[SNMP4J] AuthenticationFailure notification with invalid V3 query

Frank Fock fock at agentpp.com
Tue Nov 17 22:49:21 CET 2009


Vivi,

I have problems following your thoughts.
SNMP4J-Agent is already (and still) sending
out authenticationFailure traps on SNMPv3
USM errors other than unknownEngineID and
notInTimeWindow. As you wrote, these are
excluded because of discovery and to
impede DoS attacks.

So, where exactly is the problem?

Regards,
Frank

Vivi Zhang wrote:
> Frank:
> 
> Thanks for your response.
> 
> I am curious why you took the generation of the authenticationFailure 
> trap away for V3, but not for the V2 or V1 authentication failure 
> notification.  I downloaded the latest agent code SNMP4J-Agent1.3.2. 
> It seems it still supports V1 and V2c authenticationFailure.   Should we 
> let the user choose whether he wants to have authentication failure notification?
> 
> From a coding point of view,
> the API MPv3::prepareDataElements() associates the detailed error code with 
> the msgId so that it can be put in the response PDU, and returns 
> SnmpConstants.SNMP_MP_USM_ERROR in case the variable "status" is not 
> SNMPv3_USM_OK.  If the API returns the error code in the variable "status" back 
> to its caller, MessageDispatcherImpl::dispatchMessage() can fire an 
> authentication failure event when the status is neither 
> SNMPv3_USM_UNKNOWN_ENGINEID nor SNMPv3_USM_NOT_IN_TIME_WINDOW:
> switch (status) {
>        case SnmpConstants.SNMP_MP_UNSUPPORTED_SECURITY_MODEL:
>        case SnmpConstants.SNMPv3_USM_UNSUPPORTED_SECURITY_LEVEL:
>        case SnmpConstants.SNMPv3_USM_UNKNOWN_SECURITY_NAME:
>        case SnmpConstants.SNMPv3_USM_ENCRYPTION_ERROR:
>        case SnmpConstants.SNMPv3_USM_DECRYPTION_ERROR:
>        case SnmpConstants.SNMPv3_USM_AUTHENTICATION_ERROR:
>        case SnmpConstants.SNMPv3_USM_AUTHENTICATION_FAILURE:
>        {
>          // USM errors that indicate a bad user name, key or
>          // security level: notify registered listeners.
>          AuthenticationFailureEvent event =
>              new AuthenticationFailureEvent(this, incomingAddress,
>                                             sourceTransport, status,
>                                             wholeMessage);
>          fireAuthenticationFailure(event);
>          break;
>        }
>        default:
>          // unknownEngineID and notInTimeWindow: part of discovery,
>          // no authentication failure event is fired.
>          break;
> }
> The switch statement does not list unknown engine id nor timeliness 
> error since we don't want to send out an authentication failure trap for 
> discovery.
> 
> Of course, we need to implement authentication failure event listener 
> registration, and call the authentication notification as we receive the 
> event.
> 
> Would this help us handle the authentication failure notification?
> 
> Vivi
> 
> Frank Fock wrote:
>> Hi Vivi,
>>
>> I have removed the generation of the authenticationFailure
>> trap in SNMP4J-Agent 1.3.1 to be more robust against DoS
>> attacks. There is no benefit from having generated these
>> traps.
>>
>> Regards,
>> Frank
>>
>> Vivi Zhang wrote:
>>> Frank:
>>>
>>> The email was sent Oct 28.  I have not seen a reply yet. I guess it got 
>>> lost. Let me try it again.
>>>
>>> I am trying to verify that SNMP4J will send out an authentication 
>>> failure notification when it receives a query with a bad user name or 
>>> bad password. Is there a way to verify the notification works with the 
>>> SNMP4J test agent?
>>>
>>> I found a thread of conversation between you and Marek on: 
>>> http://fixunix.com/snmp/64320-wrong-authorization-alarm-trap-usm.html
>>> "Indeed, AGENT++ did not generate authenticationFailure notifications
>>> on usmWrongDigest and usmNotInTimeWindow failures. I have fixed that bug
>>> and you can download the new version from http://www.agentpp.com"
>>>
>>> I am using AgenPro 2.7.2, SNMP4J is version 1.9.3c, and SNMP4JAgent 
>>> is version 1.2.1d.  Does this version contain your fix? Or does this 
>>> version contain this bug?  Is there any option I can choose during the 
>>> code generation phase to enable authentication failure notification?
>>>
>>> Could you explain which error codes will trigger the notification?
>>>
>>> Thanks for your help in advance.
>>>
>>> Vivi
>>>
>>> Vivi Zhang wrote:
>>>> Frank:
>>>>
>>>> I wonder how to make a notification recipient receive an 
>>>> authenticationFailure notification when an agent receives a query 
>>>> with a bad user name or bad password. When the agent receives a v2 query 
>>>> with a bad community string, the API SNMPv2Mib::incrementCounter() 
>>>> calls the notify API and sends out notifications.   But when the agent 
>>>> receives a v3 query with a bad username, no notification is sent out.
>>>>
>>>> I am using : SNMP4J is version 1.9.3c, and SNMP4JAgent is version 
>>>> 1.2.1d.
>>>>
>>>> This is second question. According to CHANGES.txt on snmp4j site:
>>>>
>>>> [2009-07-30] v1.3.1 (Requires SNMP4J v1.10.1)
>>>> ....
>>>> * Improved: Authentication failure traps are no longer
>>>>  sent on usmNotInTimeWindow and usmUnknownEngineID
>>>>  reports.
>>>>
>>>> I am wondering why?  If a user has a bad username, would that cause a 
>>>> usmNotInTimeWindow error, since the second part of discovery requires 
>>>> user credentials?
>>>>
>>>> Thanks.
>>>>
>>>> Vivi
>>>>

-- 
AGENT++
http://www.agentpp.com
http://www.snmp4j.com
http://www.mibexplorer.com
http://www.mibdesigner.com
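The policy discussed in this thread, as an added example that is not SNMP4J code and uses none of its API: Vivi's switch (notify on the listed USM errors, skip unknownEngineID and notInTimeWindow because they are part of discovery) combined with Frank's DoS concern (a flood of bad requests must not turn the agent into a trap generator). The status names come from the thread; their enum values and the per-source rate limit are constructed for this example.

```python
from collections import Counter, defaultdict
from enum import Enum, auto


class UsmStatus(Enum):
    # Names as used in the thread; the values are constructed here,
    # not SNMP4J's SnmpConstants values.
    SNMPv3_USM_OK = auto()
    SNMP_MP_UNSUPPORTED_SECURITY_MODEL = auto()
    SNMPv3_USM_UNSUPPORTED_SECURITY_LEVEL = auto()
    SNMPv3_USM_UNKNOWN_SECURITY_NAME = auto()
    SNMPv3_USM_ENCRYPTION_ERROR = auto()
    SNMPv3_USM_DECRYPTION_ERROR = auto()
    SNMPv3_USM_AUTHENTICATION_ERROR = auto()
    SNMPv3_USM_AUTHENTICATION_FAILURE = auto()
    SNMPv3_USM_UNKNOWN_ENGINEID = auto()
    SNMPv3_USM_NOT_IN_TIME_WINDOW = auto()


# Errors a manager legitimately produces while discovering the agent's
# engine ID and time: a Report PDU goes back, but no trap is raised.
DISCOVERY_STATUSES = {UsmStatus.SNMPv3_USM_UNKNOWN_ENGINEID,
                      UsmStatus.SNMPv3_USM_NOT_IN_TIME_WINDOW}


class AuthFailureNotifier:
    """Decide whether a USM error becomes an authenticationFailure trap.

    Counters (the usmStats analogue) are incremented for every error, but
    traps per source address are capped per time window so that a burst of
    forged requests cannot amplify into a burst of outbound traps."""

    def __init__(self, max_per_window: int, window_secs: float):
        self.max_per_window = max_per_window
        self.window_secs = window_secs
        self.stats = Counter()              # status -> number of errors seen
        self._sent = defaultdict(list)      # source -> times a trap was sent

    def handle(self, status: UsmStatus, source: str, now: float) -> bool:
        """Return True if an authenticationFailure trap should be sent."""
        if status is UsmStatus.SNMPv3_USM_OK:
            return False
        self.stats[status] += 1
        if status in DISCOVERY_STATUSES:
            return False
        recent = [t for t in self._sent[source] if now - t < self.window_secs]
        self._sent[source] = recent
        if len(recent) >= self.max_per_window:
            return False                    # suppressed by the rate limit
        recent.append(now)
        return True
```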
