[AGENT++] SNMP++ library not compliant with RFC 3414 standards (Replay Protection)

Jochen Katz katz at agentpp.com
Fri Sep 28 22:39:42 CEST 2018


Hello,

>   1.  First sync request : Engine ID not known so EngineBoots and EngineTime are set to 0 which is fine.

Ok.

>   2.  Agent then sends its Engine ID along with EngineBoots and EngineTime
> .... ..0. = Encrypted: Not set
> .... ...0 = Authenticated: Not set

As the message is sent using securityLevel noAuthNoPriv, the time values
are dropped/ignored by snmp++.

>   3.  Now it is expected that for the next subsequent request you will use the given Engine ID along with EngineBoots and EngineTime. However, the library does not, and hence the Agent drops the next request due to Replay Protection.

This is an error in the agent. The agent as authoritative SNMP entity
should reply with a not in time window report (as stated in
https://tools.ietf.org/html/rfc3414#page-28 step 7 a). This report can
be authenticated by snmp++ and then snmp++ will accept the time values
from the report and resend the request with the right time values.

> Is this known issue with library? If yes is there any fix available? If not can we get fix from library to handle this?

I know that other tools take the time values from the first report.
Until today I thought "ok, you can do that, but you are not forced to do
it". After re-reading the RFC I think that snmp++ is right and the
others are doing it wrong:
- The time processing in step 7 is only done for authentic messages. The
unknownEngineId report is not an authentic message and therefore the
time values cannot be processed.
- The chapter "4. Discovery" states that time synchronization takes
place with an authenticated message and time values set to zero.

You might work around this by adding the engineId of the agent to the
v3MP (add a call to v3MP::add_to_engine_id_table() to the command line
tools). If this does not help, you will have to use noAuthNoPriv
securityLevel until the agent has been fixed.

Regards,
  Jochen
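The discovery and time-synchronisation exchange discussed above, as an added example that is not part of the original mail and not code from snmp++ or AGENT++: a small Python model of the RFC 3414 USM rules in which the manager follows the rule Jochen describes (time values are taken only from an authenticated report, never from the unauthenticated unknownEngineID report), and the agent either answers an out-of-window authenticated request with an authenticated notInTimeWindow report (RFC 3414 section 3.2 step 7 a) or silently drops it, as the agent in the thread does. The class and function names, the engine ID and the boots/time values are my own constructed inputs; the 150-second window is the value RFC 3414 section 3.2 step 7 specifies.

```python
"""Model of the RFC 3414 USM engine-ID discovery and time-synchronisation
exchange (added example; not snmp++ / AGENT++ code, names are my own)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TIME_WINDOW = 150  # seconds, RFC 3414 section 3.2 step 7


@dataclass
class Msg:
    engine_id: bytes
    boots: int
    time: int
    authenticated: bool           # msgFlags authFlag
    report: Optional[str] = None  # usmStats counter named in a Report PDU, else None


@dataclass
class Agent:
    """Authoritative engine. rfc_reports=False models the agent in the thread."""
    engine_id: bytes
    boots: int
    time: int
    rfc_reports: bool = True

    def handle(self, req: Msg) -> Optional[Msg]:
        # RFC 3414 3.2 step 3: unknown engine ID -> unauthenticated report
        # that carries the agent's engine ID (and its time values).
        if req.engine_id != self.engine_id:
            return Msg(self.engine_id, self.boots, self.time, False, "usmStatsUnknownEngineIDs")
        # Step 7 a: timeliness is checked only for authenticated messages.
        if req.authenticated:
            in_window = (self.boots != 2**31 - 1 and req.boots == self.boots
                         and abs(req.time - self.time) <= TIME_WINDOW)
            if not in_window:
                if self.rfc_reports:
                    # RFC behaviour: authenticated notInTimeWindow report with the real values.
                    return Msg(self.engine_id, self.boots, self.time, True, "usmStatsNotInTimeWindows")
                return None  # the agent in the thread: silent drop ("replay protection")
        return Msg(self.engine_id, self.boots, self.time, req.authenticated)  # Response PDU


@dataclass
class Manager:
    """Non-authoritative engine following the rule snmp++ applies per the thread.
    Pre-setting engine_id mirrors the v3MP::add_to_engine_id_table() workaround."""
    authenticated: bool
    engine_id: Optional[bytes] = None
    times: Dict[bytes, Tuple[int, int]] = field(default_factory=dict)

    def build_request(self) -> Msg:
        eid = self.engine_id or b""
        boots, time = self.times.get(eid, (0, 0))  # zero until synchronised (RFC 3414 ch. 4)
        return Msg(eid, boots, time, self.authenticated)

    def learn(self, rep: Msg) -> None:
        if rep.report == "usmStatsUnknownEngineIDs":
            self.engine_id = rep.engine_id  # not authentic: its time values are ignored
        elif rep.report == "usmStatsNotInTimeWindows" and rep.authenticated:
            self.times[rep.engine_id] = (rep.boots, rep.time)


def exchange(manager: Manager, agent: Agent, max_rounds: int = 4) -> Tuple[str, List[str]]:
    """Drive the manager until it gets a Response, is dropped, or gives up.
    Returns (outcome, transcript); outcome is 'response', 'dropped' or 'loop'."""
    transcript: List[str] = []
    for _ in range(max_rounds):
        req = manager.build_request()
        transcript.append(f"M->A engine={req.engine_id.hex() or '-'} boots={req.boots} "
                          f"time={req.time} auth={req.authenticated}")
        rep = agent.handle(req)
        if rep is None:
            transcript.append("A->M (silently dropped)")
            return "dropped", transcript
        transcript.append(f"A->M {rep.report or 'Response'} boots={rep.boots} "
                          f"time={rep.time} auth={rep.authenticated}")
        if rep.report is None:
            return "response", transcript
        manager.learn(rep)
    return "loop", transcript


# Constructed sample agent: an arbitrary engine ID, 3 reboots, 2 hours up.
ENGINE_ID = bytes.fromhex("80001370c0a80001")
AGENT_ARGS = dict(engine_id=ENGINE_ID, boots=3, time=7200)


def demo() -> Dict[str, str]:
    """Outcomes of the four situations discussed in the thread."""
    return {
        "rfc_agent_authNoPriv": exchange(Manager(True), Agent(**AGENT_ARGS))[0],
        "buggy_agent_authNoPriv": exchange(Manager(True), Agent(rfc_reports=False, **AGENT_ARGS))[0],
        "buggy_agent_seeded_engine_id": exchange(Manager(True, ENGINE_ID), Agent(rfc_reports=False, **AGENT_ARGS))[0],
        "buggy_agent_noAuthNoPriv": exchange(Manager(False), Agent(rfc_reports=False, **AGENT_ARGS))[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
    for line in exchange(Manager(True), Agent(**AGENT_ARGS))[1]:
        print(line)
```

Against the RFC-conformant agent the transcript is three round trips: unauthenticated unknownEngineID report, authenticated request with boots/time 0 answered by an authenticated notInTimeWindow report, then the resent request with the learned values. Against the dropping agent the authenticated path stalls after the first report, whether or not the engine ID was seeded, and only noAuthNoPriv gets a Response, which is the fallback the mail recommends until the agent is fixed.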
