[SNMP4J] AuthenticationFailure notification with invalid V3 query

Frank Fock fock at agentpp.com
Wed Nov 18 22:21:17 CET 2009


Vivi,

I do not know what you have changed. The SampleAgent as
delivered with SNMP4J-Agent sends out the authenticationFailure
trap - without any changes to the code!

Sorry, I still do not understand where the problem is...

Regards,
Frank

Vivi Zhang wrote:
> Thanks, Frank.
> 
> I did enable the authenticationFailure trap, and am able to receive the 
> authenticationFailure trap when receiving a query with a bad v1 or v2 
> community string.
> 
> The SNMPv2MIB class in SNMP4J-AGENT listens to CounterEvent for handling 
> authentication failure for bad v1 and v2 community string.
> 
> SNMP4J does send out AuthenticationFailureEvent for V3 usmWrongDigest. 
> But the SNMPv2MIB class does not listen to AuthenticationFailureEvent. 
> The current framework doesn't have the code to capture the 
> AuthenticationFailureEvent and send out the notification.
> To make it work, I extended my code to listen to 
> AuthenticationFailureEvent, and send notification from my code.
> Thank you very much for your help.
> 
> Vivi
> 
> Frank Fock wrote:
>> My statement referred to the changes made in SNMP4J-Agent 1.3.1.
>> The change log for that version states clearly that the
>> authenticationFailure trap is no longer sent for usmNotInTimeWindow
>> and usmUnknownEngineID events only.
>>
>> The authentication failure trap is generated for usmWrongDigest,
>> for example (I used the SampleAgent). How did you test it?
>> Have you enabled the authenticationFailure trap?
>>
>> Regards,
>> Frank
>>
>> Vivi Zhang wrote:
>>> Frank:
>>>
>>> I misunderstood your reply.
>>>
>>> Your following statement really means: "I have removed the 
>>> generation of the authenticationFailure trap in SNMP4J-Agent 1.3.1 to 
>>> be more robust against DoS attacks. There is no benefit from having 
>>> generated these traps."
>>>
>>>
>>> Now, back to my original question: how could I receive an 
>>> authenticationFailure trap when a V3 user sends a request with a bad 
>>> password, or a misspelled name?  I am able to receive an authentication 
>>> failure trap when the agent receives a query with a bad V1 or V2 
>>> community string.
>>>
>>> Frank Fock wrote:
>>>> Vivi,
>>>>
>>>> I have problems following your thoughts.
>>>> SNMP4J-Agent is already (and still) sending
>>>> out authenticationFailure traps on SNMPV3
>>>> USM errors other than unknownEngineID and
>>>> notInTimeWindow. As you wrote, these are
>>>> excluded because of discovery and to
>>>> impede DoS attacks.
>>>>
>>>> So, where exactly is the problem?
>>>>
>>>> Regards,
>>>> Frank
>>>>
>>>> Vivi Zhang wrote:
>>>>> Frank:
>>>>>
>>>>> Thanks for your response.
>>>>>
>>>>> I am curious why you took the generation of the 
>>>>> authenticationFailure trap away for V3, but not for the V2 or V1 
>>>>> authentication failure notification.  I downloaded the latest agent 
>>>>> code, SNMP4J-Agent 1.3.2. It seems it still supports V1 and V2c 
>>>>> authenticationFailure.   Should we let the user choose if he wants to 
>>>>> have the authentication failure notification?
>>>>>
>>>>> From a coding point of view,
>>>>> the api MPv3::prepareDataElements() associates the detailed error code 
>>>>> with the msgId so that it can be put in the response pdu, and returns 
>>>>> SnmpConstants.SNMP_MP_USM_ERROR in case the variable "status" is 
>>>>> not SNMPv3_USM_OK.  If the api returns the error code in the variable 
>>>>> "status" back to its caller, the 
>>>>> MessageDispatcherImpl::dispatchMessage() can fire an authentication 
>>>>> failure event when status is neither 
>>>>> SNMPv3_USM_UNKNOWN_ENGINEID nor 
>>>>> SNMPv3_USM_NOT_IN_TIME_WINDOW:
>>>>> switch (status) {
>>>>>   case SnmpConstants.SNMP_MP_UNSUPPORTED_SECURITY_MODEL:
>>>>>   case SnmpConstants.SNMPv3_USM_UNSUPPORTED_SECURITY_LEVEL:
>>>>>   case SnmpConstants.SNMPv3_USM_UNKNOWN_SECURITY_NAME:
>>>>>   case SnmpConstants.SNMPv3_USM_ENCRYPTION_ERROR:
>>>>>   case SnmpConstants.SNMPv3_USM_DECRYPTION_ERROR:
>>>>>   case SnmpConstants.SNMPv3_USM_AUTHENTICATION_ERROR:
>>>>>   case SnmpConstants.SNMPv3_USM_AUTHENTICATION_FAILURE:
>>>>>   {
>>>>>     AuthenticationFailureEvent event =
>>>>>         new AuthenticationFailureEvent(this, incomingAddress,
>>>>>                                        sourceTransport, status,
>>>>>                                        wholeMessage);
>>>>>     fireAuthenticationFailure(event);
>>>>>     break;
>>>>>   }
>>>>>   default:
>>>>>     // unknownEngineID and notInTimeWindow fall through here: no event
>>>>>     break;
>>>>> }
>>>>> The switch statement does not list the unknown engine id or timeliness 
>>>>> error since we don't want to send out an authentication failure trap 
>>>>> for discovery.
>>>>>
>>>>> Of course, we need to implement authentication failure event listener 
>>>>> registering, and call the authentication notification as we receive 
>>>>> the event.
>>>>>
>>>>> Would this help us handle the authentication failure notification?
>>>>>
>>>>> Vivi
>>>>>
>>>>> Frank Fock wrote:
>>>>>> Hi Vivi,
>>>>>>
>>>>>> I have removed the generation of the authenticationFailure
>>>>>> trap in SNMP4J-Agent 1.3.1 to be more robust against DoS
>>>>>> attacks. There is no benefit from having generated these
>>>>>> traps.
>>>>>>
>>>>>> Regards,
>>>>>> Frank
>>>>>>
>>>>>> Vivi Zhang wrote:
>>>>>>> Frank:
>>>>>>>
>>>>>>> The email was sent Oct 28.  I have not seen a reply yet. I guess it 
>>>>>>> got lost. Let me try it again.
>>>>>>>
>>>>>>> I am trying to verify that SNMP4J will send out an authentication 
>>>>>>> failure notification when it receives a query with a bad user 
>>>>>>> name, or a bad password. Is there a way to verify the notification 
>>>>>>> works with the SNMP4j test agent?
>>>>>>>
>>>>>>> I found a thread of conversation between you and Marek on: 
>>>>>>> http://fixunix.com/snmp/64320-wrong-authorization-alarm-trap-usm.html./ 
>>>>>>>
>>>>>>> "Indeed, AGENT++ did not generate authenticationFailure 
>>>>>>> notifications
>>>>>>> on usmWrongDigest and usmNotInTimeWindow failures. I have fixed 
>>>>>>> that bug
>>>>>>> and you can download the new version from http://www.agentpp.com"
>>>>>>>
>>>>>>> I am using AgenPro 2.7.2, SNMP4J is version 1.9.3c, and 
>>>>>>> SNMP4JAgent is version 1.2.1d.  Does this version contain your 
>>>>>>> fix? Or does this version contain this bug?  Is there any option I 
>>>>>>> can choose during the code generation phase to enable the authentication 
>>>>>>> failure notification?
>>>>>>>
>>>>>>> Could you explain which error codes will trigger the notification?
>>>>>>>
>>>>>>> Thanks for your help in advance.
>>>>>>>
>>>>>>> Vivi
>>>>>>>
>>>>>>> Vivi Zhang wrote:
>>>>>>>> Frank:
>>>>>>>>
>>>>>>>> I wonder how to make a notification recipient receive an 
>>>>>>>> authenticationFailure notification when an agent receives a 
>>>>>>>> query with a bad user name or bad password. When the agent receives a 
>>>>>>>> v2 query with a bad community string, the api 
>>>>>>>> SNMPv2Mib::incrementCounter() calls the notify api and sends out 
>>>>>>>> notifications.   But when the agent receives a v3 query with a bad 
>>>>>>>> username, no notification is sent out.
>>>>>>>>
>>>>>>>> I am using: SNMP4J version 1.9.3c, and SNMP4JAgent 
>>>>>>>> version 1.2.1d.
>>>>>>>>
>>>>>>>> This is the second question. According to CHANGES.txt on the snmp4j site:
>>>>>>>>
>>>>>>>> [2009-07-30] v1.3.1 (Requires SNMP4J v1.10.1)
>>>>>>>> ....
>>>>>>>> * Improved: Authentication failure traps are no longer
>>>>>>>>  sent on usmNotInTimeWindow and usmUnknownEngineID
>>>>>>>>  reports.
>>>>>>>>
>>>>>>>> I am wondering why?  If a user has a bad username, would that 
>>>>>>>> cause usmNotInTimeWindow error since the second part of 
>>>>>>>> discovery requires user credential?
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> Vivi
>>>>>>>>

-- 
AGENT++
http://www.agentpp.com
http://www.snmp4j.com
http://www.mibexplorer.com
http://www.mibdesigner.com
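As an added example (not code from this thread, nor from SNMP4J or SNMP4J-Agent), a listener of the kind Vivi describes: it consumes SNMP4J's AuthenticationFailureEvent, skips the two discovery statuses the 1.3.1 change log excludes, rate-limits the trap to address Frank's DoS concern, and hands the authenticationFailure notification to the agent's NotificationOriginator. The event accessor getError(), the NotificationOriginator.notify signature, and the placeholder OID are assumptions.

```java
import org.snmp4j.agent.NotificationOriginator;
import org.snmp4j.event.AuthenticationFailureEvent;
import org.snmp4j.event.AuthenticationFailureListener;
import org.snmp4j.mp.SnmpConstants;
import org.snmp4j.smi.OID;
import org.snmp4j.smi.OctetString;
import org.snmp4j.smi.VariableBinding;

/** Hypothetical listener: turns USM authentication failures into
 *  authenticationFailure notifications, excluding discovery-related statuses. */
public class UsmAuthFailureNotifier implements AuthenticationFailureListener {

  private final NotificationOriginator originator; // assumed: the agent's originator
  private final long minIntervalMillis;            // rate limit, see DoS concern above
  private long lastSent = 0;

  public UsmAuthFailureNotifier(NotificationOriginator originator, long minIntervalMillis) {
    this.originator = originator;
    this.minIntervalMillis = minIntervalMillis;
  }

  /** unknownEngineID and notInTimeWindow occur during normal engine discovery,
   *  so they must not be reported as authentication failures. */
  static boolean isReportable(int status) {
    return status != SnmpConstants.SNMPv3_USM_UNKNOWN_ENGINEID
        && status != SnmpConstants.SNMPv3_USM_NOT_IN_TIME_WINDOW;
  }

  public synchronized void authenticationFailure(AuthenticationFailureEvent event) {
    if (!isReportable(event.getError())) {   // getError(): assumed accessor name
      return;
    }
    long now = System.currentTimeMillis();
    if (now - lastSent < minIntervalMillis) {
      return;   // suppressed: a flood of bad requests must not become a flood of traps
    }
    lastSent = now;
    // authenticationFailure carries no mandatory objects; the peer address is
    // attached under a placeholder OID (not a registered object) for context.
    VariableBinding[] vbs = new VariableBinding[] {
        new VariableBinding(new OID("1.3.6.1.4.1.99999.1"),
                            new OctetString(String.valueOf(event.getAddress())))
    };
    originator.notify(new OctetString(), SnmpConstants.authenticationFailure, vbs);
  }
}
```

Register the instance with the agent's MessageDispatcher through addAuthenticationFailureListener (assumed to be reachable from your agent setup); the rate limit is deliberately coarse and should be tuned per deployment.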