[SNMP4J] AuthenticationFailure notification with invalid V3 query
Vivi Zhang
vzhang at anuesystems.com
Tue Nov 17 22:43:34 CET 2009
Frank:
Thanks for your response.
I am curious why you took the generation of the authenticationFailure
trap away for V3, but not for the V2 or V1 authentication failure
notification. I downloaded the latest agent code, SNMP4J-Agent 1.3.2.
It seems it still supports V1 and V2c authenticationFailure. Should we
let the user choose whether he wants to have authentication failure notifications?
From a coding point of view,
the API MPv3::prepareDataElements() associates the detailed error code with
the msgId so that it can be put in the response PDU, and returns
SnmpConstants.SNMP_MP_USM_ERROR in case the variable "status" is not
SNMPv3_USM_OK. If the API returned the error code in the variable "status" back
to its caller, MessageDispatcherImpl::dispatchMessage() could fire an
authentication failure event whenever status is neither
SNMPv3_USM_UNKNOWN_ENGINEID nor SNMPv3_USM_NOT_IN_TIME_WINDOW:
    switch (status) {
      // USM errors that mean a bad user name, bad key, or a tampered message:
      case SnmpConstants.SNMP_MP_UNSUPPORTED_SECURITY_MODEL:
      case SnmpConstants.SNMPv3_USM_UNSUPPORTED_SECURITY_LEVEL:
      case SnmpConstants.SNMPv3_USM_UNKNOWN_SECURITY_NAME:
      case SnmpConstants.SNMPv3_USM_ENCRYPTION_ERROR:
      case SnmpConstants.SNMPv3_USM_DECRYPTION_ERROR:
      case SnmpConstants.SNMPv3_USM_AUTHENTICATION_ERROR:
      case SnmpConstants.SNMPv3_USM_AUTHENTICATION_FAILURE:
      {
        AuthenticationFailureEvent event =
            new AuthenticationFailureEvent(this, incomingAddress,
                                           sourceTransport, status,
                                           wholeMessage);
        fireAuthenticationFailure(event);
        break;
      }
      // SNMPv3_USM_UNKNOWN_ENGINEID and SNMPv3_USM_NOT_IN_TIME_WINDOW are
      // deliberately absent: no trap for discovery traffic.
      default:
        break;
    }
The switch statement does not list the unknown engine ID or timeliness
errors, since we don't want to send out an authentication failure trap for
discovery.
Of course, we would also need to implement authentication failure event listener
registration, and call the authentication notification when we receive the
event.
Would this help us in handling the authentication failure notification?
Vivi
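As an added illustration of the listener side of the proposal above (my own example code, not part of SNMP4J, SNMP4J-Agent or AgenPro): it registers an AuthenticationFailureListener on the dispatcher, fires a notification only for the credential-related statuses listed in the switch above, skips the two discovery statuses, and caps the notification rate per source address, which is one way to keep the trap from becoming the DoS amplifier Frank mentions. It assumes the SNMP4J API as documented in the 1.9/1.10 javadoc (AuthenticationFailureEvent.getAddress() and getError(), MessageDispatcher.addAuthenticationFailureListener()); the names AuthFailureNotifier and NotificationSender are made up here, and the agent has to supply the actual trap sending behind NotificationSender.

```java
import java.util.HashMap;
import java.util.Map;

import org.snmp4j.MessageDispatcher;
import org.snmp4j.event.AuthenticationFailureEvent;
import org.snmp4j.event.AuthenticationFailureListener;
import org.snmp4j.mp.SnmpConstants;
import org.snmp4j.smi.Address;

/**
 * Example listener (not SNMP4J code): decides from the USM status of an
 * AuthenticationFailureEvent whether an authenticationFailure notification
 * should go out, ignores the two discovery statuses, and limits how often a
 * single source address can trigger a notification.
 */
public class AuthFailureNotifier implements AuthenticationFailureListener {

    /** Hypothetical hook into the agent's notification originator. */
    public interface NotificationSender {
        void sendAuthenticationFailure(Address source, int status);
    }

    private final NotificationSender sender;
    private final long minIntervalMillis;
    /** Time of the last notification sent per source address. */
    private final Map<Address, Long> lastSent = new HashMap<Address, Long>();

    public AuthFailureNotifier(NotificationSender sender, long minIntervalMillis) {
        this.sender = sender;
        this.minIntervalMillis = minIntervalMillis;
    }

    /** Statuses produced by normal engine ID / time discovery: never notify. */
    static boolean isDiscoveryStatus(int status) {
        return status == SnmpConstants.SNMPv3_USM_UNKNOWN_ENGINEID
            || status == SnmpConstants.SNMPv3_USM_NOT_IN_TIME_WINDOW;
    }

    /** Statuses that mean a wrong user name, wrong key, or tampered message. */
    static boolean isCredentialFailure(int status) {
        switch (status) {
            case SnmpConstants.SNMP_MP_UNSUPPORTED_SECURITY_MODEL:
            case SnmpConstants.SNMPv3_USM_UNSUPPORTED_SECURITY_LEVEL:
            case SnmpConstants.SNMPv3_USM_UNKNOWN_SECURITY_NAME:
            case SnmpConstants.SNMPv3_USM_ENCRYPTION_ERROR:
            case SnmpConstants.SNMPv3_USM_DECRYPTION_ERROR:
            case SnmpConstants.SNMPv3_USM_AUTHENTICATION_ERROR:
            case SnmpConstants.SNMPv3_USM_AUTHENTICATION_FAILURE:
                return true;
            default:
                return false;
        }
    }

    /**
     * Applies the status filter and the per-source rate limit. Returns true
     * when a notification was sent, false when the event was ignored or
     * suppressed.
     */
    synchronized boolean handle(Address source, int status, long nowMillis) {
        if (isDiscoveryStatus(status) || !isCredentialFailure(status)) {
            return false;
        }
        Long last = lastSent.get(source);
        if (last != null && nowMillis - last < minIntervalMillis) {
            return false; // suppressed: this source was notified too recently
        }
        lastSent.put(source, nowMillis);
        sender.sendAuthenticationFailure(source, status);
        return true;
    }

    public void authenticationFailure(AuthenticationFailureEvent event) {
        handle(event.getAddress(), event.getError(), System.currentTimeMillis());
    }

    /** Wires the listener into a dispatcher such as the agent's MessageDispatcherImpl. */
    public static AuthFailureNotifier install(MessageDispatcher dispatcher,
                                              NotificationSender sender) {
        // At most one authenticationFailure notification per source every 10 s.
        AuthFailureNotifier notifier = new AuthFailureNotifier(sender, 10000L);
        dispatcher.addAuthenticationFailureListener(notifier);
        return notifier;
    }
}
```

Without the rate limit, every forged or mistyped v3 request turns into one trap towards the notification target, which is the amplification the 1.3.1 change removes; with it, a flood from one source costs the target at most one trap per interval, while the agent's usmStats counters still count every failure.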
Frank Fock wrote:
> Hi Vivi,
>
> I have removed the generation of the authenticationFailure
> trap in SNMP4J-Agent 1.3.1 to be more robust against DoS
> attacks. There is no benefit from having generated these
> traps.
>
> Regards,
> Frank
>
> Vivi Zhang wrote:
>> Frank:
>>
>> The email was sent Oct 28. I have not seen a reply yet. I guess it got
>> lost. Let me try it again.
>>
>> I am trying to verify that SNMP4J will send out an authentication
>> failure notification when it receives a query with a bad user name or
>> bad password. Is there a way to verify that the notification works with the
>> SNMP4J test agent?
>>
>> I found a thread of conversation between you and Marek on:
>> http://fixunix.com/snmp/64320-wrong-authorization-alarm-trap-usm.html
>> "Indeed, AGENT++ did not generate authenticationFailure notifications
>> on usmWrongDigest and usmNotInTimeWindow failures. I have fixed that bug
>> and you can download the new version from http://www.agentpp.com"
>>
>> I am using AgenPro 2.7.2, SNMP4J version 1.9.3c, and SNMP4J-Agent
>> version 1.2.1d. Does this version contain your fix? Or does this
>> version contain the bug? Is there any option I can choose during the
>> code generation phase to enable authentication failure notifications?
>>
>> Could you explain which error codes will trigger the notification?
>>
>> Thanks for your help in advance.
>>
>> Vivi
>>
>> Vivi Zhang wrote:
>>> Frank:
>>>
>>> I wonder how to make a notification recipient receive an
>>> authenticationFailure notification when an agent receives a query
>>> with a bad user name or bad password. When the agent receives a v2 query
>>> with a bad community string, the API SNMPv2Mib::incrementCounter()
>>> calls the notify API and sends out notifications. But when the agent
>>> receives a v3 query with a bad username, no notification is sent out.
>>>
>>> I am using SNMP4J version 1.9.3c and SNMP4J-Agent version 1.2.1d.
>>>
>>> This is the second question. According to CHANGES.txt on the snmp4j site:
>>>
>>> [2009-07-30] v1.3.1 (Requires SNMP4J v1.10.1)
>>> ....
>>> * Improved: Authentication failure traps are no longer
>>> sent on usmNotInTimeWindow and usmUnknownEngineID
>>> reports.
>>>
>>> I am wondering why? If a user has a bad username, would that cause a
>>> usmNotInTimeWindow error, since the second part of discovery requires
>>> user credentials?
>>>
>>> Thanks.
>>>
>>> Vivi