[AGENT++] SNMP++ library not compliant with RFC 3414 standards (Replay Protection)

Frank Fock fock at agentpp.com
Fri Sep 28 22:43:24 CEST 2018


Hello Saurabh,

As Jochen already pointed out (he was just a bit faster than me, but maybe my comments still help to clarify the situation):

Please read RFC 3414 carefully. The SNMP++ library is conformant, but it seems that the agent is not.
The first request sent by SNMP++ is for getting the engine ID (engine ID discovery).
The agent responds with engine boots and time, but these values cannot be trusted by the command generator because they are not authentic (no security name, no authentication key to verify).
Therefore the SNMP++ command responder is obliged to send a new request with engine boots and time set to zero with the authentication key and corresponding security name.

The agent should respond with the correct engine time and boots value with authentication information and the matching security level.

From my point of view the agent should be fixed (or configured differently).

Best regards,
Frank
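The exchange Frank describes, as an added example that is not code from SNMP++ or from either mail: a small Python model of the RFC 3414 USM time-synchronization rules on both sides, showing why the third message legitimately carries boots/time 0/0 and what a conformant agent answers. The engine ID, key, boots and time values are constructed to mirror the capture, and the HMAC covers only the time fields as a stand-in for real USM authentication.

```python
import hmac, hashlib
from dataclasses import dataclass
NOT_IN_TIME_WINDOWS = "1.3.6.1.6.3.15.1.1.2.0"  # usmStatsNotInTimeWindows
UNKNOWN_ENGINE_IDS = "1.3.6.1.6.3.15.1.1.4.0"   # usmStatsUnknownEngineIDs (frame 2 above)
TIME_WINDOW = 150                                # seconds, RFC 3414 section 2.3
@dataclass
class Msg:  # only the USM header fields that matter for time synchronization
    engine_id: bytes
    boots: int
    time: int
    mac: bytes = b""  # empty = noAuth (constructed simplification)
def sign(key: bytes, m: Msg) -> Msg:
    """Toy HMAC over the time fields; real USM authenticates the whole wire message."""
    d = hmac.new(key, b"%s|%d|%d" % (m.engine_id, m.boots, m.time), hashlib.sha1).digest()
    return Msg(m.engine_id, m.boots, m.time, d[:12])
def authentic(key: bytes, m: Msg) -> bool:
    return bool(m.mac) and hmac.compare_digest(sign(key, m).mac, m.mac)
class Agent:
    """Authoritative engine (RFC 3414 section 3.2, steps 3 and 7)."""
    def __init__(self, engine_id, boots, time, key):
        self.engine_id, self.boots, self.time, self.key = engine_id, boots, time, key
    def receive(self, m: Msg):
        mine = Msg(self.engine_id, self.boots, self.time)
        if m.engine_id != self.engine_id:  # discovery: answer with an UNauthenticated report
            return ("report", UNKNOWN_ENGINE_IDS, mine)
        if m.mac and not authentic(self.key, m):
            return ("drop", "wrongDigest", None)
        stale = m.boots != self.boots or abs(m.time - self.time) > TIME_WINDOW
        if m.mac and stale:  # authentic but outside the window: AUTHENTICATED report, not a drop
            return ("report", NOT_IN_TIME_WINDOWS, sign(self.key, mine))
        return ("response", None, sign(self.key, mine))
class Manager:
    """Non-authoritative engine: LCD boots/time change only on authentic messages (section 2.3)."""
    def __init__(self, key):
        self.key, self.engine_id, self.boots, self.time = key, b"", 0, 0
    def learn(self, m: Msg):
        self.engine_id = m.engine_id
        if authentic(self.key, m) and (m.boots, m.time) > (self.boots, self.time):
            self.boots, self.time = m.boots, m.time
    def request(self) -> Msg:  # frame 1: empty engine ID, 0/0, noAuth; afterwards: signed
        return sign(self.key, Msg(self.engine_id, self.boots, self.time)) if self.engine_id else Msg(b"", 0, 0)
def run(agent, mgr, rounds=4):
    """Drive the exchange until the agent answers; returns (kind, report OID) per round."""
    trace = []
    for _ in range(rounds):
        kind, oid, reply = agent.receive(mgr.request())
        trace.append((kind, oid))
        if reply is not None: mgr.learn(reply)
        if kind == "response": return trace
    return trace
```

With the constructed values the trace is unknownEngineID report, notInTimeWindow report, then the real response, and the manager's cache only moves to 9/771 after the authenticated report.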

> On 28. Sep 2018, at 14:48, Thuse, Saurabh <Saurabh_Thuse at bmc.com> wrote:
> 
> Hello Team,
> 
> Recently we have observed that the SNMP++ library is not compliant with RFC 3414 standards.
> 
> Please go through the RFC standards for Replay Protection: https://tools.ietf.org/html/rfc3414#page-14
> 
> We have Network Devices which are configured for SNMP V3 with replay protection.
> 
> When we are doing testing of SNMP++ using the library test utilities (snmpWalk, snmpGet, snmpBulk), the result always fails.
> 
> Please refer to the packet capture below, which shows the issue that the SNMP++ library is not storing EngineBoots and EngineTime. This violates RFC standards.
> 
> Trace: Entuity <> FortiMailXX (SNMP server)
> 
> 
> 1. First sync request: Engine ID not known, so EngineBoots and EngineTime are set to 0, which is fine.
> 
> 
> 1 0.000000 62.134.223.3 10.209.150.141 SNMP 104 get-request
> Frame 1: 104 bytes on wire (832 bits), 104 bytes captured (832 bits)
> Linux cooked capture
> Internet Protocol Version 4, Src: 62.134.223.3, Dst: 10.209.150.141
> User Datagram Protocol, Src Port: 55365, Dst Port: 161
> Simple Network Management Protocol
> msgVersion: snmpv3 (3)
> msgGlobalData
> msgID: 12158
> msgMaxSize: 65507
> msgFlags: 04
> .... .1.. = Reportable: Set
> .... ..0. = Encrypted: Not set
> .... ...0 = Authenticated: Not set
> msgSecurityModel: USM (3)
> msgAuthoritativeEngineID: <MISSING>
> msgAuthoritativeEngineBoots: 0
> msgAuthoritativeEngineTime: 0
> msgUserName:
> msgAuthenticationParameters: <MISSING>
> msgPrivacyParameters: <MISSING>
> msgData: plaintext (0)
> plaintext
> contextEngineID: <MISSING>
> contextName:
> data: get-request (0)
> get-request
> request-id: 4812
> error-status: noError (0)
> error-index: 0
> variable-bindings: 0 items
> 
> 
> 
> 2. The agent then sends its Engine ID along with EngineBoots and EngineTime.
> 
> 
> 2 0.000113 10.209.150.141 62.134.223.3 SNMP 164 report 1.3.6.1.6.3.15.1.1.4.0
> Frame 2: 164 bytes on wire (1312 bits), 164 bytes captured (1312 bits)
> Linux cooked capture
> Internet Protocol Version 4, Src: 10.209.150.141, Dst: 62.134.223.3
> User Datagram Protocol, Src Port: 161, Dst Port: 55365
> Simple Network Management Protocol
> msgVersion: snmpv3 (3)
> msgGlobalData
> msgID: 12158
> msgMaxSize: 65507
> msgFlags: 00
> .... .0.. = Reportable: Not set
> .... ..0. = Encrypted: Not set
> .... ...0 = Authenticated: Not set
> msgSecurityModel: USM (3)
> msgAuthoritativeEngineID: 8000304404464534303043334d3133303030323239
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> Engine Enterprise ID: Fortinet, Inc. (12356)
> Engine ID Format: Text, administratively assigned (4)
> Engine ID Data: Text: FE400C3M13000229
> msgAuthoritativeEngineBoots: 9
> msgAuthoritativeEngineTime: 771
> msgUserName:
> msgAuthenticationParameters: <MISSING>
> msgPrivacyParameters: <MISSING>
> msgData: plaintext (0)
> plaintext
> contextEngineID: 8000304404464534303043334d3133303030323239
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> Engine Enterprise ID: Fortinet, Inc. (12356)
> Engine ID Format: Text, administratively assigned (4)
> Engine ID Data: Text: FE400C3M13000229
> contextName:
> data: report (8)
> report
> request-id: 4812
> error-status: noError (0)
> error-index: 0
> variable-bindings: 1 item
> 1.3.6.1.6.3.15.1.1.4.0: 0
> Object Name: 1.3.6.1.6.3.15.1.1.4.0 (iso.3.6.1.6.3.15.1.1.4.0)
> Value (Counter32): 0
> 
> 
> 
> 3. Now it is expected that for the next subsequent request you will use the given Engine ID along with EngineBoots and EngineTime. However, the library does not, and hence the agent drops the next request due to Replay Protection.
> 
> 
> 3 0.023901 62.134.223.3 10.209.150.141 SNMP 198 get-request 1.3.6.1.2.1.1.2.0
> Frame 3: 198 bytes on wire (1584 bits), 198 bytes captured (1584 bits)
> Linux cooked capture
> Internet Protocol Version 4, Src: 62.134.223.3, Dst: 10.209.150.141
> User Datagram Protocol, Src Port: 55366, Dst Port: 161
> Simple Network Management Protocol
> msgVersion: snmpv3 (3)
> msgGlobalData
> msgID: 12159
> msgMaxSize: 65507
> msgFlags: 07
> .... .1.. = Reportable: Set
> .... ..1. = Encrypted: Set
> .... ...1 = Authenticated: Set
> msgSecurityModel: USM (3)
> msgAuthoritativeEngineID: 8000304404464534303043334d3133303030323239
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> Engine Enterprise ID: Fortinet, Inc. (12356)
> Engine ID Format: Text, administratively assigned (4)
> Engine ID Data: Text: FE400C3M13000229
> msgAuthoritativeEngineBoots: 0 <--- should be "9"
> msgAuthoritativeEngineTime: 0 <--- should be "771"
> msgUserName: sa-entuity-snmp
> msgAuthenticationParameters: 62462e4b6e6da6b766bd0cf5
> [Authentication: OK]
> [Expert Info (Chat/Checksum): SNMP Authentication OK]
> [SNMP Authentication OK]
> [Severity level: Chat]
> [Group: Checksum]
> msgPrivacyParameters: dbb4416fc1f17b25
> msgData: encryptedPDU (1)
> encryptedPDU: 00caeb47d8ff0e20d50cb323e76b04ab1abdac831eb61c68...
> Decrypted ScopedPDU: 303504158000304404464534303043334d31333030303232...
> contextEngineID: 8000304404464534303043334d3133303030323239
> 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
> Engine Enterprise ID: Fortinet, Inc. (12356)
> Engine ID Format: Text, administratively assigned (4)
> Engine ID Data: Text: FE400C3M13000229
> contextName:
> data: get-request (0)
> get-request
> request-id: 4813
> error-status: noError (0)
> error-index: 0
> variable-bindings: 1 item
> 1.3.6.1.2.1.1.2.0: Value (Null)
> Object Name: 1.3.6.1.2.1.1.2.0 (iso.3.6.1.2.1.1.2.0)
> Value (Null)
> 
> 
> Is this a known issue with the library? If yes, is there any fix available? If not, can we get a fix from the library to handle this?
> 
> 
> Thanks,
> Saurabh Thuse
> 
> _______________________________________________
> AGENTPP mailing list
> AGENTPP at agentpp.org
> https://oosnmp.net/mailman/listinfo/agentpp
