[AGENT++] SNMP V3 get issue.
Frank Fock
fock at agentpp.com
Fri May 4 00:00:45 CEST 2018
Hi Christian,
For noAuth SNMPv3 messages one can do (implement) this shortcut without undermining security, because there is none. But that was not the case in your example.
For the authNoPriv and authPriv security levels, accepting the engine time and boots of the first response could lead to successful replay attacks, because a non-authenticated command responder (man-in-the-middle) could resend a previously captured packet as the response.
That is why SNMP++ (and SNMP4J by default) send a second, then authenticated, message if the first report is NOT authenticated. So the observed behaviour primarily depends on the command responder.
The additional network load is in almost all cases not relevant (otherwise it would not have been defined in the SNMPv3 standard that way), because after the first payload PDU, the engine ID and time values are cached locally and do not need to be exchanged again, unless one of the SNMP entities is rebooted or the local times of those entities diverge by more than 1.5 seconds.
Hope this helps anyway.
Best regards,
Frank
> On 3. May 2018, at 21:42, Cristian Saavedra <cristianpsg at gmail.com> wrote:
>
> Hi Frank, community
>
> I need your expertise with a snmp v3 request issue I'm facing.
>
> I'm creating an application to poll multiple agents concurrently.
>
> I noticed while sniffing the traffic that the library sends an extra get request with the right EngineId but with an empty EngineBoots: 0 and EngineTime: 0 after it has received the correct values with the usmStatsUnknownEngineIDs.0 packet, then the agent replies with a usmStatsNotInTimeWindows.0 packet and after that the library sends the well-formed get request.
>
> I did the testing with the get console example, to make sure it was not something produced by my code.
>
> I also have done the same test with a net-snmp get command and it doesn't send this extra packet; it uses the values coming from usmStatsUnknownEngineIDs on the first reply to build the correct get request.
>
> I'm just wondering at this point if this behavior can be changed, so the get request can be correctly built with the first usmStatsUnknownEngineIDs information. My concern is that, with the way it is working, it will flood the network with unnecessary packets; this also makes the process of retrieving the information slower, especially when the PDU load is big and the request gets split.
>
> Any advice will be helpful.
>
>
> Best Regards,
> Cristian Saavedra
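The discovery sequence Frank describes above, as an added simulation that is not SNMP++ or SNMP4J code: a command generator learns the engine ID from the unauthenticated usmStatsUnknownEngineIDs report but, at authNoPriv/authPriv, adopts engine boots/time only from the authenticated usmStatsNotInTimeWindows report, which is why the second message carries boots 0 / time 0. The HMAC, the message dictionaries, the engine values and the key are constructed stand-ins for the USM wire format, not the real encoding.

```python
import hashlib, hmac, json
NO_AUTH, AUTH = 0, 1            # noAuthNoPriv vs. authNoPriv/authPriv (the time-window rule is the same)
TIME_WINDOW = 150               # seconds, the RFC 3414 time window for authenticated messages
UNKNOWN_ENGINE_ID, NOT_IN_TIME_WINDOW, RESPONSE = "unknownEngineID", "notInTimeWindow", "response"

def mac(msg, key):
    """HMAC over every field but the MAC itself; stands in for the USM authentication protocol."""
    body = json.dumps({k: v for k, v in msg.items() if k != "mac"}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def authenticated(msg, key):
    return "mac" in msg and hmac.compare_digest(msg["mac"], mac(msg, key))

class Responder:
    """Authoritative engine (agent): the engine ID is handed out unauthenticated, boots/time only authenticated."""
    def __init__(self, engine_id, boots, time, key):
        self.engine_id, self.boots, self.time, self.key = engine_id, boots, time, key
    def report(self, kind, auth):
        r = {"kind": kind, "engine_id": self.engine_id, "boots": self.boots, "time": self.time}
        return {**r, "mac": mac(r, self.key)} if auth else r
    def handle(self, msg):
        if msg["engine_id"] != self.engine_id:      # step 1: usmStatsUnknownEngineIDs, sent noAuthNoPriv
            return self.report(UNKNOWN_ENGINE_ID, auth=False)
        if "mac" in msg and not authenticated(msg, self.key):
            return None                             # usmStatsWrongDigests: the message is dropped
        if msg["boots"] != self.boots or abs(msg["time"] - self.time) > TIME_WINDOW:
            return self.report(NOT_IN_TIME_WINDOW, auth="mac" in msg)   # step 2: authenticated reply
        return self.report(RESPONSE, auth="mac" in msg)

class Manager:
    """Non-authoritative engine with the SNMP++ rule: adopt boots/time only from an authenticated report."""
    def __init__(self, level, key):
        self.level, self.key = level, key
        self.engine_id, self.boots, self.time = "", 0, 0
    def get(self, send):
        """Send a GET and follow reports as SNMP++ does; returns how many messages that took."""
        for sent in range(1, 5):
            msg = {"engine_id": self.engine_id, "boots": self.boots, "time": self.time, "pdu": "get"}
            if self.level == AUTH and self.engine_id:
                msg["mac"] = mac(msg, self.key)     # authenticated as soon as the engine ID is known
            reply = send(msg)
            if reply is None:
                raise RuntimeError("authentication failure")
            if reply["kind"] == RESPONSE:
                return sent
            self.engine_id = reply["engine_id"]     # at noAuth level there is nothing to protect:
            if self.level == NO_AUTH or authenticated(reply, self.key):   # take the first report's values
                self.boots, self.time = reply["boots"], reply["time"]
        raise RuntimeError("discovery did not converge")
```

Once the first payload PDU has been answered, the cached engine ID, boots and time let every later `get` succeed in a single message, which is the caching behaviour Frank points out.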