Hi, I don't know if it's a negotiation, but I think you need to have the engineID set in the inform message. I have appended a tarball with messages, conf, logs and pcap from where I ran a similar test with snmpd and snmptrapd. The conf files include a bunch of other stuff not needed for this case, but I have some other tests using this.
Regarding the RFCs, I have no clue.

Regards
Anders Wallin

On Thu, Feb 28, 2019 at 6:24 PM Dag Bakke <d...@bakke.com> wrote:
> Hi Anders.
>
> Thank you for answering.
>
> Is the engineID actually ever *negotiated*?
> I had the understanding this was unilaterally configured, either
> statically or automatically.
> Is my understanding of this mechanism incorrect?
>
> My reasoning for using informs in the first place was that the receiver
> engineID is authoritative with v3 informs.
> (As opposed to traps, where the sender engineID is authoritative.)
>
> I also noted that Junos does not send an engineID.
> Do the relevant RFCs say anything about inform 'probes', such as these
> used by Junos?
>
> Dag B
>
>
> On 2/28/19 4:27 PM, Anders Wallin wrote:
> > Hi Dag,
> >
> > try to not set the engineID in the snmptrapd.conf and let snmptrapd
> > and Junos negotiate the engineID
> >
> > createUser -e 0x80001234 authpriv2 SHA xyzzy188 AES xazzza18
> > ->
> > createUser authpriv2 SHA xyzzy188 AES xazzza18
> >
> > Looking at the pcap file snmptrapd sends the engineid = 80001f88.....,
> > but Junos does not set it at all engineID= <MISSING>
> >
> > Regards
> > Anders Wallin
> >
> >
> > On Thu, Feb 28, 2019 at 2:02 PM Dag B <d...@bakke.com> wrote:
> > > Hi.
> > >
> > > I am trying to convince snmptrapd to receive snmp v3 informs from Junos
> > > (Juniper Networks' BSD-variant on switches and firewalls). The idea was
> > > to use informs rather than traps, so I could:
> > > - have encryption in place.
> > > - avoid having to update the snmptrapd config for every new device
> > >   sending v3 traps
> > >
> > > When Junos starts its snmp process, it will send a few probes to
> > > snmptrapd to decide if the receiver is receptive to informs. If not, it
> > > stops sending informs.
> > >
> > > So far, I have not succeeded. snmptrapd appears unhappy, then Junos gets
> > > unhappy, takes the ball and goes home.
> > > I would like to know if my config and my understanding of the
> > > observations are correct.
> > >
> > > Config, observations and sample packet capture follows:
> > >
> > >
> > > Config:
> > > -------------
> > >
> > > snmptrapd.conf:
> > > ------------------------
> > > createUser -e 0x80001234 authpriv2 SHA xyzzy188 AES xazzza18
> > > authUser log,execute authpriv2
> > >
> > > running snmptrapd like this:
> > > ----------------------------------
> > > snmptrapd -f -C -c /tmp/snmptrapd.conf -Le -Dusm,engine
> > >
> > >
> > > junos config:
> > > -----------------
> > > set snmp v3 usm local-engine user authpriv authentication-sha authentication-password xyzzy188
> > > set snmp v3 usm local-engine user authpriv privacy-aes128 privacy-password xazzza18
> > > set snmp v3 usm remote-engine 0x80001234 user authpriv2 authentication-sha authentication-password xyzzy188
> > > set snmp v3 usm remote-engine 0x80001234 user authpriv2 privacy-aes128 privacy-password xazzza18
> > > set snmp v3 vacm security-to-group security-model usm security-name authpriv group myv3group
> > > set snmp v3 vacm security-to-group security-model usm security-name authpriv2 group notifygroup
> > > set snmp v3 vacm access group myv3group default-context-prefix security-model usm security-level authentication read-view myv3view
> > > set snmp v3 vacm access group myv3group default-context-prefix security-model usm security-level privacy read-view myv3view
> > > set snmp v3 vacm access group notifygroup default-context-prefix security-model usm security-level authentication notify-view myv3view
> > > set snmp v3 vacm access group notifygroup default-context-prefix security-model usm security-level privacy notify-view myv3view
> > > set snmp v3 target-address snmptrapd-server address 192.168.200.1
> > > set snmp v3 target-address snmptrapd-server tag-list macnotify
> > > set snmp v3 target-address snmptrapd-server target-parameters targparms
> > > set snmp v3 target-parameters targparms parameters message-processing-model v3
> > > set snmp v3 target-parameters targparms parameters security-model usm
> > > set snmp v3 target-parameters targparms parameters security-level privacy
> > > set snmp v3 target-parameters targparms parameters security-name authpriv2
> > > set snmp v3 notify myv3notify type inform
> > > set snmp v3 notify myv3notify tag macnotify
> > > set snmp engine-id local 0x80006666
> > > set snmp view myv3view oid iso include
> > > set ethernet-switching-options mac-notification
> > >
> > >
> > > Observations:
> > > --------------------
> > > With this setup, I managed to get three probe failures in 'show snmp
> > > inform-statistics' after a switch reboot.
> > >
> > > root@ex2200c-lab2> show snmp inform-statistics
> > > Inform Request Statistics:
> > > Target name: snmptrapd-server Address: 192.168.200.1
> > > Sent: 0, Pending: 0
> > > Discarded: 1, Timeouts: 0, Probe failures: 3
> > >
> > >
> > > snmptrapd says:
> > > ---------------------
> > > registered debug token usm, 1
> > > registered debug token engine, 1
> > > usmUser: created a new user authpriv2 at 80 00 12 34
> > > NET-SNMP version 5.8
> > > usm: USM processing begun...
> > > usm: Unknown Engine ID.
> > > usm: USM processing has begun (offset 56)
> > > usm: getting user
> > > usm: USM processing completed.
> > > [three more times, 4 packets in total]
> > >
> > >
> > > Not sure if the list allows for attachments? Packet capture attached,
> > > but I have added the decoded SNMP packet for the first two frames
> > > below.
> > >
> > > As far as I can tell, the probes sent from the Junos end are all
> > > unencrypted. And not using the configured user or engine ID.
> > > Is this a correct interpretation of the packet capture? Not expecting
> > > the list to validate my Junos config, by the way.
> > >
> > > There is also the "Data not conforming to RFC3411". Any comment on
> > > that?
> > >
> > >
> > > Thanks,
> > >
> > >
> > > Dag B
> > >
> > >
> > > Decoded packets:
> > > -------------------------
> > > Simple Network Management Protocol
> > >     msgVersion: snmpv3 (3)
> > >     msgGlobalData
> > >         msgID: 1610700309
> > >         msgMaxSize: 65507
> > >         msgFlags: 04
> > >             .... .1.. = Reportable: Set
> > >             .... ..0. = Encrypted: Not set
> > >             .... ...0 = Authenticated: Not set
> > >         msgSecurityModel: USM (3)
> > >     msgAuthoritativeEngineID: <MISSING>
> > >     msgAuthoritativeEngineBoots: 0
> > >     msgAuthoritativeEngineTime: 0
> > >     msgUserName:
> > >     msgAuthenticationParameters: <MISSING>
> > >     msgPrivacyParameters: <MISSING>
> > >     msgData: plaintext (0)
> > >         plaintext
> > >             contextEngineID: <MISSING>
> > >             contextName:
> > >             data: get-request (0)
> > >                 get-request
> > >                     request-id: 1679169514
> > >                     error-status: noError (0)
> > >                     error-index: 0
> > >                     variable-bindings: 0 items
> > >
> > >
> > > Simple Network Management Protocol
> > >     msgVersion: snmpv3 (3)
> > >     msgGlobalData
> > >         msgID: 1610700309
> > >         msgMaxSize: 1472
> > >         msgFlags: 00
> > >             .... .0.. = Reportable: Not set
> > >             .... ..0. = Encrypted: Not set
> > >             .... ...0 = Authenticated: Not set
> > >         msgSecurityModel: USM (3)
> > >     msgAuthoritativeEngineID: 80001f88807d6dfe468a7d595c00000000
> > >         1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> > >         Engine Enterprise ID: net-snmp (8072)
> > >         Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> > >         Data not conforming to RFC3411
> > >             [Expert Info (Warning/Protocol): Data not conforming to RFC3411]
> > >                 [Data not conforming to RFC3411]
> > >                 [Severity level: Warning]
> > >                 [Group: Protocol]
> > >     msgAuthoritativeEngineBoots: 1
> > >     msgAuthoritativeEngineTime: 1870
> > >     msgUserName:
> > >     msgAuthenticationParameters: <MISSING>
> > >     msgPrivacyParameters: <MISSING>
> > >     msgData: plaintext (0)
> > >         plaintext
> > >             contextEngineID: 80001f88807d6dfe468a7d595c00000000
> > >                 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> > >                 Engine Enterprise ID: net-snmp (8072)
> > >                 Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
> > >                 Data not conforming to RFC3411
> > >                     [Expert Info (Warning/Protocol): Data not conforming to RFC3411]
> > >                         [Data not conforming to RFC3411]
> > >                         [Severity level: Warning]
> > >                         [Group: Protocol]
> > >             contextName:
> > >             data: report (8)
> > >                 report
> > >                     request-id: 1679169514
> > >                     error-status: noError (0)
> > >                     error-index: 0
> > >                     variable-bindings: 1 item
> > >                         1.3.6.1.6.3.15.1.1.4.0: 3
> > >                             Object Name: 1.3.6.1.6.3.15.1.1.4.0 (iso.3.6.1.6.3.15.1.1.4.0)
> > >                             Value (Counter32): 3
> > >
> > > _______________________________________________
> > > Net-snmp-users mailing list
> > > Net-snmp-users@lists.sourceforge.net
> > > Please see the following page to unsubscribe or change other options:
> > > https://lists.sourceforge.net/lists/listinfo/net-snmp-users
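The two frames in the decode quoted above are the USM engineID discovery step of RFC 3414: a reportable, unauthenticated probe with an empty msgAuthoritativeEngineID, answered by a Report that carries usmStatsUnknownEngineIDs and the receiver's real engineID. The Python below is an added example, not code from this thread, from Net-SNMP or from Junos: it rebuilds those two frames from the decoded field values with a small dependency-free BER codec, classifies each frame, and compares the engineID the receiver announces (80001f88... in the Report) with the remote-engine the inform sender was configured for (0x80001234 in the Junos config quoted above). The BER framing, the function names and the check itself are constructed for this example.

```python
"""USM engineID discovery, rebuilt from the packet decode above.  Added example,
not code from the thread, Net-SNMP or Junos: a dependency-free BER codec that
reconstructs the probe (empty engineID) and the Report (receiver engineID plus
usmStatsUnknownEngineIDs), then checks the announced engineID against the
remote-engine the sender was configured with.  Framing and check are constructed."""

USM_STATS_UNKNOWN_ENGINE_IDS = (1, 3, 6, 1, 6, 3, 15, 1, 1, 4, 0)  # usmStatsUnknownEngineIDs.0 (RFC 3414)
TAG_GET_REQUEST, TAG_REPORT, TAG_COUNTER32 = 0xA0, 0xA8, 0x41       # BER tags of the PDUs and Counter32

def ber_len(n):  # definite-form BER length: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(v, tag=0x02):  # minimal two's-complement INTEGER; tag 0x41 makes it a Counter32
    return tlv(tag, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def ber_oid(arcs):  # first two arcs share one octet, the rest are base-128 with a continuation bit
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def ber_read(buf, pos=0):  # (tag, content, next_pos) of the TLV at buf[pos]
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def ber_children(content):  # [(tag, content), ...] of the TLVs packed inside a constructed value
    out, pos = [], 0
    while pos < len(content):
        tag, c, pos = ber_read(content, pos)
        out.append((tag, c))
    return out

def ber_int_val(c):
    return int.from_bytes(c, "big", signed=True)

def ber_oid_val(c):
    arcs, v = [c[0] // 40, c[0] % 40], 0
    for b in c[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return tuple(arcs)

def build_msg(msg_id, max_size, flags, engine_id, boots, time_, pdu_tag, req_id, varbinds):
    """SNMPv3 message (RFC 3412) with USM parameters (RFC 3414); noAuthNoPriv, empty user name."""
    usm = tlv(0x30, tlv(0x04, engine_id) + ber_int(boots) + ber_int(time_)
              + tlv(0x04, b"") + tlv(0x04, b"") + tlv(0x04, b""))  # user, authParams, privParams
    vbl = tlv(0x30, b"".join(tlv(0x30, ber_oid(oid) + val) for oid, val in varbinds))
    pdu = tlv(pdu_tag, ber_int(req_id) + ber_int(0) + ber_int(0) + vbl)
    scoped = tlv(0x30, tlv(0x04, engine_id) + tlv(0x04, b"") + pdu)  # contextEngineID, contextName
    glob = tlv(0x30, ber_int(msg_id) + ber_int(max_size) + tlv(0x04, bytes([flags])) + ber_int(3))
    return tlv(0x30, ber_int(3) + glob + tlv(0x04, usm) + scoped)

def parse_msg(raw):
    """Extract the fields that matter for discovery from a plaintext SNMPv3 message."""
    _version, glob, secparams, scoped = ber_children(ber_read(raw)[1])
    gm = ber_children(glob[1])
    usm = ber_children(ber_read(secparams[1])[1])
    pdu_tag, pdu = ber_children(scoped[1])[2]
    fields = ber_children(pdu)
    vbs = [(ber_oid_val(ber_children(vb)[0][1]), ber_children(vb)[1])
           for _, vb in ber_children(fields[3][1])]
    return {"flags": gm[2][1][0], "engine_id": usm[0][1], "boots": ber_int_val(usm[1][1]),
            "time": ber_int_val(usm[2][1]), "pdu_tag": pdu_tag,
            "request_id": ber_int_val(fields[0][1]), "varbinds": vbs}

def classify(msg):
    """Role in engineID discovery -> (kind, engine_id, usmStatsUnknownEngineIDs or None)."""
    if msg["pdu_tag"] == TAG_REPORT:
        for oid, (tag, c) in msg["varbinds"]:
            if oid == USM_STATS_UNKNOWN_ENGINE_IDS and tag == TAG_COUNTER32:
                return "engineid-report", msg["engine_id"], ber_int_val(c)
    if (msg["engine_id"] == b"" and msg["flags"] & 0x04  # reportable flag set, engineID empty
            and msg["pdu_tag"] == TAG_GET_REQUEST and not msg["varbinds"]):
        return "discovery-probe", b"", None
    return "other", msg["engine_id"], None

def describe_engine_id(eid):
    """RFC 3411 SnmpEngineID header: leading 1 bit, enterprise number, format octet.
    RFC 3411 sizes SnmpEngineID at 5..32 octets, so shorter values are not RFC-format."""
    if len(eid) < 5 or not eid[0] & 0x80:
        return {"rfc3411": False, "length": len(eid)}
    return {"rfc3411": True, "length": len(eid),
            "enterprise": int.from_bytes(eid[:4], "big") & 0x7FFFFFFF, "format": eid[4]}

def check_inform_target(configured_remote_engine, probe_raw, report_raw):
    """Informs are authenticated under the receiver's engineID, so the engineID the
    receiver announces in its Report must equal the sender's configured remote-engine."""
    p, r = parse_msg(probe_raw), parse_msg(report_raw)
    (kind_p, _, _), (kind_r, announced, _) = classify(p), classify(r)
    if kind_p != "discovery-probe" or kind_r != "engineid-report":
        return "not a discovery exchange"
    if p["request_id"] != r["request_id"]:
        return "report does not answer this probe"
    if announced == configured_remote_engine:
        return "match"
    return "mismatch: receiver announces %s, sender configured %s" % (
        announced.hex(), configured_remote_engine.hex())

# Constructed frames: header values taken from the decode above, remote-engine from the Junos config.
RECEIVER_ENGINE_ID = bytes.fromhex("80001f88807d6dfe468a7d595c00000000")
CONFIGURED_REMOTE_ENGINE = bytes.fromhex("80001234")
PROBE = build_msg(1610700309, 65507, 0x04, b"", 0, 0, TAG_GET_REQUEST, 1679169514, [])
DISCOVERY_REPORT = build_msg(1610700309, 1472, 0x00, RECEIVER_ENGINE_ID, 1, 1870, TAG_REPORT,
                             1679169514, [(USM_STATS_UNKNOWN_ENGINE_IDS, ber_int(3, TAG_COUNTER32))])
```

With the values from the thread, `check_inform_target(CONFIGURED_REMOTE_ENGINE, PROBE, DISCOVERY_REPORT)` returns a mismatch: the receiver announces 80001f88..., not the 0x80001234 the Junos side was told to use as its remote-engine, so the two sides do not agree on the authoritative engineID under which USM keys for informs are localized. `describe_engine_id` also shows that 0x80001234 is only four octets, below the 5-octet minimum RFC 3411 gives SnmpEngineID. The `request_id` comparison is the caveat worth keeping in any such check: a Report only answers the probe whose request-id it repeats.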
Attachment: informtest.tgz (application/compressed-tar)