OK, I'll give you that it might be insecure, but if you are going to yell "insecure" then why even accept the Engine ID from initial query? If someone is monitoring traffic (man in the middle) is it not just as likely they can give you the wrong Engine ID too.
Regards, Brian On Aug 10, 2010, at 3:54 PM, Jochen Katz wrote: > Hi, > > please see Franks recent response with subject "Initial SNMPv3 handshake > extra step?" > >> Can SNMP4J be configured to have similar behavior? Not only is the >> Net-SNMP behavior more efficient > > but also it is insecure! If you are using SNMPv3 without authentication, > the NET-SNMP behaviour is ok, as everybody who is able to sniff and > insert packets can send valid responses. > > But if you are using authentication, the NET-SNMP behaviour allows an > attacker to prevent all communication between agent and manager. He just > has to answer with an unknownEngineID report with very high boot > counter. If the manager accepts this unauthenicated report it won't be > able to communicate with the agent. > > Regards, > Jochen > _______________________________________________ > SNMP4J mailing list > [email protected] > http://lists.agentpp.org/mailman/listinfo/snmp4j _______________________________________________ SNMP4J mailing list [email protected] http://lists.agentpp.org/mailman/listinfo/snmp4j
