[AGENT++] SNMP++ library not compliant with RFC 3414 standards (Replay Protection)

Thuse, Saurabh Saurabh_Thuse at bmc.com
Fri Sep 28 14:48:18 CEST 2018


Hello Team,

Recently we have observed that the SNMP++ library is not compliant with the RFC 3414 standard.

Please go through the RFC standard for Replay Protection: https://tools.ietf.org/html/rfc3414#page-14

We have network devices which are configured for SNMPv3 with replay protection.

When we test SNMP++ using the library test utilities (snmpWalk, snmpGet, snmpBulk), the result always fails.

Please refer to the packet capture below, which shows the issue that the SNMP++ library is not storing EngineBoots and EngineTime. This violates the RFC standard.

Trace: Entuity <> FortiMailXX (SNMP server)


  1.  First sync request: Engine ID not known, so EngineBoots and EngineTime are set to 0, which is fine.


1 0.000000 62.134.223.3 10.209.150.141 SNMP 104 get-request
Frame 1: 104 bytes on wire (832 bits), 104 bytes captured (832 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 62.134.223.3, Dst: 10.209.150.141
User Datagram Protocol, Src Port: 55365, Dst Port: 161
Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 12158
msgMaxSize: 65507
msgFlags: 04
.... .1.. = Reportable: Set
.... ..0. = Encrypted: Not set
.... ...0 = Authenticated: Not set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: <MISSING>
msgAuthoritativeEngineBoots: 0
msgAuthoritativeEngineTime: 0
msgUserName:
msgAuthenticationParameters: <MISSING>
msgPrivacyParameters: <MISSING>
msgData: plaintext (0)
plaintext
contextEngineID: <MISSING>
contextName:
data: get-request (0)
get-request
request-id: 4812
error-status: noError (0)
error-index: 0
variable-bindings: 0 items



  2.  The agent then sends its Engine ID along with EngineBoots and EngineTime.


2 0.000113 10.209.150.141 62.134.223.3 SNMP 164 report 1.3.6.1.6.3.15.1.1.4.0
Frame 2: 164 bytes on wire (1312 bits), 164 bytes captured (1312 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 10.209.150.141, Dst: 62.134.223.3
User Datagram Protocol, Src Port: 161, Dst Port: 55365
Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 12158
msgMaxSize: 65507
msgFlags: 00
.... .0.. = Reportable: Not set
.... ..0. = Encrypted: Not set
.... ...0 = Authenticated: Not set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 8000304404464534303043334d3133303030323239
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: Fortinet, Inc. (12356)
Engine ID Format: Text, administratively assigned (4)
Engine ID Data: Text: FE400C3M13000229
msgAuthoritativeEngineBoots: 9
msgAuthoritativeEngineTime: 771
msgUserName:
msgAuthenticationParameters: <MISSING>
msgPrivacyParameters: <MISSING>
msgData: plaintext (0)
plaintext
contextEngineID: 8000304404464534303043334d3133303030323239
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: Fortinet, Inc. (12356)
Engine ID Format: Text, administratively assigned (4)
Engine ID Data: Text: FE400C3M13000229
contextName:
data: report (8)
report
request-id: 4812
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
1.3.6.1.6.3.15.1.1.4.0: 0
Object Name: 1.3.6.1.6.3.15.1.1.4.0 (iso.3.6.1.6.3.15.1.1.4.0)
Value (Counter32): 0



  3.  Now it is expected that for the next subsequent request you will use the given Engine ID along with EngineBoots and EngineTime. However, the library does not, and hence the agent drops the next request due to Replay Protection.


3 0.023901 62.134.223.3 10.209.150.141 SNMP 198 get-request 1.3.6.1.2.1.1.2.0
Frame 3: 198 bytes on wire (1584 bits), 198 bytes captured (1584 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 62.134.223.3, Dst: 10.209.150.141
User Datagram Protocol, Src Port: 55366, Dst Port: 161
Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 12159
msgMaxSize: 65507
msgFlags: 07
.... .1.. = Reportable: Set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 8000304404464534303043334d3133303030323239
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: Fortinet, Inc. (12356)
Engine ID Format: Text, administratively assigned (4)
Engine ID Data: Text: FE400C3M13000229
msgAuthoritativeEngineBoots: 0 <--- should be "9"
msgAuthoritativeEngineTime: 0 <--- should be "771"
msgUserName: sa-entuity-snmp
msgAuthenticationParameters: 62462e4b6e6da6b766bd0cf5
[Authentication: OK]
[Expert Info (Chat/Checksum): SNMP Authentication OK]
[SNMP Authentication OK]
[Severity level: Chat]
[Group: Checksum]
msgPrivacyParameters: dbb4416fc1f17b25
msgData: encryptedPDU (1)
encryptedPDU: 00caeb47d8ff0e20d50cb323e76b04ab1abdac831eb61c68...
Decrypted ScopedPDU: 303504158000304404464534303043334d31333030303232...
contextEngineID: 8000304404464534303043334d3133303030323239
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: Fortinet, Inc. (12356)
Engine ID Format: Text, administratively assigned (4)
Engine ID Data: Text: FE400C3M13000229
contextName:
data: get-request (0)
get-request
request-id: 4813
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
1.3.6.1.2.1.1.2.0: Value (Null)
Object Name: 1.3.6.1.2.1.1.2.0 (iso.3.6.1.2.1.1.2.0)
Value (Null)


Is this a known issue with the library? If yes, is there any fix available? If not, can we get a fix from the library to handle this?


Thanks,
Saurabh Thuse
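The exchange described in the post, modelled as an added example: this is not code from the post, from SNMP++ or from AGENT++, and the class and function names (UsmMessage, AuthoritativeEngine, ManagerLcd, in_time_window, trace_outcomes) are my own. The engine ID, EngineBoots (9) and EngineTime (771) are copied from frame 2 of the trace; the 150-second window and the 2^31-1 boots latch are the values RFC 3414 section 2.3 prescribes. The model covers only the authoritative engine's timeliness check and the manager-side cache (the LCD) that the RFC requires the non-authoritative side to keep; it omits the manager's own check of incoming responses.

```python
"""Model of the RFC 3414 USM timeliness (replay protection) exchange seen in the trace."""
from dataclasses import dataclass, field

MAX_BOOTS = 2**31 - 1   # RFC 3414 s.2.3: once boots latches at this value the engine refuses everything
TIME_WINDOW = 150       # seconds; RFC 3414 s.2.3 timeliness window

# Values copied from the report PDU in frame 2 of the trace.
TRACE_ENGINE_ID = bytes.fromhex("8000304404464534303043334d3133303030323239")
TRACE_BOOTS = 9
TRACE_TIME = 771


@dataclass
class UsmMessage:
    """The USM security parameters a manager puts in every SNMPv3 message."""
    engine_id: bytes        # msgAuthoritativeEngineID (empty during discovery)
    boots: int              # msgAuthoritativeEngineBoots
    time: int               # msgAuthoritativeEngineTime
    authenticated: bool     # msgFlags authFlag


def in_time_window(engine_boots: int, engine_time: int, msg_boots: int, msg_time: int) -> bool:
    """RFC 3414 s.3.2 step 7b, as applied by the authoritative (agent) engine."""
    if engine_boots == MAX_BOOTS:
        return False
    return msg_boots == engine_boots and abs(engine_time - msg_time) <= TIME_WINDOW


@dataclass
class AuthoritativeEngine:
    """Agent side (hypothetical model): owns snmpEngineBoots / snmpEngineTime."""
    engine_id: bytes
    boots: int
    time: int

    def _report(self, reason: str):
        # A report PDU carries the engine's current ID, boots and time so the
        # manager can (re)synchronise; this is what frame 2 in the trace shows.
        return reason, UsmMessage(self.engine_id, self.boots, self.time, authenticated=False)

    def process(self, msg: UsmMessage):
        if msg.engine_id != self.engine_id:
            return self._report("report:unknownEngineID")       # frames 1 -> 2
        if msg.authenticated and not in_time_window(self.boots, self.time, msg.boots, msg.time):
            return self._report("report:notInTimeWindow")       # frame 3 as captured
        return "ok", None


@dataclass
class ManagerLcd:
    """Manager side: the per-engine cache of (boots, time) that RFC 3414 s.2.3 requires."""
    known: dict = field(default_factory=dict)

    def learn(self, report: UsmMessage) -> None:
        self.known[report.engine_id] = (report.boots, report.time)

    def build_request(self, engine_id: bytes) -> UsmMessage:
        boots, time = self.known.get(engine_id, (0, 0))   # (0, 0) only before discovery
        return UsmMessage(engine_id, boots, time, authenticated=True)


def send(agent: AuthoritativeEngine, lcd: ManagerLcd, msg: UsmMessage) -> str:
    """Deliver one message; on any report the manager refreshes its LCD as the RFC expects."""
    status, report = agent.process(msg)
    if report is not None:
        lcd.learn(report)
    return status


def trace_outcomes() -> dict:
    """Replay the three frames of the trace, then the request RFC 3414 expects instead."""
    agent = AuthoritativeEngine(TRACE_ENGINE_ID, TRACE_BOOTS, TRACE_TIME)
    lcd = ManagerLcd()
    out = {}
    # Frame 1: discovery with empty engine ID and boots/time = 0 (correct behaviour).
    out["frame1"] = send(agent, lcd, UsmMessage(b"", 0, 0, authenticated=False))
    out["lcd_after_report"] = lcd.known[TRACE_ENGINE_ID]                 # learned from frame 2
    # Frame 3 as captured: right engine ID, but boots/time still 0 -> dropped.
    out["frame3_as_captured"] = send(agent, lcd, UsmMessage(TRACE_ENGINE_ID, 0, 0, True))
    # Frame 3 as RFC 3414 expects: values copied from the LCD -> accepted.
    out["frame3_from_lcd"] = send(agent, lcd, lcd.build_request(TRACE_ENGINE_ID))
    # Cached time older than the 150 s window: agent reports, manager resynchronises.
    agent.time += TIME_WINDOW + 1
    out["drifted"] = send(agent, lcd, lcd.build_request(TRACE_ENGINE_ID))
    out["resynced"] = send(agent, lcd, lcd.build_request(TRACE_ENGINE_ID))
    return out


if __name__ == "__main__":
    for name, result in trace_outcomes().items():
        print(f"{name}: {result}")
```

The model also explains why Wireshark marks frame 3 as "[Authentication: OK]" even though the agent drops it: the localized authentication key depends on the engine ID, which the manager did learn, so the HMAC verifies; it is only the boots/time timeliness check that fails. A manager implementation therefore has to persist the (boots, time) pair per engine ID after every report, not just the engine ID itself.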



More information about the AGENTPP mailing list