Hi Brian,

Well, why are you using SNMPv3 then? Without security, SNMPv1 is sufficient. The Engine ID Discovery can be disabled in SNMP4J to not accidentally learn a wrong engine ID.

Best regards,
Frank

On 10.08.2010 at 22:13, Brian Weaver <[email protected]> wrote:

> OK, I'll give you that it might be insecure, but if you are going to
> yell "insecure" then why even accept the Engine ID from initial
> query? If someone is monitoring traffic (man in the middle) is it
> not just as likely they can give you the wrong Engine ID too?
>
> Regards,
>
> Brian
>
> On Aug 10, 2010, at 3:54 PM, Jochen Katz wrote:
>
>> Hi,
>>
>> please see Frank's recent response with subject "Initial SNMPv3
>> handshake extra step?"
>>
>>> Can SNMP4J be configured to have similar behavior? Not only is the
>>> Net-SNMP behavior more efficient
>>
>> but also it is insecure! If you are using SNMPv3 without
>> authentication, the NET-SNMP behaviour is ok, as everybody who is
>> able to sniff and insert packets can send valid responses.
>>
>> But if you are using authentication, the NET-SNMP behaviour allows an
>> attacker to prevent all communication between agent and manager. He
>> just has to answer with an unknownEngineID report with very high boot
>> counter. If the manager accepts this unauthenticated report it won't
>> be able to communicate with the agent.
>>
>> Regards,
>> Jochen
>> _______________________________________________
>> SNMP4J mailing list
>> [email protected]
>> http://lists.agentpp.org/mailman/listinfo/snmp4j
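The failure mode discussed in this thread can be modelled with the RFC 3414 timeliness rules for a manager (non-authoritative engine). This is an added example, not code from the thread, SNMP4J or Net-SNMP; the class and function names are hypothetical and the boots/time values are constructed.

```python
from dataclasses import dataclass

MAX_BOOTS = 2147483647   # RFC 3414: an engine at this boots value is latched
WINDOW = 150             # RFC 3414 time window, in seconds


@dataclass
class EngineTimeEntry:
    """Manager's local notion of one agent's engine boots and engine time."""
    accept_unauthenticated: bool   # True models the behaviour criticised above
    boots: int = 0
    time: int = 0

    def learn(self, msg_boots, msg_time, authenticated):
        """Update the local notion from a received message; True if it changed."""
        if not authenticated and not self.accept_unauthenticated:
            return False           # RFC 3414 updates only from authentic messages
        newer = msg_boots > self.boots or (
            msg_boots == self.boots and msg_time > self.time)
        if newer:
            self.boots, self.time = msg_boots, msg_time
        return newer

    def in_time_window(self, msg_boots, msg_time):
        """Timeliness check the manager applies to an authenticated message."""
        if self.boots == MAX_BOOTS or msg_boots < self.boots:
            return False
        return not (msg_boots == self.boots and msg_time < self.time - WINDOW)


def simulate(accept_unauthenticated):
    """Constructed scenario: the agent really is at boots=5, time=1000."""
    entry = EngineTimeEntry(accept_unauthenticated)
    entry.learn(5, 1000, authenticated=True)        # genuine authenticated report
    entry.learn(1_000_000, 0, authenticated=False)  # unauthenticated, huge boots
    # Next genuine, authenticated response from the agent, 10 seconds later:
    return entry.boots, entry.in_time_window(5, 1010)


if __name__ == "__main__":
    print("accepting unauthenticated reports:", simulate(True))
    print("authenticated updates only:       ", simulate(False))
```

With unauthenticated updates accepted, the manager's boots value jumps ahead of the real agent and every later genuine response fails the time-window check; with authenticated-only updates the forged report is ignored.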
