Hi, here is what I was trying to achieve....
I put in SNMPv3 support in a product this spring, and I had reports that authNoPriv and authPriv traps and informs were not being received by the SNMPc package. I asked the user to install net-snmp and run snmptrapd to get them so I could see if there was a problem with "my system" or with SNMPc (or maybe its configuration). The user didn't have time, so I tried to set up and test with NET-SNMP last week. It didn't work. I couldn't figure out why. I sent messages. By the way, I've run into problems with other packages with informs, since they either didn't provide the value of engineID of the inform receiver (so I could use it when configuring users), or they didn't increment engineBoots on each reboot of the inform receiver. Also, I've run into API packages that will not work due to not understanding that traps and informs work differently for the "authoritative engine" in SNMPv3/USM. (Please note: USM is only the first security model. Other models may (and should) be very different. I believe that the current NET-SNMP code makes too many assumptions that only USM is present with SNMPv3. Also, the code on my agent uses the community table found in RFC 3584 to map between community string values and security name and engineID. It doesn't appear to me that NET-SNMP does this. Using this table changes how you look at SNMP security!) In the system I did, I simplified so that instead of setting up 10 tables to send notifications (5 for identity and access control, and 5 for notifications and targets), only 2 "tables" needed entries.
Here are the configuration lines needed to send traps:

    set snmp usm testuser snmp-engine-id local access notify-only auth-type md5 auth-pass-phrase pw4testuser encrypt-type des encrypt-pass-phrase pw4testuser

and

    set snmp notify target 1 192.168.168.102:40162 usm trap user testuser security encrypted

Here are the configuration lines for informs:

    set snmp usm bobby snmp-engine-id hex 800007e580eb3cda468bf00743 access notify-only auth-type md5 auth-pass-phrase socks2go encrypt-type none

and

    set snmp notify target 2 192.168.168.102:40162 usm inform user bobby snmp-engine-id hex 800007e580eb3cda468bf00743 security authenticated

NOTE: the 800007e580eb3cda468bf00743 is the engineID of the snmptrapd program. I couldn't figure out how to set it, and found it hidden in file /var/net-snmp/snmptrapd.conf. The -e option to set the engineID on the utilities has another meaning for snmptrapd. The man pages didn't say how to set the engineID for snmptrapd. You've got to have it to set up the USM table in the agent!!!!!!!!

With these config lines, the system would send traps using SNMPv3/USM to 192.168.168.102:40162 with security level authPriv; and the system would send informs using SNMPv3/USM to 192.168.168.102:40162 with security level authNoPriv.

With the NET-SNMP snmptrapd, I set up file /etc/snmp/snmptrapd.conf with the lines:

    createUser bobby MD5 socks2go
    createUser -e 0x00000063000000a1c0a8a842 testuser MD5 pw4testuser DES pw4testuser

NOTE: the 0x00000063000000a1c0a8a842 is the engineID of "my" SNMP agent.
On my system the CLI command "show snmp status" outputs the following:

    SNMP agent (server snmpd) is enabled
    SNMPv1 is enabled
    SNMPv2c is disabled
    SNMPv3/USM is enabled
    SNMP minimum security is unsecured
    System IP address: 192.168.168.66
    System name: dtp-sim
    System location: -- not set --
    System contact: -- not set --
    SNMP engine ID: 00000063000000a1c0a8a842 (IP 192.168.168.66:161)
    SNMP engine boots: 1
    SNMP engine time: 9032 seconds, which is 0 days, 2 hr, 30 min, 32 sec
    SNMP max message size: 2048 octets

The engineID value is generated using the algorithm from SNMP Research (who has enterprise number 99 (hex 63)), and is based on the UDP port (161, which is hex a1) and the IP address (192.168.168.66, which is hex c0a8a842).

I ran snmptrapd with the following command:

    /usr/sbin/snmptrapd -Le -f -Dsnmpv3 -Dusm UDP:40162

So, I hope that the man pages and tutorials can be updated to tell you what needs to be configured so that one can use NET-SNMP snmptrapd for testing, and that the program be modified to
1) not require entries for noAuthNoPriv
2) print the protocol of each trap or inform
3) print the security level (unsecured (noAuthNoPriv), authenticated (authNoPriv), or encrypted (authPriv))
4) print an indication as to the status (success, noSuchUser, engineID/EngineClock discovery, outOfTimeWindow, authFail, decryptionFail, etc)

Regards,
/david t. perkins
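The message turns on which engine is authoritative: for a trap the sending agent is, so snmptrapd's createUser for testuser needs "-e <agent engineID>", while for an inform the receiver is, so bobby is created under snmptrapd's own engineID. The following added example (not code from the message or from net-snmp) decodes the two engineIDs quoted above per RFC 3411 and RFC 1910 and runs the RFC 3414 password-to-key localization, showing why the same password yields different USM keys under each engineID; the password and engineID values are taken from the message, and the RFC 3414 "maplesyrup" vector is used as a check.

```python
import hashlib

# engineIDs quoted in the message above (constructed test inputs, copied from the post)
AGENT_ENGINE_ID = bytes.fromhex("00000063000000a1c0a8a842")   # the poster's agent
TRAPD_ENGINE_ID = bytes.fromhex("800007e580eb3cda468bf00743")  # net-snmp snmptrapd


def decode_engine_id(eid: bytes) -> dict:
    """Split an snmpEngineID into enterprise / format octet / vendor body."""
    if not 5 <= len(eid) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets (RFC 3411)")
    first = int.from_bytes(eid[:4], "big")
    if first & 0x80000000:
        # RFC 3411 layout: high bit set, enterprise in the low 31 bits, then a format octet.
        return {"enterprise": first & 0x7FFFFFFF, "format": eid[4], "body": eid[5:].hex()}
    # Older RFC 1910 layout: exactly 12 octets, enterprise then 8 vendor-defined octets
    # (here: 0x000000a1 = UDP port 161, 0xc0a8a842 = 192.168.168.66, as the post explains).
    if len(eid) != 12:
        raise ValueError("RFC 1910 style engineID must be exactly 12 octets")
    return {"enterprise": first, "format": None, "body": eid[4:].hex()}


def password_to_ku(password: str, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.1: hash the password repeated out to 1,048,576 octets."""
    pw = password.encode()
    stream = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.1: Kul = H(Ku || snmpEngineID || Ku), the key actually used on the wire."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


if __name__ == "__main__":
    for name, eid in (("agent", AGENT_ENGINE_ID), ("snmptrapd", TRAPD_ENGINE_ID)):
        print(name, decode_engine_id(eid))
    # Traps: the agent is authoritative, so the receiver must localize testuser's
    # password with the agent's engineID (hence "createUser -e 0x0000006300...").
    trap_key = localized_key("pw4testuser", AGENT_ENGINE_ID)
    # A receiver that localized the same password under its own engineID would
    # compute a different key and report authFail for every trap.
    wrong_key = localized_key("pw4testuser", TRAPD_ENGINE_ID)
    print("keys differ:", trap_key != wrong_key)
```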