[SNMP4J] AuthenticationFailure notification with invalid V3 query

Vivi Zhang vzhang at anuesystems.com
Tue Nov 17 22:43:34 CET 2009


Frank:

Thanks for your response.

I am curious why you took the generation of the authenticationFailure 
trap away for V3, but not for the V2 or V1 authentication failure 
notification.  I downloaded the latest agent code, SNMP4J-Agent 1.3.2. 
It seems it still supports the V1 and V2c authenticationFailure.   Should we 
let the user choose whether he wants to have the authentication failure notification?

 From a coding point of view:
The API MPv3::prepareDataElements() associates the detailed error code with 
the msgId so that it can be put in the response PDU, and returns 
SnmpConstants.SNMP_MP_USM_ERROR in case the variable "status" is not 
SNMPv3_USM_OK.  If the API returned the error code in the variable "status" back 
to its caller, MessageDispatcherImpl::dispatchMessage() could fire an 
authentication failure event when the status is neither 
SNMPv3_USM_UNKNOWN_ENGINEID nor SNMPv3_USM_NOT_IN_TIME_WINDOW:
switch (status) {
  case SnmpConstants.SNMP_MP_UNSUPPORTED_SECURITY_MODEL:
  case SnmpConstants.SNMPv3_USM_UNSUPPORTED_SECURITY_LEVEL:
  case SnmpConstants.SNMPv3_USM_UNKNOWN_SECURITY_NAME:
  case SnmpConstants.SNMPv3_USM_ENCRYPTION_ERROR:
  case SnmpConstants.SNMPv3_USM_DECRYPTION_ERROR:
  case SnmpConstants.SNMPv3_USM_AUTHENTICATION_ERROR:
  case SnmpConstants.SNMPv3_USM_AUTHENTICATION_FAILURE: {
    // deliberately not listed: SNMPv3_USM_UNKNOWN_ENGINEID and
    // SNMPv3_USM_NOT_IN_TIME_WINDOW (both occur during normal discovery)
    AuthenticationFailureEvent event =
        new AuthenticationFailureEvent(this, incomingAddress,
                                       sourceTransport, status,
                                       wholeMessage);
    fireAuthenticationFailure(event);
    break;
  }
}
The switch statement does not list the unknown engine ID or timeliness 
error, since we don't want to send out an authentication failure trap for 
discovery.

Of course, we would also need to implement registering an authentication 
failure event listener, and sending the authentication notification when 
we receive the event.

Would this help us handle the authentication failure notification?

Vivi

Frank Fock wrote:
> Hi Vivi,
>
> I have removed the generation of the authenticationFailure
> trap in SNMP4J-Agent 1.3.1 to be more robust against DoS
> attacks. There is no benefit from having generated these
> traps.
>
> Regards,
> Frank
>
> Vivi Zhang wrote:
>> Frank:
>>
>> The email was sent Oct 28.  I have not seen a reply yet. I guess it got 
>> lost. Let me try again.
>>
>> I am trying to verify that SNMP4J will send out an authentication 
>> failure notification when it receives a query with a bad user name or 
>> a bad password. Is there a way to verify that the notification works with the 
>> SNMP4J test agent?
>>
>> I found a thread of conversation between you and Marek on: 
>> http://fixunix.com/snmp/64320-wrong-authorization-alarm-trap-usm.html
>> "Indeed, AGENT++ did not generate authenticationFailure notifications
>> on usmWrongDigest and usmNotInTimeWindow failures. I have fixed that bug
>> and you can download the new version from http://www.agentpp.com"
>>
>> I am using AgenPro 2.7.2, SNMP4J version 1.9.3c, and SNMP4J-Agent 
>> version 1.2.1d.  Does this version contain your fix? Or does this 
>> version contain this bug?  Is there any option I can choose during the 
>> code generation phase to enable the authentication failure notification?
>>
>> Could you explain which error codes will trigger the notification?
>>
>> Thanks for your help in advance.
>>
>> Vivi
>>
>> Vivi Zhang wrote:
>>> Frank:
>>>
>>> I wonder how to make a notification recipient receive an 
>>> authenticationFailure notification when an agent receives a query 
>>> with a bad user name or bad password. When the agent receives a v2 query 
>>> with a bad community string, the API SNMPv2Mib::incrementCounter() 
>>> calls the notify API and sends out notifications.   But when the agent 
>>> receives a v3 query with a bad username,  no notification is sent out.
>>>
>>> I am using SNMP4J version 1.9.3c and SNMP4J-Agent version 
>>> 1.2.1d.
>>>
>>> This is my second question. According to CHANGES.txt on the snmp4j site:
>>>
>>> [2009-07-30] v1.3.1 (Requires SNMP4J v1.10.1)
>>> ....
>>> * Improved: Authentication failure traps are no longer
>>>  sent on usmNotInTimeWindow and usmUnknownEngineID
>>>  reports.
>>>
>>> I am wondering why?  If a user has a bad username, would that cause a 
>>> usmNotInTimeWindow error, since the second part of discovery requires 
>>> user credentials?
>>>
>>> Thanks.
>>>
>>> Vivi
>>>
>>>
>>>
>>
>
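
The dispatch decision Vivi sketches above (fire authenticationFailure on USM errors, but never on the unknownEngineID / notInTimeWindow reports that every legitimate discovery provokes), combined with one way to address Frank's DoS concern and Vivi's "let the user choose" question, as an added example. This is a small Python model written for this page, not SNMP4J or SNMP4J-Agent code: the status names mirror SnmpConstants but their numeric values, the addresses, the timestamps and the throttle limits (5 traps per source per 60 s) are constructed for the demo. The on/off switch models the standard snmpEnableAuthenTraps object of the SNMPv2-MIB (RFC 3418); the per-source throttle is an assumption about how one might keep an unauthenticated peer from turning the agent into a trap flood.

```python
"""Model of an agent deciding whether a USM error becomes an authenticationFailure trap.

Added example, not SNMP4J code. Numeric values below are constructed; only the
names follow SnmpConstants.
"""
from collections import deque
from enum import Enum


class UsmStatus(Enum):
    USM_OK = 0
    MP_UNSUPPORTED_SECURITY_MODEL = 1
    USM_UNSUPPORTED_SECURITY_LEVEL = 2
    USM_UNKNOWN_SECURITY_NAME = 3
    USM_AUTHENTICATION_FAILURE = 4      # wrong digest (bad password)
    USM_NOT_IN_TIME_WINDOW = 5
    USM_DECRYPTION_ERROR = 6
    USM_ENCRYPTION_ERROR = 7
    USM_UNKNOWN_ENGINEID = 8
    USM_AUTHENTICATION_ERROR = 9


# A manager that has never talked to this agent first gets an unknownEngineID
# report, then a notInTimeWindow report while it synchronises boots/time.
# Both are normal discovery traffic, so they never raise authenticationFailure.
DISCOVERY_STATUSES = frozenset({UsmStatus.USM_UNKNOWN_ENGINEID,
                                UsmStatus.USM_NOT_IN_TIME_WINDOW})


def should_notify(status: UsmStatus) -> bool:
    """Same filter as the switch statement in the mail: any USM error except discovery."""
    return status is not UsmStatus.USM_OK and status not in DISCOVERY_STATUSES


class AuthFailureNotifier:
    """Emits authenticationFailure traps, subject to an enable flag and a per-source cap."""

    def __init__(self, enabled: bool = True, max_per_window: int = 5,
                 window_seconds: float = 60.0):
        self.snmp_enable_authen_traps = enabled      # models RFC 3418 snmpEnableAuthenTraps
        self.max_per_window = max_per_window         # assumed throttle, per source address
        self.window = window_seconds
        self._recent = {}                            # source -> deque of send timestamps
        self.sent = []                               # (time, source, status name) emitted
        self.suppressed = 0                          # traps dropped by the throttle

    def on_usm_error(self, now: float, source: str, status: UsmStatus) -> bool:
        """Return True if a trap was emitted for this incoming message."""
        if not should_notify(status) or not self.snmp_enable_authen_traps:
            return False
        stamps = self._recent.setdefault(source, deque())
        while stamps and now - stamps[0] >= self.window:   # slide the window
            stamps.popleft()
        if len(stamps) >= self.max_per_window:
            self.suppressed += 1                            # counter still goes up, trap does not
            return False
        stamps.append(now)
        self.sent.append((now, source, status.name))
        return True


def run_demo() -> AuthFailureNotifier:
    """Constructed event stream: a real discovery, one typo, then a credential spray."""
    notifier = AuthFailureNotifier(max_per_window=5, window_seconds=60.0)
    events = [
        (0.0, "10.0.0.5", UsmStatus.USM_UNKNOWN_ENGINEID),       # discovery step 1
        (0.1, "10.0.0.5", UsmStatus.USM_NOT_IN_TIME_WINDOW),     # discovery step 2
        (0.2, "10.0.0.5", UsmStatus.USM_OK),                      # authenticated request
        (1.0, "10.0.0.9", UsmStatus.USM_UNKNOWN_SECURITY_NAME),  # one mistyped user name
    ]
    # 20 bad-digest requests within one second from a single unauthenticated peer
    events += [(2.0 + i * 0.05, "192.0.2.66", UsmStatus.USM_AUTHENTICATION_FAILURE)
               for i in range(20)]
    # same peer again after the window has expired
    events.append((90.0, "192.0.2.66", UsmStatus.USM_AUTHENTICATION_FAILURE))
    for now, source, status in events:
        notifier.on_usm_error(now, source, status)
    return notifier


if __name__ == "__main__":
    n = run_demo()
    print(f"traps sent: {len(n.sent)}, suppressed by throttle: {n.suppressed}")
    for entry in n.sent:
        print(entry)
```

Running the demo emits 7 traps (one for the mistyped user name, five for the spray before the cap bites, one after the window expires) and suppresses 15; the discovering manager at 10.0.0.5 never triggers one. Disabling `snmp_enable_authen_traps` reproduces the 1.3.1 behaviour of sending none at all, while still letting the agent count the failures.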



