auth level: "priv"

> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:

> > rwuser: passing: group grpvincent usm "vincent"

> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:

> > rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_

> >

> > …

> >

> > 9:read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x

> > trace: read_config(): read_config.c, 981:

> > read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x

> > trace: run_config_handler(): read_config.c, 563:

> > 9:read_config:parser: usmUser handler not registered for this time

> >

> > …

> >

> > usm: match on user vincent

> > trace: usm_check_secLevel(): snmpusm.c, 2738:

> > comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1

> > trace: usm_check_secLevel(): snmpusm.c, 2747:

> > usm: Level: 3

> > trace: usm_check_secLevel(): snmpusm.c, 2748:

> > usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1

> > trace: usm_process_in_msg(): snmpusm.c, 2980:

> > usm: Unsupported Security Level (3).

> > trace: snmpv3_parse(): snmp_api.c, 3994:

> > dumph_recv:     ScopedPDU

> > trace: _snmp_parse(): snmp_api.c, 4401:

> > snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)

> >

> >

> >

> >

> >

> >

> >

> >

> >

> > De : Martijn van Duren <ne...@li...<mailto:ne...@li...>>

> > Envoyé : samedi 27 janvier 2024 10:33

> > À : Vincent Gilson <vin...@ov...<mailto:vin...@ov...>>; net...@li...<mailto:net...@li...>

> > Objet : Re: SNMPv3 DES issue

> >

> >

> >

> >

> > [You don't often get email from ne...@li...<mailto:ne...@li...>. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

> >

> > ATTENTION : cet email a été envoyé par une source externe à notre enterprise. Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes si vous ne connaissez pas l'expéditeur et n'êtes pas sûrs du contenu.

> >

> >

> > Nothing stands out to me at a first glance. What does running snmpd with

> > -Dusm give you for extra information?

> >

> > Sincerely,

> >

> > Martijn van Duren

> >

> > On Fri, 2024-01-26 at 10:10 +0000, Vincent Gilson via Net-snmp-coders wrote:

> > >

> > >

> > >

> > > Hello !

> > >

> > > I’m working on a net-snmp agent integrated into an industrial embedded system (ARM-based).

> > > The agent is working perfectly for v1 and v2c, and also with v3 and ‘AuthNoPriv’ mode. I’m doing my tests with SnmpB software as a client.

> > > But SHA and DES/AES is not working :

> > >

> > > My snmpd.conf :

> > >

> > > # Listening connections :

> > > agentAddress udp:161

> > > #

> > > # User list :

> > > createUser myuser MD5 authpass

> > > rouser myuser

> > > createUser vincent SHA authpass DES privauthpass

> > > rwuser vincent priv

> > >

> > > GET an integer with SNMPv3 is working for user “myuser” (configured with ‘authNoPriv’ and empty context info in SnmpB) , but that is not working for user “vincent" (configured with ‘authPriv’ in SnmpB)  : embedded agent returns me the security level is not supported (oid 1.3.6.1.6.3.15.1.1.1.0, see wireshark trace below) . Same problem occurs with AES.

> > >

> > > Why is it not supported ?

> > > I tried different combinations with ‘createUser’ adding ‘priv’ on it, or add it at the end of ‘rwuser’

> > > I didn’t see something relevant into the snmpd.log, so I guess the openssl is correctly loaded.

> > >

> > > I don’t know what I’m missing. Could you help me please ?

> > > Many thanks !

> > >

> > > Vincent.

> > >

> > > ----->>>

> > >

> > > Some useful resources :

> > >

> > > My install switches :

> > >

> > > ./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \

> > > --disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \

> > > --enable-reentrant \

> > > --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \

> > > --with-openssl=$(LIB_DIRS) \

> > > --without-rpm \

> > > --with-logfile="/tmp/var/snmpd.log" \

> > > --with-default-snmp-version="3" \

> > > --with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \

> > > --with-sys-contact="vin...@ov...<mailto:vin...@ov...>" \

> > > --with-sys-location="Ovarro" \

> > > --with-persistent-directory="/var/net-snmp" \

> > > --enable-shared=yes --enable-static=no --enable-tagCC-libtool

> > >

> > > Wireshark capture (request of SnmpB, followed by answer from embedded net-snmp agent) :

> > >

> > > No.     Time           Source                Destination           Protocol Length Info

> > >      4488 49.862297      10.65.84.14           172.25.110.169        SNMP     183    encryptedPDU: privKey Unknown

> > >

> > > Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0

> > > Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55 (00:11:22:33:44:55)

> > > Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169

> > > User Datagram Protocol, Src Port: 49987, Dst Port: 161

> > > Simple Network Management Protocol

> > >       msgVersion: snmpv3 (3)

> > >       msgGlobalData

> > >           msgID: 1572876

> > >           msgMaxSize: 4096

> > >           msgFlags: 07

> > >               .... .1.. = Reportable: Set

> > >               .... ..1. = Encrypted: Set

> > >               .... ...1 = Authenticated: Set

> > >           msgSecurityModel: USM (3)

> > >       msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665

> > >           1... .... = Engine ID Conformance: RFC3411 (SNMPv3)

> > >           Engine Enterprise ID: net-snmp (8072)

> > >           Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random

> > >           Engine ID Data: 1cfa4220

> > >           Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid

> > >       msgAuthoritativeEngineBoots: 17

> > >       msgAuthoritativeEngineTime: 67315

> > >       msgUserName: vincent

> > >       msgAuthenticationParameters: 90d824057790ccf09d9cdf94

> > >       msgPrivacyParameters: 000000110000904f

> > >       msgData: encryptedPDU (1)

> > >           encryptedPDU: 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…

> > >

> > > No.     Time           Source                Destination           Protocol Length Info

> > >      4496 49.945101      172.25.110.169        10.65.84.14           SNMP     154    report 1.3.6.1.6.3.15.1.1.1.0

> > >

> > > Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0

> > > Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00 (00:05:9a:3c:7a:00)

> > > Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14

> > > User Datagram Protocol, Src Port: 161, Dst Port: 49987

> > > Simple Network Management Protocol

> > >       msgVersion: snmpv3 (3)

> > >       msgGlobalData

> > >           msgID: 1572876

> > >           msgMaxSize: 65507

> > >           msgFlags: 00

> > >               .... .0.. = Reportable: Not set

> > >               .... ..0. = Encrypted: Not set

> > >               .... ...0 = Authenticated: Not set

> > >           msgSecurityModel: USM (3)

> > >       msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665

> > >           1... .... = Engine ID Conformance: RFC3411 (SNMPv3)

> > >           Engine Enterprise ID: net-snmp (8072)

> > >           Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random

> > >           Engine ID Data: 1cfa4220

> > >           Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid

> > >       msgAuthoritativeEngineBoots: 17

> > >       msgAuthoritativeEngineTime: 67315

> > >       msgUserName: vincent

> > >       msgAuthenticationParameters: <MISSING>

> > >       msgPrivacyParameters: <MISSING>

> > >       msgData: plaintext (0)

> > >           plaintext

> > >               contextEngineID: 80001f88801cfa42209b6fa665

> > >                   1... .... = Engine ID Conformance: RFC3411 (SNMPv3)

> > >                   Engine Enterprise ID: net-snmp (8072)

> > >                   Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random

> > >                   Engine ID Data: 1cfa4220

> > >                   Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid

> > >               contextName:

> > >               data: report (8)

> > >                   report

> > >                       request-id: 0

> > >                       error-status: noError (0)

> > >                       error-index: 0

> > >                       variable-bindings: 1 item

> > >                           1.3.6.1.6.3.15.1.1.1.0: 10

> > >                               Object Name:

> > >

> > >    (iso.3.6.1.6.3.15.1.1.1.0)

> > >                               Value (Counter32): 10

> > >

> > >

> > > _______________________________________________

> > > Net-snmp-coders mailing list

> > > Net...@li...<mailto:Net...@li...>

> > > https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

> >

>

Re: SNMPv3 DES issue

[Martijn v. D. <ne...@li...>]

I've tried to read up on net-snmp's USM internals and match it to your
log, but everything I see suggests that the user is created with the
correct privacy protocol. So unless you accidentally edited the file
before stopping your daemon I'm out of my league here.

Maybe you can add your own logging to snmplib/snmpusm.c and try to
figure out where the privProtocol changes or where a faulty usmUser
is written to /var/net-snmp/snmpv3d.conf.

Martijn

On Tue, 2024-01-30 at 10:12 +0000, Vincent Gilson wrote:
> 
> 
> 
>  
> Hi Martijn,
>  
> Yes, it helps, thanks ! It teaches me things (I’m brand new to the world of SNMP/net-snmp), and it clearly confirms that I’ve a problem with the creation of my user.
>  
> I would like to keep the creation inside the conf file, but… well…
> I tried to play with different combinations inside my conf file -regarding the order- of createUser/group/view/access/rwuser, and nothing seems to work, and it seems/var/net-snmp/snmpv3d.conf is still building its file with “10.1.2.1" withusmNoPrivProtocol OID, even after having deleted it manually as you suggested.
>  
> I didn’t try snmpusm, I didn’t build it (yet).
>  
> ----
> agentAddress udp:161
>  
> createUser vincent SHA "myPassPhrase" DES "myPrivAuthPhrase"
> group grouptboxusmv3 usm vincent
> view viewalltboxmibs included .1
> access grouptboxusmv3 "" any priv exact viewalltboxmibs viewalltboxmibs none
> rwuser -s usm vincent priv -V viewalltboxmibs
>  
>  
> 
> 
> 
> 
> De : Martijn van Duren <ne...@li...>
> Envoyé : lundi 29 janvier 2024 18:28
> À : Vincent Gilson <vin...@ov...>
> Cc : net...@li...
> Objet : Re: SNMPv3 DES issue
>  
> 
> 
>  
> [You don't often get email from ne...@li.... Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>  
> Hello Vincent,
>  
> Small disclaimer: I'm the maintainer of OpenBSD's snmp stack and not
> too familiar with the net-snmp's quirks.
>  
> That out of the way I think I have a decent idea where the problem
> comes from and would be more clear if you load the
> SNMP-USER-BASED-SM-MIB for more human readable output.
>  
> If you look at the following line from the highlights you'll find:
> > usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2,
> > User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
> Where SNMPv2-SMI::snmpModules.10.1.2.1 is
> SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol. This means that your user
> is created without a privacy option.
> Looking a bit up we find:
> > read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1
> > 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL
> > .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38
> > .1.3.6.1.6.3.10.1.2.1 0x 0x
> Where the last OID is the same usmNoPrivProtocol.
>  
> So here's my speculation: I've always been told that using createUser
> inside the conf file works, but can cause problems. I think you've hit
> one of those problems and that you've created the user Vincent before
> without a privacy option and it doesn't update its internal definition.
> My solution (again, not sure if this is the best way) is to either
> manually remove the appropriate usmUser line from
> /var/net-snmp/snmpv3d.conf (after stopping the daemon), or try to
> remove it over the wire via snmpusm(1) (not sure if this works with
> your daemon) and restart your daemon.
>  
> Hope this helps.
>  
> Martijn
>  
> On Mon, 2024-01-29 at 13:08 +0000, Vincent Gilson wrote:
> >  
> >  
> >  
> > Hi Martijn,
> >  
> > Thanks for your feedback!
> >  
> > I’m not using the snmpd command line daemon as I handle it in my own Linux application, so I couldn’t start it with -Dusm. But I’m guessing calling debug_enable_token_logs("usm"); in my application could do the trick… Anyway, I activated the (debug) logs, and the user ‘vincent’ seems to be created correctly, but I’m not sure.
> >  
> > The request frame tells ‘unsupported security level’, which confirms it, but I still don’t know why.
> >  
> > Any ideas ?
> >  
> > ((( I put what seems important to me at first (see “highlights” below), but I may have missed something so I added more details (see “In details “) under it. )))
> >  
> > Regards,
> > Vincent.
> >  
> > =================================================================
> > Highlights :
> > ============
> >  
> > -------------------------
> > Reading config file :
> > -------------------------
> >  
> > read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
> > …
> > read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase
> > …
> > 9:usmUser: truncating privKeyLen from 20 to 16
> > trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
> > usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
> > …
> > read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
> > trace: run_config_handler(): read_config.c, 543:
> > read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv
> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
> > rwuser: setting auth level: "priv"
> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
> > rwuser: passing: group grpvincent usm "vincent"
> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
> > rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_
> > …
> > read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
> > trace: run_config_handler(): read_config.c, 563:
> > 9:read_config:parser: usmUser handler not registered for this time
> > …
> >  
> > -------------------------
> > Request handling :
> > -------------------------
> > usm: match on user vincent
> > trace: usm_check_secLevel(): snmpusm.c, 2738:
> > comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
> > trace: usm_check_secLevel(): snmpusm.c, 2747:
> > usm: Level: 3
> > trace: usm_check_secLevel(): snmpusm.c, 2748:
> > usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
> > trace: usm_process_in_msg(): snmpusm.c, 2980:
> > usm: Unsupported Security Level (3).
> > trace: snmpv3_parse(): snmp_api.c, 3994:
> > dumph_recv:     ScopedPDU
> > trace: _snmp_parse(): snmp_api.c, 4401:
> > snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)
> >  
> >  
> >  
> > =================================================================
> > =================================================================
> > =================================================================
> > In details :
> > ============
> >  
> > trace: read_config(): read_config.c, 853:
> > 9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
> > trace: read_config(): read_config.c, 981:
> > read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
> > trace: run_config_handler(): read_config.c, 543:
> > read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase
> > trace: sc_get_auth_oid(): scapi.c, 417:
> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> > trace: sc_get_authtype(): scapi.c, 341:
> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> > trace: sc_get_openssl_hashfn(): scapi.c, 634:
> > trace: sc_get_authtype(): scapi.c, 341:
> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> > trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> > trace: sc_get_authtype(): scapi.c, 341:
> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> > trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> > trace: sc_hash(): scapi.c, 889:
> > trace: sc_get_authtype(): scapi.c, 341:
> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> > trace: sc_hash_type(): scapi.c, 942:
> > trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> > trace: sc_get_openssl_hashfn(): scapi.c, 634:
> > trace: usm_create_usmUser_from_string(): snmpusm.c, 4655:
> > 9:usmUser: privProtocol DES
> > trace: sc_get_priv_alg_bytype(): scapi.c, 248:
> > trace: usm_create_usmUser_from_string(): snmpusm.c, 4662:
> > 9:usmUser: pai usmDESPrivProtocol
> > trace: sc_get_authtype(): scapi.c, 341:
> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> > trace: sc_get_openssl_hashfn(): scapi.c, 634:
> > trace: sc_get_authtype(): scapi.c, 341:
> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> > trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> > trace: sc_hash(): scapi.c, 889:
> > trace: sc_get_authtype(): scapi.c, 341:
> > trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> > trace: sc_hash_type(): scapi.c, 942:
> > trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> > trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> > trace: sc_get_openssl_hashfn(): scapi.c, 634:
> > trace: usm_create_usmUser_from_string(): snmpusm.c, 4779:
> > 9:usmUser: truncating privKeyLen from 20 to 16
> > trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
> > usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
> > trace: read_config(): read_config.c, 853:
> > 9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
> > trace: read_config(): read_config.c, 981:
> > read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
> > trace: run_config_handler(): read_config.c, 543:
> > read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv
> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
> > rwuser: setting auth level: "priv"
> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
> > rwuser: passing: group grpvincent usm "vincent"
> > trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
> > rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_
> >  
> > …
> >  
> > 9:read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
> > trace: read_config(): read_config.c, 981:
> > read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
> > trace: run_config_handler(): read_config.c, 563:
> > 9:read_config:parser: usmUser handler not registered for this time
> >  
> > …
> >  
> > usm: match on user vincent
> > trace: usm_check_secLevel(): snmpusm.c, 2738:
> > comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
> > trace: usm_check_secLevel(): snmpusm.c, 2747:
> > usm: Level: 3
> > trace: usm_check_secLevel(): snmpusm.c, 2748:
> > usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
> > trace: usm_process_in_msg(): snmpusm.c, 2980:
> > usm: Unsupported Security Level (3).
> > trace: snmpv3_parse(): snmp_api.c, 3994:
> > dumph_recv:     ScopedPDU
> > trace: _snmp_parse(): snmp_api.c, 4401:
> > snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)
> >  
> >  
> >  
> >  
> >  
> >  
> >  
> >  
> >  
> > De : Martijn van Duren <ne...@li...>
> > Envoyé : samedi 27 janvier 2024 10:33
> > À : Vincent Gilson <vin...@ov...>; net...@li...
> > Objet : Re: SNMPv3 DES issue
> >  
> >  
> >  
> >  
> > [You don't often get email from ne...@li.... Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
> >  
> > ATTENTION : cet email a été envoyé par une source externe à notre enterprise. Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes si vous ne connaissez pas l'expéditeur et n'êtes pas sûrs du contenu.
> >  
> >  
> > Nothing stands out to me at a first glance. What does running snmpd with
> > -Dusm give you for extra information?
> >  
> > Sincerely,
> >  
> > Martijn van Duren
> >  
> > On Fri, 2024-01-26 at 10:10 +0000, Vincent Gilson via Net-snmp-coders wrote:
> > > 
> > > 
> > > 
> > > Hello !
> > > 
> > > I’m working on a net-snmp agent integrated into an industrial embedded system (ARM-based).
> > > The agent is working perfectly for v1 and v2c, and also with v3 and ‘AuthNoPriv’ mode. I’m doing my tests with SnmpB software as a client.
> > > But SHA and DES/AES is not working :
> > > 
> > > My snmpd.conf :
> > > 
> > > # Listening connections :
> > > agentAddress udp:161
> > > #
> > > # User list :
> > > createUser myuser MD5 authpass
> > > rouser myuser
> > > createUser vincent SHA authpass DES privauthpass
> > > rwuser vincent priv
> > > 
> > > GET an integer with SNMPv3 is working for user “myuser” (configured with ‘authNoPriv’ and empty context info in SnmpB) , but that is not working for user “vincent" (configured with ‘authPriv’ in SnmpB)  : embedded agent returns me the security level is not supported (oid 1.3.6.1.6.3.15.1.1.1.0, see wireshark trace below) . Same problem occurs with AES.
> > > 
> > > Why is it not supported ?
> > > I tried different combinations with ‘createUser’ adding ‘priv’ on it, or add it at the end of ‘rwuser’
> > > I didn’t see something relevant into the snmpd.log, so I guess the openssl is correctly loaded.
> > > 
> > > I don’t know what I’m missing. Could you help me please ?
> > > Many thanks !
> > > 
> > > Vincent.
> > > 
> > > ----->>>
> > > 
> > > Some useful resources :
> > > 
> > > My install switches :
> > > 
> > > ./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \
> > > --disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \
> > > --enable-reentrant \
> > > --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \
> > > --with-openssl=$(LIB_DIRS) \
> > > --without-rpm \
> > > --with-logfile="/tmp/var/snmpd.log" \
> > > --with-default-snmp-version="3" \
> > > --with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \
> > > --with-sys-contact="vin...@ov..." \
> > > --with-sys-location="Ovarro" \
> > > --with-persistent-directory="/var/net-snmp" \
> > > --enable-shared=yes --enable-static=no --enable-tagCC-libtool
> > > 
> > > Wireshark capture (request of SnmpB, followed by answer from embedded net-snmp agent) :
> > > 
> > > No.     Time           Source                Destination           Protocol Length Info
> > >      4488 49.862297      10.65.84.14           172.25.110.169        SNMP     183    encryptedPDU: privKey Unknown
> > > 
> > > Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> > > Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55 (00:11:22:33:44:55)
> > > Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169
> > > User Datagram Protocol, Src Port: 49987, Dst Port: 161
> > > Simple Network Management Protocol
> > >       msgVersion: snmpv3 (3)
> > >       msgGlobalData
> > >           msgID: 1572876
> > >           msgMaxSize: 4096
> > >           msgFlags: 07
> > >               .... .1.. = Reportable: Set
> > >               .... ..1. = Encrypted: Set
> > >               .... ...1 = Authenticated: Set
> > >           msgSecurityModel: USM (3)
> > >       msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
> > >           1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> > >           Engine Enterprise ID: net-snmp (8072)
> > >           Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> > >           Engine ID Data: 1cfa4220
> > >           Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> > >       msgAuthoritativeEngineBoots: 17
> > >       msgAuthoritativeEngineTime: 67315
> > >       msgUserName: vincent
> > >       msgAuthenticationParameters: 90d824057790ccf09d9cdf94
> > >       msgPrivacyParameters: 000000110000904f
> > >       msgData: encryptedPDU (1)
> > >           encryptedPDU: 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…
> > > 
> > > No.     Time           Source                Destination           Protocol Length Info
> > >      4496 49.945101      172.25.110.169        10.65.84.14           SNMP     154    report 1.3.6.1.6.3.15.1.1.1.0
> > > 
> > > Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> > > Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00 (00:05:9a:3c:7a:00)
> > > Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14
> > > User Datagram Protocol, Src Port: 161, Dst Port: 49987
> > > Simple Network Management Protocol
> > >       msgVersion: snmpv3 (3)
> > >       msgGlobalData
> > >           msgID: 1572876
> > >           msgMaxSize: 65507
> > >           msgFlags: 00
> > >               .... .0.. = Reportable: Not set
> > >               .... ..0. = Encrypted: Not set
> > >               .... ...0 = Authenticated: Not set
> > >           msgSecurityModel: USM (3)
> > >       msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
> > >           1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> > >           Engine Enterprise ID: net-snmp (8072)
> > >           Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> > >           Engine ID Data: 1cfa4220
> > >           Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> > >       msgAuthoritativeEngineBoots: 17
> > >       msgAuthoritativeEngineTime: 67315
> > >       msgUserName: vincent
> > >       msgAuthenticationParameters: <MISSING>
> > >       msgPrivacyParameters: <MISSING>
> > >       msgData: plaintext (0)
> > >           plaintext
> > >               contextEngineID: 80001f88801cfa42209b6fa665
> > >                   1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> > >                   Engine Enterprise ID: net-snmp (8072)
> > >                   Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> > >                   Engine ID Data: 1cfa4220
> > >                   Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> > >               contextName:
> > >               data: report (8)
> > >                   report
> > >                       request-id: 0
> > >                       error-status: noError (0)
> > >                       error-index: 0
> > >                       variable-bindings: 1 item
> > >                           1.3.6.1.6.3.15.1.1.1.0: 10
> > >                               Object Name:
> > > 
> > >    (iso.3.6.1.6.3.15.1.1.1.0)
> > >                               Value (Counter32): 10
> > > 
> > > 
> > > _______________________________________________
> > > Net-snmp-coders mailing list
> > > Net...@li...
> > > https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
> >  
>  

RE: SNMPv3 DES issue

[Vincent G. <vin...@ov...>]

Hi Martijn,

Yes, it helps, thanks ! It teaches me things (I’m brand new to the world of SNMP/net-snmp), and it clearly confirms that I’ve a problem with the creation of my user.

I would like to keep the creation inside the conf file, but… well…
I tried to play with different combinations inside my conf file -regarding the order- of createUser/group/view/access/rwuser, and nothing seems to work, and it seems /var/net-snmp/snmpv3d.conf is still building its file with “10.1.2.1" with usmNoPrivProtocol OID, even after having deleted it manually as you suggested.

I didn’t try snmpusm, I didn’t build it (yet).

----
agentAddress udp:161

createUser vincent SHA "myPassPhrase" DES "myPrivAuthPhrase"
group grouptboxusmv3 usm vincent
view viewalltboxmibs included .1
access grouptboxusmv3 "" any priv exact viewalltboxmibs viewalltboxmibs none
rwuser -s usm vincent priv -V viewalltboxmibs


De : Martijn van Duren <ne...@li...>
Envoyé : lundi 29 janvier 2024 18:28
À : Vincent Gilson <vin...@ov...>
Cc : net...@li...
Objet : Re: SNMPv3 DES issue

[You don't often get email from ne...@li.... Learn why this is important at https://aka.ms/LearnAboutSend͏​​‌͏
[External email]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b7e03ff85fcc9575c14257&lang=en>
[Contains topics of a financial nature]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b7e03ff85fcc9575c14257&lang=en>


[You don't often get email from ne...@li...<mailto:ne...@li...>. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]



Hello Vincent,



Small disclaimer: I'm the maintainer of OpenBSD's snmp stack and not

too familiar with the net-snmp's quirks.



That out of the way I think I have a decent idea where the problem

comes from and would be more clear if you load the

SNMP-USER-BASED-SM-MIB for more human readable output.



If you look at the following line from the highlights you'll find:

> usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2,

> User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1

Where SNMPv2-SMI::snmpModules.10.1.2.1 is

SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol. This means that your user

is created without a privacy option.

Looking a bit up we find:

> read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1

> 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL

> .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38

> .1.3.6.1.6.3.10.1.2.1 0x 0x

Where the last OID is the same usmNoPrivProtocol.



So here's my speculation: I've always been told that using createUser

inside the conf file works, but can cause problems. I think you've hit

one of those problems and that you've created the user Vincent before

without a privacy option and it doesn't update its internal definition.

My solution (again, not sure if this is the best way) is to either

manually remove the appropriate usmUser line from

/var/net-snmp/snmpv3d.conf (after stopping the daemon), or try to

remove it over the wire via snmpusm(1) (not sure if this works with

your daemon) and restart your daemon.



Hope this helps.



Martijn



On Mon, 2024-01-29 at 13:08 +0000, Vincent Gilson wrote:

>

>

>

> Hi Martijn,

>

> Thanks for your feedback!

>

> I’m not using the snmpd command line daemon as I handle it in my own Linux application, so I couldn’t start it with -Dusm. But I’m guessing calling debug_enable_token_logs("usm"); in my application could do the trick… Anyway, I activated the (debug) logs, and the user ‘vincent’ seems to be created correctly, but I’m not sure.

>

> The request frame tells ‘unsupported security level’, which confirms it, but I still don’t know why.

>

> Any ideas ?

>

> ((( I put what seems important to me at first (see “highlights” below), but I may have missed something so I added more details (see “In details “) under it. )))

>

> Regards,

> Vincent.

>

> =================================================================

> Highlights :

> ============

>

> -------------------------

> Reading config file :

> -------------------------

>

> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase

> …

> read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase

> …

> 9:usmUser: truncating privKeyLen from 20 to 16

> trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:

> usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65

> …

> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv

> trace: run_config_handler(): read_config.c, 543:

> read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv

> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:

> rwuser: setting auth level: "priv"

> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:

> rwuser: passing: group grpvincent usm "vincent"

> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:

> rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_

> …

> read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x

> trace: run_config_handler(): read_config.c, 563:

> 9:read_config:parser: usmUser handler not registered for this time

> …

>

> -------------------------

> Request handling :

> -------------------------

> usm: match on user vincent

> trace: usm_check_secLevel(): snmpusm.c, 2738:

> comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1

> trace: usm_check_secLevel(): snmpusm.c, 2747:

> usm: Level: 3

> trace: usm_check_secLevel(): snmpusm.c, 2748:

> usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1

> trace: usm_process_in_msg(): snmpusm.c, 2980:

> usm: Unsupported Security Level (3).

> trace: snmpv3_parse(): snmp_api.c, 3994:

> dumph_recv:     ScopedPDU

> trace: _snmp_parse(): snmp_api.c, 4401:

> snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)

>

>

>

> =================================================================

> =================================================================

> =================================================================

> In details :

> ============

>

> trace: read_config(): read_config.c, 853:

> 9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase

> trace: read_config(): read_config.c, 981:

> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase

> trace: run_config_handler(): read_config.c, 543:

> read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase

> trace: sc_get_auth_oid(): scapi.c, 417:

> trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> trace: sc_get_authtype(): scapi.c, 341:

> trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> trace: sc_get_openssl_hashfn(): scapi.c, 634:

> trace: sc_get_authtype(): scapi.c, 341:

> trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:

> trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> trace: sc_get_authtype(): scapi.c, 341:

> trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:

> trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> trace: sc_hash(): scapi.c, 889:

> trace: sc_get_authtype(): scapi.c, 341:

> trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> trace: sc_hash_type(): scapi.c, 942:

> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:

> trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> trace: sc_get_openssl_hashfn(): scapi.c, 634:

> trace: usm_create_usmUser_from_string(): snmpusm.c, 4655:

> 9:usmUser: privProtocol DES

> trace: sc_get_priv_alg_bytype(): scapi.c, 248:

> trace: usm_create_usmUser_from_string(): snmpusm.c, 4662:

> 9:usmUser: pai usmDESPrivProtocol

> trace: sc_get_authtype(): scapi.c, 341:

> trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> trace: sc_get_openssl_hashfn(): scapi.c, 634:

> trace: sc_get_authtype(): scapi.c, 341:

> trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:

> trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> trace: sc_hash(): scapi.c, 889:

> trace: sc_get_authtype(): scapi.c, 341:

> trace: sc_find_auth_alg_byoid(): scapi.c, 269:

> trace: sc_hash_type(): scapi.c, 942:

> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:

> trace: sc_find_auth_alg_bytype(): scapi.c, 316:

> trace: sc_get_openssl_hashfn(): scapi.c, 634:

> trace: usm_create_usmUser_from_string(): snmpusm.c, 4779:

> 9:usmUser: truncating privKeyLen from 20 to 16

> trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:

> usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65

> trace: read_config(): read_config.c, 853:

> 9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv

> trace: read_config(): read_config.c, 981:

> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv

> trace: run_config_handler(): read_config.c, 543:

> read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv

> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:

> rwuser: setting auth level: "priv"

> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:

> rwuser: passing: group grpvincent usm "vincent"

> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:

> rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_

>

> …

>

> 9:read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x

> trace: read_config(): read_config.c, 981:

> read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x

> trace: run_config_handler(): read_config.c, 563:

> 9:read_config:parser: usmUser handler not registered for this time

>

> …

>

> usm: match on user vincent

> trace: usm_check_secLevel(): snmpusm.c, 2738:

> comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1

> trace: usm_check_secLevel(): snmpusm.c, 2747:

> usm: Level: 3

> trace: usm_check_secLevel(): snmpusm.c, 2748:

> usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1

> trace: usm_process_in_msg(): snmpusm.c, 2980:

> usm: Unsupported Security Level (3).

> trace: snmpv3_parse(): snmp_api.c, 3994:

> dumph_recv:     ScopedPDU

> trace: _snmp_parse(): snmp_api.c, 4401:

> snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)

>

>

>

>

>

>

>

>

>

> De : Martijn van Duren <ne...@li...<mailto:ne...@li...>>

> Envoyé : samedi 27 janvier 2024 10:33

> À : Vincent Gilson <vin...@ov...<mailto:vin...@ov...>>; net...@li...<mailto:net...@li...>

> Objet : Re: SNMPv3 DES issue

>

>

>

>

> [You don't often get email from ne...@li...<mailto:ne...@li...>. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

>

> ATTENTION : cet email a été envoyé par une source externe à notre enterprise. Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes si vous ne connaissez pas l'expéditeur et n'êtes pas sûrs du contenu.

>

>

> Nothing stands out to me at a first glance. What does running snmpd with

> -Dusm give you for extra information?

>

> Sincerely,

>

> Martijn van Duren

>

> On Fri, 2024-01-26 at 10:10 +0000, Vincent Gilson via Net-snmp-coders wrote:

> >

> >

> >

> > Hello !

> >

> > I’m working on a net-snmp agent integrated into an industrial embedded system (ARM-based).

> > The agent is working perfectly for v1 and v2c, and also with v3 and ‘AuthNoPriv’ mode. I’m doing my tests with SnmpB software as a client.

> > But SHA and DES/AES is not working :

> >

> > My snmpd.conf :

> >

> > # Listening connections :

> > agentAddress udp:161

> > #

> > # User list :

> > createUser myuser MD5 authpass

> > rouser myuser

> > createUser vincent SHA authpass DES privauthpass

> > rwuser vincent priv

> >

> > GET an integer with SNMPv3 is working for user “myuser” (configured with ‘authNoPriv’ and empty context info in SnmpB) , but that is not working for user “vincent" (configured with ‘authPriv’ in SnmpB)  : embedded agent returns me the security level is not supported (oid 1.3.6.1.6.3.15.1.1.1.0, see wireshark trace below) . Same problem occurs with AES.

> >

> > Why is it not supported ?

> > I tried different combinations with ‘createUser’ adding ‘priv’ on it, or add it at the end of ‘rwuser’

> > I didn’t see something relevant into the snmpd.log, so I guess the openssl is correctly loaded.

> >

> > I don’t know what I’m missing. Could you help me please ?

> > Many thanks !

> >

> > Vincent.

> >

> > ----->>>

> >

> > Some useful resources :

> >

> > My install switches :

> >

> > ./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \

> > --disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \

> > --enable-reentrant \

> > --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \

> > --with-openssl=$(LIB_DIRS) \

> > --without-rpm \

> > --with-logfile="/tmp/var/snmpd.log" \

> > --with-default-snmp-version="3" \

> > --with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \

> > --with-sys-contact="vin...@ov...<mailto:vin...@ov...>" \

> > --with-sys-location="Ovarro" \

> > --with-persistent-directory="/var/net-snmp" \

> > --enable-shared=yes --enable-static=no --enable-tagCC-libtool

> >

> > Wireshark capture (request of SnmpB, followed by answer from embedded net-snmp agent) :

> >

> > No.     Time           Source                Destination           Protocol Length Info

> >     4488 49.862297      10.65.84.14           172.25.110.169        SNMP     183    encryptedPDU: privKey Unknown

> >

> > Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0

> > Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55 (00:11:22:33:44:55)

> > Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169

> > User Datagram Protocol, Src Port: 49987, Dst Port: 161

> > Simple Network Management Protocol

> >      msgVersion: snmpv3 (3)

> >      msgGlobalData

> >          msgID: 1572876

> >          msgMaxSize: 4096

> >          msgFlags: 07

> >              .... .1.. = Reportable: Set

> >              .... ..1. = Encrypted: Set

> >              .... ...1 = Authenticated: Set

> >          msgSecurityModel: USM (3)

> >      msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665

> >          1... .... = Engine ID Conformance: RFC3411 (SNMPv3)

> >          Engine Enterprise ID: net-snmp (8072)

> >          Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random

> >          Engine ID Data: 1cfa4220

> >          Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid

> >      msgAuthoritativeEngineBoots: 17

> >      msgAuthoritativeEngineTime: 67315

> >      msgUserName: vincent

> >      msgAuthenticationParameters: 90d824057790ccf09d9cdf94

> >      msgPrivacyParameters: 000000110000904f

> >      msgData: encryptedPDU (1)

> >          encryptedPDU: 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…

> >

> > No.     Time           Source                Destination           Protocol Length Info

> >     4496 49.945101      172.25.110.169        10.65.84.14           SNMP     154    report 1.3.6.1.6.3.15.1.1.1.0

> >

> > Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0

> > Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00 (00:05:9a:3c:7a:00)

> > Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14

> > User Datagram Protocol, Src Port: 161, Dst Port: 49987

> > Simple Network Management Protocol

> >      msgVersion: snmpv3 (3)

> >      msgGlobalData

> >          msgID: 1572876

> >          msgMaxSize: 65507

> >          msgFlags: 00

> >              .... .0.. = Reportable: Not set

> >              .... ..0. = Encrypted: Not set

> >              .... ...0 = Authenticated: Not set

> >          msgSecurityModel: USM (3)

> >      msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665

> >          1... .... = Engine ID Conformance: RFC3411 (SNMPv3)

> >          Engine Enterprise ID: net-snmp (8072)

> >          Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random

> >          Engine ID Data: 1cfa4220

> >          Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid

> >      msgAuthoritativeEngineBoots: 17

> >      msgAuthoritativeEngineTime: 67315

> >      msgUserName: vincent

> >      msgAuthenticationParameters: <MISSING>

> >      msgPrivacyParameters: <MISSING>

> >      msgData: plaintext (0)

> >          plaintext

> >              contextEngineID: 80001f88801cfa42209b6fa665

> >                  1... .... = Engine ID Conformance: RFC3411 (SNMPv3)

> >                  Engine Enterprise ID: net-snmp (8072)

> >                  Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random

> >                  Engine ID Data: 1cfa4220

> >                  Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid

> >              contextName:

> >              data: report (8)

> >                  report

> >                      request-id: 0

> >                      error-status: noError (0)

> >                      error-index: 0

> >                      variable-bindings: 1 item

> >                          1.3.6.1.6.3.15.1.1.1.0: 10

> >                              Object Name:

> >

> >   (iso.3.6.1.6.3.15.1.1.1.0)

> >                              Value (Counter32): 10

> >

> >

> > _______________________________________________

> > Net-snmp-coders mailing list

> > Net...@li...<mailto:Net...@li...>

> > https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

>

RE: SNMPv3 DES issue

[Vincent G. <vin...@ov...>]

Thanks Niels,

Currently, here’s my full conf file :

agentAddress udp:161

createUser vincent SHA "myPassPhrase" DES "myPrivAuthPhrase"
group grouptboxusmv3 usm vincent
view viewalltboxmibs included .1
access grouptboxusmv3 "" any priv exact viewalltboxmibs viewalltboxmibs none
rwuser -s usm vincent priv -V viewalltboxmibs

I tried to create user after group/view/access config, tried also to not use rwuser, and different combinations but nothing works …
Any ideas ?


De : Niels Baggesen <ni...@ba...>
Envoyé : lundi 29 janvier 2024 20:29
À : net-snmp-coders <net...@li...>
Objet : Fwd: SNMPv3 DES issue

You don't often get email from ni...@ba.... Learn why this is important ATTENTION : cet email a été envoyé par u͏​​‌͏
[Graymail]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b7fc9e3f3f81aa696b2fdd&lang=en>
[External email]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b7fc9e3f3f81aa696b2fdd&lang=en>
[First time sender]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b7fc9e3f3f81aa696b2fdd&lang=en>
[This email shows signs of phishing]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b7fc9e3f3f81aa696b2fdd&lang=en>

You don't often get email from ni...@ba...<mailto:ni...@ba...>. Learn why this is important<https://links.uk.defend.egress.com/Warning?crId=65b7fc9e3f3f81aa696b2fdd&Domain=ovarro.com&Lang=en&Base64Url=eNrLKCkpKLbS10_MTtTLLdb3SU0synNMyi8tCU7NS0kt8kxJzSvJTMtMTizJzM8DAH5uES4%3D>
ATTENTION : cet email a été envoyé par une source externe à notre enterprise. Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes si vous ne connaissez pas l'expéditeur et n'êtes pas sûrs du contenu.
I dont know snmpb, and it is seems non-trivial to install.

Have you tried with the Net-SNMP tools?

Besides the createUser to create the uer, you need an access and view entry to define how it is used. How did you configure that?

/Niels
Den 26-01-2024 kl. 11:10 skrev Vincent Gilson via Net-snmp-coders:
Hello !

I’m working on a net-snmp agent integrated into an industrial embedded system (ARM-based).
The agent is working perfectly for v1 and v2c, and also with v3 and ‘AuthNoPriv’ mode. I’m doing my tests with SnmpB software as a client.
But SHA and DES/AES is not working :


My snmpd.conf :

# Listening connections :
agentAddress udp:161
#
# User list :
createUser myuser MD5 authpass
rouser myuser
createUser vincent SHA authpass DES privauthpass
rwuser vincent priv

GET an integer with SNMPv3 is working for user “myuser” (configured with ‘authNoPriv’ and empty context info in SnmpB) , but that is not working for user “vincent" (configured with ‘authPriv’ in SnmpB)  : embedded agent returns me the security level is not supported (oid 1.3.6.1.6.3.15.1.1.1.0, see wireshark trace below) . Same problem occurs with AES.

Why is it not supported ?
I tried different combinations with ‘createUser’ adding ‘priv’ on it, or add it at the end of ‘rwuser’
I didn’t see something relevant into the snmpd.log, so I guess the openssl is correctly loaded.

I don’t know what I’m missing. Could you help me please ?
Many thanks !

Vincent.


----->>>

Some useful resources :

My install switches :

./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \
--disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \
--enable-reentrant \
--with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \
--with-openssl=$(LIB_DIRS) \
--without-rpm \
--with-logfile="/tmp/var/snmpd.log" \
--with-default-snmp-version="3" \
--with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \
--with-sys-contact="vin...@ov..."<mailto:vin...@ov...> \
--with-sys-location="Ovarro" \
--with-persistent-directory="/var/net-snmp" \
--enable-shared=yes --enable-static=no --enable-tagCC-libtool

Wireshark capture (request of SnmpB, followed by answer from embedded net-snmp agent) :

No.     Time           Source                Destination           Protocol Length Info
   4488 49.862297      10.65.84.14           172.25.110.169        SNMP     183    encryptedPDU: privKey Unknown

Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55 (00:11:22:33:44:55)
Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169
User Datagram Protocol, Src Port: 49987, Dst Port: 161
Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1572876
        msgMaxSize: 4096
        msgFlags: 07
            .... .1.. = Reportable: Set
            .... ..1. = Encrypted: Set
            .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
        1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
        Engine Enterprise ID: net-snmp (8072)
        Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
        Engine ID Data: 1cfa4220
        Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
    msgAuthoritativeEngineBoots: 17
    msgAuthoritativeEngineTime: 67315
    msgUserName: vincent
    msgAuthenticationParameters: 90d824057790ccf09d9cdf94
    msgPrivacyParameters: 000000110000904f
    msgData: encryptedPDU (1)
        encryptedPDU: 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…

No.     Time           Source                Destination           Protocol Length Info
   4496 49.945101      172.25.110.169        10.65.84.14           SNMP     154    report 1.3.6.1.6.3.15.1.1.1.0

Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00 (00:05:9a:3c:7a:00)
Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14
User Datagram Protocol, Src Port: 161, Dst Port: 49987
Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1572876
        msgMaxSize: 65507
        msgFlags: 00
            .... .0.. = Reportable: Not set
            .... ..0. = Encrypted: Not set
            .... ...0 = Authenticated: Not set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
        1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
        Engine Enterprise ID: net-snmp (8072)
        Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
        Engine ID Data: 1cfa4220
        Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
    msgAuthoritativeEngineBoots: 17
    msgAuthoritativeEngineTime: 67315
    msgUserName: vincent
    msgAuthenticationParameters: <MISSING>
    msgPrivacyParameters: <MISSING>
    msgData: plaintext (0)
        plaintext
            contextEngineID: 80001f88801cfa42209b6fa665
                1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
                Engine Enterprise ID: net-snmp (8072)
                Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
                Engine ID Data: 1cfa4220
                Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
            contextName:
            data: report (8)
                report
                    request-id: 0
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 1 item
                        1.3.6.1.6.3.15.1.1.1.0: 10
                            Object Name: 1.3.6.1.6.3.15.1.1.1.0 (iso.3.6.1.6.3.15.1.1.1.0)
                            Value (Counter32): 10






_______________________________________________

Net-snmp-coders mailing list

Net...@li...<mailto:Net...@li...>

https://lists.sourceforge.net/lists/listinfo/net-snmp-coders<https://links.uk.defend.egress.com/Warning?crId=65b7fc9e3f3f81aa696b2fdd&Domain=ovarro.com&Lang=en&Base64Url=eNolyEEOwCAIBMAXCfd-h2I1UTAs_r9NvcxhWubCxTw6EgTfIVo9HiXTPPvbrTp_VWBzFfFbAy_DEhdF>

--

Niels Baggesen -- @home -- Århus -- Denmark -- ni...@ba...<mailto:ni...@ba...>

The purpose of computing is insight, not numbers  --  R W Hamming

--

Niels Baggesen -- @home -- Århus -- Denmark -- ni...@ba...<mailto:ni...@ba...>

The purpose of computing is insight, not numbers  --  R W Hamming

Fwd: SNMPv3 DES issue

[Niels B. <ni...@ba...>]

I dont know snmpb, and it is seems non-trivial to install.

Have you tried with the Net-SNMP tools?

Besides the createUser to create the uer, you need an access and view 
entry to define how it is used. How did you configure that?

/Niels

Den 26-01-2024 kl. 11:10 skrev Vincent Gilson via Net-snmp-coders:
>
> Hello !
>
> I’m working on a net-snmp agent integrated into an industrial embedded 
> system (ARM-based).
>
> The agent is working perfectly for v1 and v2c, and also with v3 and 
> ‘AuthNoPriv’ mode. I’m doing my tests with SnmpB software as a client.
>
> But SHA and DES/AES is not working :
>
> _My snmpd.conf :_
>
> # Listening connections :
>
> agentAddress udp:161
>
> #
>
> # User list :
>
> createUser myuser MD5 authpass
>
> rouser myuser
>
> createUser vincent SHA authpass DES privauthpass
>
> rwuser vincent priv
>
>
> GET an integer with SNMPv3 is working for user “myuser” (configured 
> with ‘authNoPriv’ and empty context info in SnmpB) , but that is not 
> working for user “vincent" (configured with ‘authPriv’ in SnmpB)  : 
> embedded agent returns me the security level is not supported (oid 
> 1.3.6.1.6.3.15.1.1.1.0, see wireshark trace below) . Same problem 
> occurs with AES.
>
> Why is it not supported ?
> I tried different combinations with ‘createUser’ adding ‘priv’ on it, 
> or add it at the end of ‘rwuser’
>
> I didn’t see something relevant into the snmpd.log, so I guess the 
> openssl is correctly loaded.
>
> I don’t know what I’m missing. Could you help me please ?
> Many thanks !
>
> Vincent.
>
> ----->>>
>
> _Some useful resources :_
>
> _My install switches :_
>
> ./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \
>
> --disable-applications --enable-debugging --disable-embedded-perl 
> --without-perl-modules \
>
> --enable-reentrant \
>
> --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) 
> --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \
>
> --with-openssl=$(LIB_DIRS) \
>
> --without-rpm \
>
> --with-logfile="/tmp/var/snmpd.log" \
>
> --with-default-snmp-version="3" \
>
> --with-transports="UDP,TCP,DTLSUDP,TLSTCP" 
> --with-security-modules="usm,tsm" \
>
> --with-sys-contact="vin...@ov..." \
>
> --with-sys-location="Ovarro" \
>
> --with-persistent-directory="/var/net-snmp" \
>
> --enable-shared=yes --enable-static=no --enable-tagCC-libtool
>
> _Wireshark capture (request of SnmpB, followed by answer from embedded 
> net-snmp agent) :_
>
> No. Time           Source                Destination Protocol Length Info
>
>    4488 49.862297      10.65.84.14           172.25.110.169 SNMP     
> 183    encryptedPDU: privKey Unknown
>
> Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 
> bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, 
> id 0
>
> Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: 
> CIMSYS_33:44:55 (00:11:22:33:44:55)
>
> Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169
>
> User Datagram Protocol, Src Port: 49987, Dst Port: 161
>
> Simple Network Management Protocol
>
> msgVersion: snmpv3 (3)
>
> msgGlobalData
>
> msgID: 1572876
>
> msgMaxSize: 4096
>
> msgFlags: 07
>
> .... .1.. = Reportable: Set
>
> .... ..1. = Encrypted: Set
>
> .... ...1 = Authenticated: Set
>
> msgSecurityModel: USM (3)
>
> msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
>
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
>
> Engine Enterprise ID: net-snmp (8072)
>
> Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
>
> Engine ID Data: 1cfa4220
>
> Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
>
> msgAuthoritativeEngineBoots: 17
>
> msgAuthoritativeEngineTime: 67315
>
> msgUserName: vincent
>
> msgAuthenticationParameters: 90d824057790ccf09d9cdf94
>
> msgPrivacyParameters: 000000110000904f
>
> msgData: encryptedPDU (1)
>
> encryptedPDU: 
> 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…
>
> No. Time           Source                Destination Protocol Length Info
>
>    4496 49.945101      172.25.110.169        10.65.84.14 SNMP     
> 154    report 1.3.6.1.6.3.15.1.1.1.0
>
> Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 
> bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, 
> id 0
>
> Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: 
> Cisco_3c:7a:00 (00:05:9a:3c:7a:00)
>
> Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14
>
> User Datagram Protocol, Src Port: 161, Dst Port: 49987
>
> Simple Network Management Protocol
>
> msgVersion: snmpv3 (3)
>
> msgGlobalData
>
> msgID: 1572876
>
> msgMaxSize: 65507
>
> msgFlags: 00
>
> .... .0.. = Reportable: Not set
>
> .... ..0. = Encrypted: Not set
>
> .... ...0 = Authenticated: Not set
>
> msgSecurityModel: USM (3)
>
> msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
>
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
>
> Engine Enterprise ID: net-snmp (8072)
>
> Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
>
> Engine ID Data: 1cfa4220
>
> Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
>
> msgAuthoritativeEngineBoots: 17
>
> msgAuthoritativeEngineTime: 67315
>
> msgUserName: vincent
>
> msgAuthenticationParameters: <MISSING>
>
> msgPrivacyParameters: <MISSING>
>
> msgData: plaintext (0)
>
> plaintext
>
> contextEngineID: 80001f88801cfa42209b6fa665
>
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
>
> Engine Enterprise ID: net-snmp (8072)
>
> Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
>
> Engine ID Data: 1cfa4220
>
> Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
>
> contextName:
>
>             data: report (8)
>
> report
>
> request-id: 0
>
> error-status: noError (0)
>
> error-index: 0
>
> variable-bindings: 1 item
>
> 1.3.6.1.6.3.15.1.1.1.0: 10
>
> Object Name: 1.3.6.1.6.3.15.1.1.1.0 (iso.3.6.1.6.3.15.1.1.1.0)
>
> Value (Counter32): 10
>
>
>
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

-- 
Niels Baggesen -- @home -- Århus -- Denmark --...@ba...
The purpose of computing is insight, not numbers  --  R W Hamming

-- 
Niels Baggesen -- @home -- Århus -- Denmark --...@ba...
The purpose of computing is insight, not numbers  --  R W Hamming

Re: SNMPv3 DES issue

[Martijn v. D. <ne...@li...>]

Hello Vincent,

Small disclaimer: I'm the maintainer of OpenBSD's snmp stack and not
too familiar with the net-snmp's quirks.

That out of the way I think I have a decent idea where the problem
comes from and would be more clear if you load the
SNMP-USER-BASED-SM-MIB for more human readable output.

If you look at the following line from the highlights you'll find:
> usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2,
> User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
Where SNMPv2-SMI::snmpModules.10.1.2.1 is
SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol. This means that your user
is created without a privacy option.
Looking a bit up we find:
> read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1
> 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL
> .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38
> .1.3.6.1.6.3.10.1.2.1 0x 0x
Where the last OID is the same usmNoPrivProtocol.

So here's my speculation: I've always been told that using createUser
inside the conf file works, but can cause problems. I think you've hit
one of those problems and that you've created the user Vincent before
without a privacy option and it doesn't update its internal definition.
My solution (again, not sure if this is the best way) is to either
manually remove the appropriate usmUser line from
/var/net-snmp/snmpv3d.conf (after stopping the daemon), or try to
remove it over the wire via snmpusm(1) (not sure if this works with
your daemon) and restart your daemon.

Hope this helps.

Martijn

On Mon, 2024-01-29 at 13:08 +0000, Vincent Gilson wrote:
> 
> 
> 
> Hi Martijn,
>  
> Thanks for your feedback!
>  
> I’m not using the snmpd command line daemon as I handle it in my own Linux application, so I couldn’t start it with -Dusm. But I’m guessing calling debug_enable_token_logs("usm"); in my application could do the trick… Anyway, I activated the (debug) logs, and the user ‘vincent’ seems to be created correctly, but I’m not sure.
> 
> The request frame tells ‘unsupported security level’, which confirms it, but I still don’t know why.
>  
> Any ideas ?
> 
> ((( I put what seems important to me at first (see “highlights” below), but I may have missed something so I added more details (see “In details “) under it. )))
> 
> Regards,
> Vincent.
>  
> =================================================================
> Highlights :
> ============
>  
> -------------------------
> Reading config file :
> -------------------------
>  
> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
> …
> read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase
> …
> 9:usmUser: truncating privKeyLen from 20 to 16
> trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
> usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
> …
> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
> trace: run_config_handler(): read_config.c, 543:
> read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
> rwuser: setting auth level: "priv"
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
> rwuser: passing: group grpvincent usm "vincent"
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
> rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_
> …
> read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
> trace: run_config_handler(): read_config.c, 563:
> 9:read_config:parser: usmUser handler not registered for this time
> …
>  
> -------------------------
> Request handling :
> -------------------------
> usm: match on user vincent
> trace: usm_check_secLevel(): snmpusm.c, 2738:
> comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
> trace: usm_check_secLevel(): snmpusm.c, 2747:
> usm: Level: 3
> trace: usm_check_secLevel(): snmpusm.c, 2748:
> usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
> trace: usm_process_in_msg(): snmpusm.c, 2980:
> usm: Unsupported Security Level (3).
> trace: snmpv3_parse(): snmp_api.c, 3994:
> dumph_recv:     ScopedPDU
> trace: _snmp_parse(): snmp_api.c, 4401:
> snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)
>  
>  
>  
> =================================================================
> =================================================================
> =================================================================
> In details :
> ============
>  
> trace: read_config(): read_config.c, 853:
> 9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
> trace: read_config(): read_config.c, 981:
> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
> trace: run_config_handler(): read_config.c, 543:
> read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase
> trace: sc_get_auth_oid(): scapi.c, 417:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_get_openssl_hashfn(): scapi.c, 634:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_hash(): scapi.c, 889:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_hash_type(): scapi.c, 942:
> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_get_openssl_hashfn(): scapi.c, 634:
> trace: usm_create_usmUser_from_string(): snmpusm.c, 4655:
> 9:usmUser: privProtocol DES
> trace: sc_get_priv_alg_bytype(): scapi.c, 248:
> trace: usm_create_usmUser_from_string(): snmpusm.c, 4662:
> 9:usmUser: pai usmDESPrivProtocol
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_get_openssl_hashfn(): scapi.c, 634:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_hash(): scapi.c, 889:
> trace: sc_get_authtype(): scapi.c, 341:
> trace: sc_find_auth_alg_byoid(): scapi.c, 269:
> trace: sc_hash_type(): scapi.c, 942:
> trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
> trace: sc_find_auth_alg_bytype(): scapi.c, 316:
> trace: sc_get_openssl_hashfn(): scapi.c, 634:
> trace: usm_create_usmUser_from_string(): snmpusm.c, 4779:
> 9:usmUser: truncating privKeyLen from 20 to 16
> trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
> usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
> trace: read_config(): read_config.c, 853:
> 9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
> trace: read_config(): read_config.c, 981:
> read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
> trace: run_config_handler(): read_config.c, 543:
> read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
> rwuser: setting auth level: "priv"
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
> rwuser: passing: group grpvincent usm "vincent"
> trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
> rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_
>  
> …
>  
> 9:read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
> trace: read_config(): read_config.c, 981:
> read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
> trace: run_config_handler(): read_config.c, 563:
> 9:read_config:parser: usmUser handler not registered for this time
>  
> …
>  
> usm: match on user vincent
> trace: usm_check_secLevel(): snmpusm.c, 2738:
> comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
> trace: usm_check_secLevel(): snmpusm.c, 2747:
> usm: Level: 3
> trace: usm_check_secLevel(): snmpusm.c, 2748:
> usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
> trace: usm_process_in_msg(): snmpusm.c, 2980:
> usm: Unsupported Security Level (3).
> trace: snmpv3_parse(): snmp_api.c, 3994:
> dumph_recv:     ScopedPDU
> trace: _snmp_parse(): snmp_api.c, 4401:
> snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)
>  
>  
>  
>  
>  
> 
> 
> 
> 
> De : Martijn van Duren <ne...@li...>
> Envoyé : samedi 27 janvier 2024 10:33
> À : Vincent Gilson <vin...@ov...>; net...@li...
> Objet : Re: SNMPv3 DES issue
>  
> 
> 
>  
> [You don't often get email from ne...@li.... Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>  
> ATTENTION : cet email a été envoyé par une source externe à notre enterprise. Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes si vous ne connaissez pas l'expéditeur et n'êtes pas sûrs du contenu.
>  
>  
> Nothing stands out to me at a first glance. What does running snmpd with
> -Dusm give you for extra information?
>  
> Sincerely,
>  
> Martijn van Duren
>  
> On Fri, 2024-01-26 at 10:10 +0000, Vincent Gilson via Net-snmp-coders wrote:
> >  
> >  
> >  
> > Hello !
> >  
> > I’m working on a net-snmp agent integrated into an industrial embedded system (ARM-based).
> > The agent is working perfectly for v1 and v2c, and also with v3 and ‘AuthNoPriv’ mode. I’m doing my tests with SnmpB software as a client.
> > But SHA and DES/AES is not working :
> >  
> > My snmpd.conf :
> >  
> > # Listening connections :
> > agentAddress udp:161
> > #
> > # User list :
> > createUser myuser MD5 authpass
> > rouser myuser
> > createUser vincent SHA authpass DES privauthpass
> > rwuser vincent priv
> >  
> > GET an integer with SNMPv3 is working for user “myuser” (configured with ‘authNoPriv’ and empty context info in SnmpB) , but that is not working for user “vincent" (configured with ‘authPriv’ in SnmpB)  : embedded agent returns me the security level is not supported (oid 1.3.6.1.6.3.15.1.1.1.0, see wireshark trace below) . Same problem occurs with AES.
> >  
> > Why is it not supported ?
> > I tried different combinations with ‘createUser’ adding ‘priv’ on it, or add it at the end of ‘rwuser’
> > I didn’t see something relevant into the snmpd.log, so I guess the openssl is correctly loaded.
> >  
> > I don’t know what I’m missing. Could you help me please ?
> > Many thanks !
> >  
> > Vincent.
> >  
> > ----->>>
> >  
> > Some useful resources :
> >  
> > My install switches :
> >  
> > ./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \
> > --disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \
> > --enable-reentrant \
> > --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \
> > --with-openssl=$(LIB_DIRS) \
> > --without-rpm \
> > --with-logfile="/tmp/var/snmpd.log" \
> > --with-default-snmp-version="3" \
> > --with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \
> > --with-sys-contact="vin...@ov..." \
> > --with-sys-location="Ovarro" \
> > --with-persistent-directory="/var/net-snmp" \
> > --enable-shared=yes --enable-static=no --enable-tagCC-libtool
> >  
> > Wireshark capture (request of SnmpB, followed by answer from embedded net-snmp agent) :
> >  
> > No.     Time           Source                Destination           Protocol Length Info
> >     4488 49.862297      10.65.84.14           172.25.110.169        SNMP     183    encryptedPDU: privKey Unknown
> >  
> > Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> > Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55 (00:11:22:33:44:55)
> > Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169
> > User Datagram Protocol, Src Port: 49987, Dst Port: 161
> > Simple Network Management Protocol
> >      msgVersion: snmpv3 (3)
> >      msgGlobalData
> >          msgID: 1572876
> >          msgMaxSize: 4096
> >          msgFlags: 07
> >              .... .1.. = Reportable: Set
> >              .... ..1. = Encrypted: Set
> >              .... ...1 = Authenticated: Set
> >          msgSecurityModel: USM (3)
> >      msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
> >          1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> >          Engine Enterprise ID: net-snmp (8072)
> >          Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> >          Engine ID Data: 1cfa4220
> >          Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> >      msgAuthoritativeEngineBoots: 17
> >      msgAuthoritativeEngineTime: 67315
> >      msgUserName: vincent
> >      msgAuthenticationParameters: 90d824057790ccf09d9cdf94
> >      msgPrivacyParameters: 000000110000904f
> >      msgData: encryptedPDU (1)
> >          encryptedPDU: 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…
> >  
> > No.     Time           Source                Destination           Protocol Length Info
> >     4496 49.945101      172.25.110.169        10.65.84.14           SNMP     154    report 1.3.6.1.6.3.15.1.1.1.0
> >  
> > Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> > Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00 (00:05:9a:3c:7a:00)
> > Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14
> > User Datagram Protocol, Src Port: 161, Dst Port: 49987
> > Simple Network Management Protocol
> >      msgVersion: snmpv3 (3)
> >      msgGlobalData
> >          msgID: 1572876
> >          msgMaxSize: 65507
> >          msgFlags: 00
> >              .... .0.. = Reportable: Not set
> >              .... ..0. = Encrypted: Not set
> >              .... ...0 = Authenticated: Not set
> >          msgSecurityModel: USM (3)
> >      msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
> >          1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> >          Engine Enterprise ID: net-snmp (8072)
> >          Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> >          Engine ID Data: 1cfa4220
> >          Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> >      msgAuthoritativeEngineBoots: 17
> >      msgAuthoritativeEngineTime: 67315
> >      msgUserName: vincent
> >      msgAuthenticationParameters: <MISSING>
> >      msgPrivacyParameters: <MISSING>
> >      msgData: plaintext (0)
> >          plaintext
> >              contextEngineID: 80001f88801cfa42209b6fa665
> >                  1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> >                  Engine Enterprise ID: net-snmp (8072)
> >                  Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> >                  Engine ID Data: 1cfa4220
> >                  Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
> >              contextName:
> >              data: report (8)
> >                  report
> >                      request-id: 0
> >                      error-status: noError (0)
> >                      error-index: 0
> >                      variable-bindings: 1 item
> >                          1.3.6.1.6.3.15.1.1.1.0: 10
> >                              Object Name:
> >  
> >   (iso.3.6.1.6.3.15.1.1.1.0)
> >                              Value (Counter32): 10
> >  
> >  
> > _______________________________________________
> > Net-snmp-coders mailing list
> > Net...@li...
> > https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>  

RE: SNMPv3 DES issue

[Vincent G. <vin...@ov...>]

Hi Martijn,

Thanks for your feedback!

I’m not using the snmpd command line daemon as I handle it in my own Linux application, so I couldn’t start it with -Dusm. But I’m guessing calling debug_enable_token_logs("usm"); in my application could do the trick… Anyway, I activated the (debug) logs, and the user ‘vincent’ seems to be created correctly, but I’m not sure.

The request frame tells ‘unsupported security level’, which confirms it, but I still don’t know why.

Any ideas ?

((( I put what seems important to me at first (see “highlights” below), but I may have missed something so I added more details (see “In details “) under it. )))

Regards,
Vincent.

=================================================================
Highlights :
============

-------------------------
Reading config file :
-------------------------

read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
…
read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase
…
9:usmUser: truncating privKeyLen from 20 to 16
trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
…
read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
trace: run_config_handler(): read_config.c, 543:
read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
rwuser: setting auth level: "priv"
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
rwuser: passing: group grpvincent usm "vincent"
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_
…
read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
trace: run_config_handler(): read_config.c, 563:
9:read_config:parser: usmUser handler not registered for this time
…

-------------------------
Request handling :
-------------------------
usm: match on user vincent
trace: usm_check_secLevel(): snmpusm.c, 2738:
comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
trace: usm_check_secLevel(): snmpusm.c, 2747:
usm: Level: 3
trace: usm_check_secLevel(): snmpusm.c, 2748:
usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
trace: usm_process_in_msg(): snmpusm.c, 2980:
usm: Unsupported Security Level (3).
trace: snmpv3_parse(): snmp_api.c, 3994:
dumph_recv:     ScopedPDU
trace: _snmp_parse(): snmp_api.c, 4401:
snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)



=================================================================
=================================================================
=================================================================
In details :
============

trace: read_config(): read_config.c, 853:
9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
trace: read_config(): read_config.c, 981:
read_config:line: /usr/local/etc/snmp//snmpv3d.conf:8 examining: createUser vincent SHA myauthpw DES myPrivAuthPhrase
trace: run_config_handler(): read_config.c, 543:
read_config:parser: Found a parser.  Calling it: createUser / vincent SHA myauthpw DES myPrivAuthPhrase
trace: sc_get_auth_oid(): scapi.c, 417:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_openssl_hashfn(): scapi.c, 634:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_hash(): scapi.c, 889:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_hash_type(): scapi.c, 942:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_get_openssl_hashfn(): scapi.c, 634:
trace: usm_create_usmUser_from_string(): snmpusm.c, 4655:
9:usmUser: privProtocol DES
trace: sc_get_priv_alg_bytype(): scapi.c, 248:
trace: usm_create_usmUser_from_string(): snmpusm.c, 4662:
9:usmUser: pai usmDESPrivProtocol
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_openssl_hashfn(): scapi.c, 634:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_hash(): scapi.c, 889:
trace: sc_get_authtype(): scapi.c, 341:
trace: sc_find_auth_alg_byoid(): scapi.c, 269:
trace: sc_hash_type(): scapi.c, 942:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 398:
trace: sc_find_auth_alg_bytype(): scapi.c, 316:
trace: sc_get_openssl_hashfn(): scapi.c, 634:
trace: usm_create_usmUser_from_string(): snmpusm.c, 4779:
9:usmUser: truncating privKeyLen from 20 to 16
trace: usm_create_usmUser_from_string(): snmpusm.c, 4792:
usmUser: created a new user vincent at 80 00 1F 88 80 1C FA 42 20 9B 6F A6 65
trace: read_config(): read_config.c, 853:
9:read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
trace: read_config(): read_config.c, 981:
read_config:line: /usr/local/etc/snmp//snmpv3d.conf:9 examining: rwuser -s usm vincent priv
trace: run_config_handler(): read_config.c, 543:
read_config:parser: Found a parser.  Calling it: rwuser / -s usm vincent priv
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 871:
rwuser: setting auth level: "priv"
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1013:
rwuser: passing: group grpvincent usm "vincent"
trace: vacm_create_simple(): mibgroup/mibII/vacm_conf.c, 1052:
rwuser: passing: access grpvincent "" usm priv prefix _all_ _all_ _all_

…

9:read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
trace: read_config(): read_config.c, 981:
read_config:line: /var/net-snmp/snmpv3d.conf:33 examining: usmUser 1 3 0x80001f88801cfa42209b6fa665 "vincent" "vincent" NULL .1.3.6.1.6.3.10.1.1.2 0xf6347e2fe5f1ce6ff9b539870dfa3b38 .1.3.6.1.6.3.10.1.2.1 0x 0x
trace: run_config_handler(): read_config.c, 563:
9:read_config:parser: usmUser handler not registered for this time

…

usm: match on user vincent
trace: usm_check_secLevel(): snmpusm.c, 2738:
comparex: Comparing: 1 3 SNMPv2-SMI::snmpModules.10.1.2.1
trace: usm_check_secLevel(): snmpusm.c, 2747:
usm: Level: 3
trace: usm_check_secLevel(): snmpusm.c, 2748:
usm: User (vincent) Auth Protocol: SNMPv2-SMI::snmpModules.10.1.1.2, User Priv Protocol: SNMPv2-SMI::snmpModules.10.1.2.1
trace: usm_process_in_msg(): snmpusm.c, 2980:
usm: Unsupported Security Level (3).
trace: snmpv3_parse(): snmp_api.c, 3994:
dumph_recv:     ScopedPDU
trace: _snmp_parse(): snmp_api.c, 4401:
snmp_parse: Parsed SNMPv3 message (secName:vincent, secLevel:authPriv): USM unsupported security level (this user has not been configured for that level of security)





De : Martijn van Duren <ne...@li...>
Envoyé : samedi 27 janvier 2024 10:33
À : Vincent Gilson <vin...@ov...>; net...@li...
Objet : Re: SNMPv3 DES issue

[You don't often get email from ne...@li.... Learn why this is important at https://aka.ms/LearnAboutSend͏​​‌͏
[External email]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b4cdc76a52a97d6e20f16a&lang=en>
[First time sender]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b4cdc76a52a97d6e20f16a&lang=en>
[This email shows signs of phishing]<https://summary.uk.defend.egress.com/v3/summary?ref=email&crId=65b4cdc76a52a97d6e20f16a&lang=en>


[You don't often get email from ne...@li...<mailto:ne...@li...>. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]



ATTENTION : cet email a été envoyé par une source externe à notre enterprise. Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes si vous ne connaissez pas l'expéditeur et n'êtes pas sûrs du contenu.





Nothing stands out to me at a first glance. What does running snmpd with

-Dusm give you for extra information?



Sincerely,



Martijn van Duren



On Fri, 2024-01-26 at 10:10 +0000, Vincent Gilson via Net-snmp-coders wrote:

>

>

>

> Hello !

>

> I’m working on a net-snmp agent integrated into an industrial embedded system (ARM-based).

> The agent is working perfectly for v1 and v2c, and also with v3 and ‘AuthNoPriv’ mode. I’m doing my tests with SnmpB software as a client.

> But SHA and DES/AES is not working :

>

> My snmpd.conf :

>

> # Listening connections :

> agentAddress udp:161

> #

> # User list :

> createUser myuser MD5 authpass

> rouser myuser

> createUser vincent SHA authpass DES privauthpass

> rwuser vincent priv

>

> GET an integer with SNMPv3 is working for user “myuser” (configured with ‘authNoPriv’ and empty context info in SnmpB) , but that is not working for user “vincent" (configured with ‘authPriv’ in SnmpB)  : embedded agent returns me the security level is not supported (oid 1.3.6.1.6.3.15.1.1.1.0, see wireshark trace below) . Same problem occurs with AES.

>

> Why is it not supported ?

> I tried different combinations with ‘createUser’ adding ‘priv’ on it, or add it at the end of ‘rwuser’

> I didn’t see something relevant into the snmpd.log, so I guess the openssl is correctly loaded.

>

> I don’t know what I’m missing. Could you help me please ?

> Many thanks !

>

> Vincent.

>

> ----->>>

>

> Some useful resources :

>

> My install switches :

>

> ./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \

> --disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \

> --enable-reentrant \

> --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \

> --with-openssl=$(LIB_DIRS) \

> --without-rpm \

> --with-logfile="/tmp/var/snmpd.log" \

> --with-default-snmp-version="3" \

> --with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \

> --with-sys-contact="vin...@ov...<mailto:vin...@ov...>" \

> --with-sys-location="Ovarro" \

> --with-persistent-directory="/var/net-snmp" \

> --enable-shared=yes --enable-static=no --enable-tagCC-libtool

>

> Wireshark capture (request of SnmpB, followed by answer from embedded net-snmp agent) :

>

> No.     Time           Source                Destination           Protocol Length Info

>    4488 49.862297      10.65.84.14           172.25.110.169        SNMP     183    encryptedPDU: privKey Unknown

>

> Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0

> Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55 (00:11:22:33:44:55)

> Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169

> User Datagram Protocol, Src Port: 49987, Dst Port: 161

> Simple Network Management Protocol

>     msgVersion: snmpv3 (3)

>     msgGlobalData

>         msgID: 1572876

>         msgMaxSize: 4096

>         msgFlags: 07

>             .... .1.. = Reportable: Set

>             .... ..1. = Encrypted: Set

>             .... ...1 = Authenticated: Set

>         msgSecurityModel: USM (3)

>     msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665

>         1... .... = Engine ID Conformance: RFC3411 (SNMPv3)

>         Engine Enterprise ID: net-snmp (8072)

>         Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random

>         Engine ID Data: 1cfa4220

>         Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid

>     msgAuthoritativeEngineBoots: 17

>     msgAuthoritativeEngineTime: 67315

>     msgUserName: vincent

>     msgAuthenticationParameters: 90d824057790ccf09d9cdf94

>     msgPrivacyParameters: 000000110000904f

>     msgData: encryptedPDU (1)

>         encryptedPDU: 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…

>

> No.     Time           Source                Destination           Protocol Length Info

>    4496 49.945101      172.25.110.169        10.65.84.14           SNMP     154    report 1.3.6.1.6.3.15.1.1.1.0

>

> Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0

> Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00 (00:05:9a:3c:7a:00)

> Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14

> User Datagram Protocol, Src Port: 161, Dst Port: 49987

> Simple Network Management Protocol

>     msgVersion: snmpv3 (3)

>     msgGlobalData

>         msgID: 1572876

>         msgMaxSize: 65507

>         msgFlags: 00

>             .... .0.. = Reportable: Not set

>             .... ..0. = Encrypted: Not set

>             .... ...0 = Authenticated: Not set

>         msgSecurityModel: USM (3)

>     msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665

>         1... .... = Engine ID Conformance: RFC3411 (SNMPv3)

>         Engine Enterprise ID: net-snmp (8072)

>         Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random

>         Engine ID Data: 1cfa4220

>         Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid

>     msgAuthoritativeEngineBoots: 17

>     msgAuthoritativeEngineTime: 67315

>     msgUserName: vincent

>     msgAuthenticationParameters: <MISSING>

>     msgPrivacyParameters: <MISSING>

>     msgData: plaintext (0)

>         plaintext

>             contextEngineID: 80001f88801cfa42209b6fa665

>                 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)

>                 Engine Enterprise ID: net-snmp (8072)

>                 Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random

>                 Engine ID Data: 1cfa4220

>                 Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid

>             contextName:

>             data: report (8)

>                 report

>                     request-id: 0

>                     error-status: noError (0)

>                     error-index: 0

>                     variable-bindings: 1 item

>                         1.3.6.1.6.3.15.1.1.1.0: 10

>                             Object Name:

>

>  (iso.3.6.1.6.3.15.1.1.1.0)

>                             Value (Counter32): 10

>

>

> _______________________________________________

> Net-snmp-coders mailing list

> Net...@li...<mailto:Net...@li...>

> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

Re: SNMPv3 DES issue

[Martijn v. D. <ne...@li...>]

Nothing stands out to me at a first glance. What does running snmpd with
-Dusm give you for extra information?

Sincerely,

Martijn van Duren

On Fri, 2024-01-26 at 10:10 +0000, Vincent Gilson via Net-snmp-coders wrote:
> 
> 
> 
> Hello !
>  
> I’m working on a net-snmp agent integrated into an industrial embedded system (ARM-based).
> The agent is working perfectly for v1 and v2c, and also with v3 and ‘AuthNoPriv’ mode. I’m doing my tests with SnmpB software as a client.
> But SHA and DES/AES is not working :
> 
> My snmpd.conf :
>  
> # Listening connections :
> agentAddress udp:161
> #
> # User list :
> createUser myuser MD5 authpass
> rouser myuser
> createUser vincent SHA authpass DES privauthpass
> rwuser vincent priv
> 
> GET an integer with SNMPv3 is working for user “myuser” (configured with ‘authNoPriv’ and empty context info in SnmpB) , but that is not working for user “vincent" (configured with ‘authPriv’ in SnmpB)  : embedded agent returns me the security level is not supported (oid 1.3.6.1.6.3.15.1.1.1.0, see wireshark trace below) . Same problem occurs with AES.
>  
> Why is it not supported ?
> I tried different combinations with ‘createUser’ adding ‘priv’ on it, or add it at the end of ‘rwuser’
> I didn’t see something relevant into the snmpd.log, so I guess the openssl is correctly loaded.
>  
> I don’t know what I’m missing. Could you help me please ?
> Many thanks !
>  
> Vincent.
> 
> ----->>>
>  
> Some useful resources :
>  
> My install switches :
>  
> ./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \
> --disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \
> --enable-reentrant \
> --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \
> --with-openssl=$(LIB_DIRS) \
> --without-rpm \
> --with-logfile="/tmp/var/snmpd.log" \
> --with-default-snmp-version="3" \
> --with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \
> --with-sys-contact="vin...@ov..." \
> --with-sys-location="Ovarro" \
> --with-persistent-directory="/var/net-snmp" \
> --enable-shared=yes --enable-static=no --enable-tagCC-libtool
>  
> Wireshark capture (request of SnmpB, followed by answer from embedded net-snmp agent) :
>  
> No.     Time           Source                Destination           Protocol Length Info
>    4488 49.862297      10.65.84.14           172.25.110.169        SNMP     183    encryptedPDU: privKey Unknown
>  
> Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55 (00:11:22:33:44:55)
> Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169
> User Datagram Protocol, Src Port: 49987, Dst Port: 161
> Simple Network Management Protocol
>     msgVersion: snmpv3 (3)
>     msgGlobalData
>         msgID: 1572876
>         msgMaxSize: 4096
>         msgFlags: 07
>             .... .1.. = Reportable: Set
>             .... ..1. = Encrypted: Set
>             .... ...1 = Authenticated: Set
>         msgSecurityModel: USM (3)
>     msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
>         1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
>         Engine Enterprise ID: net-snmp (8072)
>         Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
>         Engine ID Data: 1cfa4220
>         Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
>     msgAuthoritativeEngineBoots: 17
>     msgAuthoritativeEngineTime: 67315
>     msgUserName: vincent
>     msgAuthenticationParameters: 90d824057790ccf09d9cdf94
>     msgPrivacyParameters: 000000110000904f
>     msgData: encryptedPDU (1)
>         encryptedPDU: 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f…
>  
> No.     Time           Source                Destination           Protocol Length Info
>    4496 49.945101      172.25.110.169        10.65.84.14           SNMP     154    report 1.3.6.1.6.3.15.1.1.1.0
>  
> Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
> Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00 (00:05:9a:3c:7a:00)
> Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14
> User Datagram Protocol, Src Port: 161, Dst Port: 49987
> Simple Network Management Protocol
>     msgVersion: snmpv3 (3)
>     msgGlobalData
>         msgID: 1572876
>         msgMaxSize: 65507
>         msgFlags: 00
>             .... .0.. = Reportable: Not set
>             .... ..0. = Encrypted: Not set
>             .... ...0 = Authenticated: Not set
>         msgSecurityModel: USM (3)
>     msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
>         1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
>         Engine Enterprise ID: net-snmp (8072)
>         Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
>         Engine ID Data: 1cfa4220
>         Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
>     msgAuthoritativeEngineBoots: 17
>     msgAuthoritativeEngineTime: 67315
>     msgUserName: vincent
>     msgAuthenticationParameters: <MISSING>
>     msgPrivacyParameters: <MISSING>
>     msgData: plaintext (0)
>         plaintext
>             contextEngineID: 80001f88801cfa42209b6fa665
>                 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
>                 Engine Enterprise ID: net-snmp (8072)
>                 Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
>                 Engine ID Data: 1cfa4220
>                 Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
>             contextName:
>             data: report (8)
>                 report
>                     request-id: 0
>                     error-status: noError (0)
>                     error-index: 0
>                     variable-bindings: 1 item
>                         1.3.6.1.6.3.15.1.1.1.0: 10
>                             Object Name: 
> 
>  (iso.3.6.1.6.3.15.1.1.1.0)
>                             Value (Counter32): 10
>  
>  
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

SNMPv3 DES issue

[Vincent G. <vin...@ov...>]

Hello !

I'm working on a net-snmp agent integrated into an industrial embedded system (ARM-based).
The agent is working perfectly for v1 and v2c, and also with v3 and 'AuthNoPriv' mode. I'm doing my tests with SnmpB software as a client.
But SHA and DES/AES is not working :

My snmpd.conf :

# Listening connections :
agentAddress udp:161
#
# User list :
createUser myuser MD5 authpass
rouser myuser
createUser vincent SHA authpass DES privauthpass
rwuser vincent priv

GET an integer with SNMPv3 is working for user "myuser" (configured with 'authNoPriv' and empty context info in SnmpB) , but that is not working for user "vincent" (configured with 'authPriv' in SnmpB)  : embedded agent returns me the security level is not supported (oid 1.3.6.1.6.3.15.1.1.1.0, see wireshark trace below) . Same problem occurs with AES.

Why is it not supported ?
I tried different combinations with 'createUser' adding 'priv' on it, or add it at the end of 'rwuser'
I didn't see something relevant into the snmpd.log, so I guess the openssl is correctly loaded.

I don't know what I'm missing. Could you help me please ?
Many thanks !

Vincent.

----->>>

Some useful resources :

My install switches :

./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \
--disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \
--enable-reentrant \
--with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \
--with-openssl=$(LIB_DIRS) \
--without-rpm \
--with-logfile="/tmp/var/snmpd.log" \
--with-default-snmp-version="3" \
--with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \
--with-sys-contact="vin...@ov..." \
--with-sys-location="Ovarro" \
--with-persistent-directory="/var/net-snmp" \
--enable-shared=yes --enable-static=no --enable-tagCC-libtool

Wireshark capture (request of SnmpB, followed by answer from embedded net-snmp agent) :

No.     Time           Source                Destination           Protocol Length Info
   4488 49.862297      10.65.84.14           172.25.110.169        SNMP     183    encryptedPDU: privKey Unknown

Frame 4488: 183 bytes on wire (1464 bits), 183 bytes captured (1464 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
Ethernet II, Src: Cisco_3c:7a:00 (00:05:9a:3c:7a:00), Dst: CIMSYS_33:44:55 (00:11:22:33:44:55)
Internet Protocol Version 4, Src: 10.65.84.14, Dst: 172.25.110.169
User Datagram Protocol, Src Port: 49987, Dst Port: 161
Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1572876
        msgMaxSize: 4096
        msgFlags: 07
            .... .1.. = Reportable: Set
            .... ..1. = Encrypted: Set
            .... ...1 = Authenticated: Set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
        1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
        Engine Enterprise ID: net-snmp (8072)
        Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
        Engine ID Data: 1cfa4220
        Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
    msgAuthoritativeEngineBoots: 17
    msgAuthoritativeEngineTime: 67315
    msgUserName: vincent
    msgAuthenticationParameters: 90d824057790ccf09d9cdf94
    msgPrivacyParameters: 000000110000904f
    msgData: encryptedPDU (1)
        encryptedPDU: 6ca45160f625888a5d5578eab7db81b466dc8d98901c8a706eee1031ca939c6e1a825c7f...

No.     Time           Source                Destination           Protocol Length Info
   4496 49.945101      172.25.110.169        10.65.84.14           SNMP     154    report 1.3.6.1.6.3.15.1.1.1.0

Frame 4496: 154 bytes on wire (1232 bits), 154 bytes captured (1232 bits) on interface \Device\NPF_{71745524-1B4D-4E06-8D78-0E258F5FBAED}, id 0
Ethernet II, Src: CIMSYS_33:44:55 (00:11:22:33:44:55), Dst: Cisco_3c:7a:00 (00:05:9a:3c:7a:00)
Internet Protocol Version 4, Src: 172.25.110.169, Dst: 10.65.84.14
User Datagram Protocol, Src Port: 161, Dst Port: 49987
Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1572876
        msgMaxSize: 65507
        msgFlags: 00
            .... .0.. = Reportable: Not set
            .... ..0. = Encrypted: Not set
            .... ...0 = Authenticated: Not set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001f88801cfa42209b6fa665
        1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
        Engine Enterprise ID: net-snmp (8072)
        Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
        Engine ID Data: 1cfa4220
        Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
    msgAuthoritativeEngineBoots: 17
    msgAuthoritativeEngineTime: 67315
    msgUserName: vincent
    msgAuthenticationParameters: <MISSING>
    msgPrivacyParameters: <MISSING>
    msgData: plaintext (0)
        plaintext
            contextEngineID: 80001f88801cfa42209b6fa665
                1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
                Engine Enterprise ID: net-snmp (8072)
                Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
                Engine ID Data: 1cfa4220
                Engine ID Data: Creation Time: Jan 16, 2024 12:59:23 Paris, Madrid
            contextName:
            data: report (8)
                report
                    request-id: 0
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 1 item
                        1.3.6.1.6.3.15.1.1.1.0: 10
                            Object Name: 1.3.6.1.6.3.15.1.1.1.0 (iso.3.6.1.6.3.15.1.1.1.0)
                            Value (Counter32): 10

Inclusion of UCD MIBs in other projects

[Martijn v. D. <ne...@li...>]

hello coders@,

First let me introduce myself. I'm ma...@op... and the current
maintainer of OpenBSD's own snmp stack.

I would like to include UCD-DISKIO-MIB and it's dependency UCD-SNMP-MIB
into OpenBSD base and would like explicit permission before doing so.

My motivation for this is that in OpenBSD the name<->OID translations
are hardcoded in mib.h, which is limiting and error-prone in multiple
ways. To this end I've written (intial) SMIv2 support for snmpd(8)[0]
and would like to include the MIBs (partially) supported native by
OpenBSD's base system. Most of these are by IETF/IANA and to the best of
my knowledge can be included without any problems. However, OpenBSD also
partially supports the UCD-DISKIO-MIB metrics, of which I'm not sure.

Thanks in advance.

Sincerely,

Martijn van Duren

[0] https://marc.info/?l=openbsd-tech&m=170386489813398&w=2
    https://marc.info/?l=openbsd-tech&m=170386526013565&w=2
    https://marc.info/?l=openbsd-tech&m=170386517313548&w=2
    https://marc.info/?l=openbsd-tech&m=170386524813562&w=2
    https://marc.info/?l=openbsd-tech&m=170386531513578&w=2

Re: Delayed notification when using IP-MIB::ipAddressTable instead of IP-MIB::ipAddressTable

[Niels B. <ni...@ba...>]

Den 11-01-2024 kl. 14:25 skrev Christophe Leroy via Net-snmp-coders:
> When using IP-MIB::ipAddrTable the manager is notified immediately but
> when using IP-MIB::ipAddressTable the notification is delayed several
> seconds and after investigation it looks like it is because the content
> of IP-MIB::ipAddressTable is cached for 30 seconds.
>
> What should be done in order to restore the same behaviour as with
> IP-MIB::ipAddrTable and get an immediate notification ?

You can check the cache timeout by checking:

snmpget host nsCacheTimeout.1.3.6.1.2.1.4.34

and, if you have write access to the agent, change it by snmpset:

snmpset host nsCacheTimeout.1.3.6.1.2.1.4.34 = 1

(dont set it to 0, then it will default to 5)

/Niels

-- 
Niels Baggesen -- @home -- Århus -- Denmark -- ni...@ba...
The purpose of computing is insight, not numbers  --  R W Hamming

Delayed notification when using IP-MIB::ipAddressTable instead of IP-MIB::ipAddressTable

[Christophe L. <chr...@cs...>]

Hi,

I'm actually in the process of upgrading a former IPv4-only system into 
IPv6.

As part of it, we have to use the new table IP-MIB::ipAddressTable 
instead of IP-MIB::ipAddrTable which can only contain IPv4 addresses.

Our system uses this table together with DISMAN to monitor IP addresses 
assigned to interfaces and/or creation/deletion of interfaces, and we 
have a requirement that the manager gets notified within a few seconds.

Using Net-SNMP version 5.9.3

When using IP-MIB::ipAddrTable the manager is notified immediately but 
when using IP-MIB::ipAddressTable the notification is delayed several 
seconds and after investigation it looks like it is because the content 
of IP-MIB::ipAddressTable is cached for 30 seconds.

What should be done in order to restore the same behaviour as with 
IP-MIB::ipAddrTable and get an immediate notification ?

Thanks
Christophe

Re: SIGHUP for changing SNMP agent Port

[Feroz <fer...@gm...>]

IMO we need to revert this patch, as it would cause issues in production.
This is a partial fix.

-Feroz

On Tue, Jan 9, 2024 at 2:35 PM Vivek Aditya <viv...@gm...> wrote:

> Thanks for quick response
>
> I am working on this feature and able to achieve partial success. There is
> one use case where it does not work. It's a pretty small code
> change. Please take a look at the commit message for the logic and to
> understand the exact use-case where it isn't working. Any help or
> suggestion is appreciated.
>
> review link - https://github.com/net-snmp/net-snmp/pull/769
>
>
> On Mon, 8 Jan 2024 at 22:52, Wes Hardaker <har...@us...>
> wrote:
>
>> Vivek Aditya <viv...@gm...> writes:
>>
>> > I want the SNMP to start listening on a new agent port without restart.
>> > Just sending SIGHUP to snmpd does not work.
>> >
>> > Is there a way to do it or has this issue already been fixed? Any help
>> > would be appreciated.
>>
>> That's a good feature request, but I don't think we handle that now
>> you're right.
>> --
>> Wes Hardaker
>> Please mail all replies to net...@li...
>>
>
>
> --
> Warm Regards,
> Vivek Aditya
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>


-- 
Regards,
Feroz Ahmed

SIGHUP for changing snmpv3 context

[Vivek A. <viv...@gm...>]

Hi Team,

I want the snmpv3 context to change without snmpd restart. When I checked
with SIGHUP, looks like adding a new snmpv3 context, SIGHUP works; But
deleting the context and sending a SIGHUP, the context does not get deleted
and still able to perform walk with that context.

Is there a way to do it or has this issue already been resolved? Any help
would be appreciated

-- 
Warm Regards,
Vivek Aditya

Re: SIGHUP for changing SNMP agent Port

[Vivek A. <viv...@gm...>]

Thanks for quick response

I am working on this feature and able to achieve partial success. There is
one use case where it does not work. It's a pretty small code
change. Please take a look at the commit message for the logic and to
understand the exact use-case where it isn't working. Any help or
suggestion is appreciated.

review link - https://github.com/net-snmp/net-snmp/pull/769


On Mon, 8 Jan 2024 at 22:52, Wes Hardaker <har...@us...>
wrote:

> Vivek Aditya <viv...@gm...> writes:
>
> > I want the SNMP to start listening on a new agent port without restart.
> > Just sending SIGHUP to snmpd does not work.
> >
> > Is there a way to do it or has this issue already been fixed? Any help
> > would be appreciated.
>
> That's a good feature request, but I don't think we handle that now
> you're right.
> --
> Wes Hardaker
> Please mail all replies to net...@li...
>


-- 
Warm Regards,
Vivek Aditya

Re: SIGHUP for changing SNMP agent Port

[Wes H. <har...@us...>]

Vivek Aditya <viv...@gm...> writes:

> I want the SNMP to start listening on a new agent port without restart.
> Just sending SIGHUP to snmpd does not work. 
> 
> Is there a way to do it or has this issue already been fixed? Any help
> would be appreciated.

That's a good feature request, but I don't think we handle that now
you're right.
-- 
Wes Hardaker
Please mail all replies to net...@li...

SIGHUP for changing SNMP agent Port

[Vivek A. <viv...@gm...>]

Hi Team,

I want the SNMP to start listening on a new agent port without restart.
Just sending SIGHUP to snmpd does not work.

Is there a way to do it or has this issue already been fixed? Any help
would be appreciated.
-- 
Warm Regards,
Vivek Aditya

Re: Core dump generated in snmp_alarm.c

[Wes H. <har...@us...>]

Venkateswarlu K <ven...@gm...> writes:

> We are using net-snmp version 5.7.3 in our ARM based Access Point. Recently we
> are observing snmp core in snmp_alarm.c file with below bt.

Based on the image, we'd need to see in a debugger what the 'a'
structure looks like.  I'm not sure how the alarm stack got corrupted.
Do you have private code loaded into the agent as well?  Or is this
stock net-snmp code without modifications?  Either way, you should
upgrade to the latest net-snmp release as 5.7.3 was quite a while ago.
-- 
Wes Hardaker
Please mail all replies to net...@li...

Re: ipv4 index encoded as ascii poor form or am i stuck in the past

[Denis H. <den...@gm...>]

On Wed, Jan 03, 2024 at 09:54:58AM +0000, Stuart Henderson wrote:
> On 2024/01/02 19:48, Denis Hainsworth wrote:
> > Apologies if this is terribly off topic.  However its a very niche
> > mib/snmp question I'm hoping someone can guide me on as to if a vendor
> > is right or not.
<snip> 
> > Are they simply equally valid? Or could one format be considered more
> > valid.  
> 
> They're doing it wrong, the inetAddressType is ipv4, so this applies
> 
> InetAddressIPv4 ::= TEXTUAL-CONVENTION
>     DISPLAY-HINT "1d.1d.1d.1d"
>     STATUS       current
>     DESCRIPTION
>         "Represents an IPv4 network address:
> 
>            Octets   Contents         Encoding
>             1-4     IPv4 address     network-byte order
> 
>          The corresponding InetAddressType value is ipv4(1).
> 
>          This textual convention SHOULD NOT be used directly in object
>          definitions, as it restricts addresses to a specific format.
>          However, if it is used, it MAY be used either on its own or in
>          conjunction with InetAddressType, as a pair."
>     SYNTAX       OCTET STRING (SIZE (4))

I appreciate the double check Stuart.  That seemed right to me but the
snmp RFCs are dense enough I'm never 100% sure I'm reading them right :) 

-denis


-- 
__________________________
Denis Alan Hainsworth     
den...@gm...

Re: ipv4 index encoded as ascii poor form or am i stuck in the past

[Stuart H. <st...@sp...>]

On 2024/01/02 19:48, Denis Hainsworth wrote:
> Apologies if this is terribly off topic.  However its a very niche
> mib/snmp question I'm hoping someone can guide me on as to if a vendor
> is right or not.
> 
> Up till now all vendors I know have implemented the index for 
> .iso.org.dod.internet.mgmt.mib-2.ip.ipAddressTable.ipAddressEntry.ipAddressIfIndex.ipv4
> or
> 1.3.6.1.2.1.4.34.1.3 
> 
> as quad dotted decimal so type .ipv4. index is readable in the OID and for
> .ipv6.  it is 16 dotted decimal conversion of the hex.
> 
> examples
> iso.3.6.1.2.1.4.34.1.3.1.4.127.0.0.1 = INTEGER: 21
> iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.0.0.255.254.0.0.4 = INTEGER: 18
> 
> a new whitebox router vendor drivenets is returning both as ascii
> encoded values like so which snmptranslate does a fine job handling
> 
> snmptranslate -M /usr/share/snmp/mibs/ -Of 1.3.6.1.2.1.4.34.1.3.1.7.49.46.49.46.49.46.49
> .iso.org.dod.internet.mgmt.mib-2.ip.ipAddressTable.ipAddressEntry.ipAddressIfIndex.ipv4."1.1.1.1"
> 
> What for the life of me I cant follow are the MIB RFCs to the point of
> telling if they did it in an annnoying but not illegal way or if this is
> the cool new way the RFCs suggest should be used.  I'm stuck a lot on
> the wording of INET-ADDRESS-MIB.txt for things like InetAddressIPv4 as
> well as https://datatracker.ietf.org/doc/html/rfc2578#section-7.7
> 
> Anyone have an informed opinion as to if I should push back on that kind
> of ascii encoded formatting of the index of the ipAddressTable.
> 
> Are they simply equally valid? Or could one format be considered more
> valid.  

They're doing it wrong, the inetAddressType is ipv4, so this applies

InetAddressIPv4 ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "1d.1d.1d.1d"
    STATUS       current
    DESCRIPTION
        "Represents an IPv4 network address:

           Octets   Contents         Encoding
            1-4     IPv4 address     network-byte order

         The corresponding InetAddressType value is ipv4(1).

         This textual convention SHOULD NOT be used directly in object
         definitions, as it restricts addresses to a specific format.
         However, if it is used, it MAY be used either on its own or in
         conjunction with InetAddressType, as a pair."
    SYNTAX       OCTET STRING (SIZE (4))

ipv4 index encoded as ascii poor form or am i stuck in the past

[Denis H. <den...@gm...>]

Apologies if this is terribly off topic.  However its a very niche
mib/snmp question I'm hoping someone can guide me on as to if a vendor
is right or not.

Up till now all vendors I know have implemented the index for 
.iso.org.dod.internet.mgmt.mib-2.ip.ipAddressTable.ipAddressEntry.ipAddressIfIndex.ipv4
or
1.3.6.1.2.1.4.34.1.3 

as quad dotted decimal so type .ipv4. index is readable in the OID and for
.ipv6.  it is 16 dotted decimal conversion of the hex.

examples
iso.3.6.1.2.1.4.34.1.3.1.4.127.0.0.1 = INTEGER: 21
iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.0.0.255.254.0.0.4 = INTEGER: 18

a new whitebox router vendor drivenets is returning both as ascii
encoded values like so which snmptranslate does a fine job handling

snmptranslate -M /usr/share/snmp/mibs/ -Of 1.3.6.1.2.1.4.34.1.3.1.7.49.46.49.46.49.46.49
.iso.org.dod.internet.mgmt.mib-2.ip.ipAddressTable.ipAddressEntry.ipAddressIfIndex.ipv4."1.1.1.1"

What for the life of me I cant follow are the MIB RFCs to the point of
telling if they did it in an annnoying but not illegal way or if this is
the cool new way the RFCs suggest should be used.  I'm stuck a lot on
the wording of INET-ADDRESS-MIB.txt for things like InetAddressIPv4 as
well as https://datatracker.ietf.org/doc/html/rfc2578#section-7.7

Anyone have an informed opinion as to if I should push back on that kind
of ascii encoded formatting of the index of the ipAddressTable.

Are they simply equally valid? Or could one format be considered more
valid.  

If this is too wildly off topic for the list please ignore me with my
apologies.

thanks
-denis

-- 
__________________________
Denis Alan Hainsworth     
den...@gm...

Re: Missing root disk in MIB - Bisected to commit e3fc76e0ae ("CHANGES: snmpd: Make UCD-SNMP::dskTable dynamic if includeAllDisks is set.")

[Christophe L. <chr...@cs...>]

Le 26/12/2023 à 03:01, Bart Van Assche a écrit :
> [Some people who received this message don't often get email from 
> bva...@ac.... Learn why this is important at 
> https://aka.ms/LearnAboutSenderIdentification ]
> 
> On 12/17/23 09:51, Christophe Leroy wrote:
>> While upgrading from NETsnmp 5.7.3 to 5.9.3 I encounter a problem which
>> is that root(/) filesystem is missing from UCD-SNMP-MIB disk table:
> 
> Is https://github.com/net-snmp/net-snmp/pull/764 perhaps intended as a
> fix for this issue?
> 

Yes the issue disappears with that patch applied.

However I'm not sure the change of behaviour introducted by commit 
e3fc76e0ae ("CHANGES: snmpd: Make UCD-SNMP::dskTable dynamic if 
includeAllDisks is set.") was intended, based on the commit message.

Thanks,
Christophe

Re: Missing root disk in MIB - Bisected to commit e3fc76e0ae ("CHANGES: snmpd: Make UCD-SNMP::dskTable dynamic if includeAllDisks is set.")

[Bart V. A. <bva...@ac...>]

On 12/17/23 09:51, Christophe Leroy wrote:
> While upgrading from NETsnmp 5.7.3 to 5.9.3 I encounter a problem which
> is that root(/) filesystem is missing from UCD-SNMP-MIB disk table:

Is https://github.com/net-snmp/net-snmp/pull/764 perhaps intended as a
fix for this issue?

Thanks,

Bart.

Missing root disk in MIB - Bisected to commit e3fc76e0ae ("CHANGES: snmpd: Make UCD-SNMP::dskTable dynamic if includeAllDisks is set.")

[Christophe L. <chr...@cs...>]

Hello All,

While upgrading from NETsnmp 5.7.3 to 5.9.3 I encounter a problem which 
is that root(/) filesystem is missing from UCD-SNMP-MIB disk table:

# snmpwalk -v1 -c public localhost 1.3.6.1.4.1.2021.9
UCD-SNMP-MIB::dskIndex.2 = INTEGER: 2
UCD-SNMP-MIB::dskIndex.3 = INTEGER: 3
UCD-SNMP-MIB::dskPath.2 = STRING: /tmp
UCD-SNMP-MIB::dskPath.3 = STRING: /var
UCD-SNMP-MIB::dskDevice.2 = STRING: none
UCD-SNMP-MIB::dskDevice.3 = STRING: none

While with 5.7.3 I get

# snmpwalk -v1 -c public localhost 1.3.6.1.4.1.2021.9
UCD-SNMP-MIB::dskIndex.1 = INTEGER: 1
UCD-SNMP-MIB::dskIndex.2 = INTEGER: 2
UCD-SNMP-MIB::dskIndex.3 = INTEGER: 3
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskPath.2 = STRING: /tmp
UCD-SNMP-MIB::dskPath.3 = STRING: /var
UCD-SNMP-MIB::dskDevice.1 = STRING: ubi0:rootfs
UCD-SNMP-MIB::dskDevice.2 = STRING: none
UCD-SNMP-MIB::dskDevice.3 = STRING: none

In snmpd.conf I have:

disk /
disk /tmp
disk /var

Mounted filestems are:

# cat /proc/mounts
ubi0:rootfs / ubifs rw,sync,relatime,assert=read-only,ubi=0,vol=0 0 0
none /dev devtmpfs rw,relatime,size=64k,nr_inodes=3496,mode=755 0 0
none /proc proc rw,relatime 0 0
none /sys sysfs rw,relatime 0 0
none /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0
none /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=1024k 0 0
none /var tmpfs rw,nosuid,nodev,noexec,relatime,size=4096k,mode=755 0 0
none /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=28112k 0 0
none /mnt/hugetlbfs hugetlbfs rw,relatime,pagesize=512K 0 0

The problem doesn't exist in NETsnmp v5.7, it appears in v5.8

Bisection identified commit e3fc76e0ae ("CHANGES: snmpd: Make 
UCD-SNMP::dskTable dynamic if includeAllDisks is set.") as the first bad 
commit.

Reverting this commit on top of v5.8 or v5.9 or v5.9.1 fixes the issue.

Can't revert on top of v5.9.2 nor v5.9.3, several non trivial conflicts 
occur in agent/mibgroup/ucd-snmp/disk_hw.c

Can you help fix the issue ?

Thanks
Christophe

creation of table entry for mib2c.iterate.conf

[Prankur C. <pra...@gm...>]

Dear All,

I have used the mib2c.iterate.conf file to auto generate code for my simple
table.
My question is I can read a text file to initialize the table and use
table_createEntry to create the entry.

After creation I also wanted to "netsnmp_insert_iterator_context( NULL,
wgEntry );" like it was done in MODE_SET_RESERVE2. But it seems it is not
required ?

Please check the MIB file and also the c code

-- 
Cheers
Prankur