[SNMP4J] Initial SNMPv3 handshake extra step?

Frank Fock fock at agentpp.com
Thu Aug 5 23:33:05 CEST 2010 

Hi Scott,

The SNMP4J implementation ist strictly following RFC 3414 which
does not suggest the shortcut NET-SNMP uses.

The use that shortcut with SNMP4J as well, add the following
method to the UsmTimeTable class:

  /**
   * Checks if the engine ID exists in the local cache. If not and
   * <code>discoveryAllowed</code> is true, the engine ID will be added
   * to the cache with the given engineBoots and -Time (both zero by 
default).
   *
   * @param securityEngineID
   *    the engine ID to check.
   * @param discoveryEnabled
   *    true if this method might add the engine ID to the local cache
   *   (side-effect).
   * @param engineBoots
   *    the number of engine boots for the engine ID (zero by default).
   * @param engineTime
   *    the engine time for the engine ID (zero by default).
   * @return
   *    SNMPv3_USM_OK if the engine ID is known by the local cache or has
   *    been added, {@link SnmpConstants#SNMPv3_USM_UNKNOWN_ENGINEID}
   *    otherwise.
   * @since 1.11.2
   */
  public int checkEngineID(OctetString securityEngineID,
                           boolean discoveryAllowed, int engineBoots,
                           int engineTime) {
    if (table.get(securityEngineID) != null) {
      return SnmpConstants.SNMPv3_USM_OK;
    }
    else if (discoveryAllowed) {
      addEntry(new UsmTimeEntry(securityEngineID, engineBoots, engineTime));
      return SnmpConstants.SNMPv3_USM_OK;
    }
    return SnmpConstants.SNMPv3_USM_UNKNOWN_ENGINEID;
  }
}

Then change the USM class in line 554 and call the new method with:
    if ((securityEngineID.length() == 0) ||
        (timeTable.checkEngineID(securityEngineID,
                                 isEngineDiscoveryEnabled(),
         usmSecurityParameters.getAuthoritativeEngineBoots(),
         usmSecurityParameters.getAuthoritativeEngineTime()) !=
         SnmpConstants.SNMPv3_USM_OK)) {

This should do the trick.

Best regards,
Frank

Mackay, Scott schrieb:
> Hi, related to my notInTimeWindow question....
>
> Wiresharking the initial exchange I see a bit of an oddity when compared to a net-snmp get request.
>
> The first step for both seems ok, sending an empty get request, the engine sending a report back about unknown engined ids.
> The next step is send the actual get requested, with the engine id and the user...here is the difference though:
>    snmp4j - it sends the request with no boots or time values (0) even though those were send with that reply gotten
>    net-snmp - it fills out the boots and time entries.
> The result is that snmp4j gets rejected with a usmStatsNotInTimeWindows, fills in the values and then finally sends that and gets accepted.
>
> all of this is within the library's handshaking, not user code.
>
> Is there any reason/flag to make snmp4j fill in those fields in step 2 instead of requiring that additional step?
>
> -Scott
> _______________________________________________
> SNMP4J mailing list
> SNMP4J at agentpp.org
> http://lists.agentpp.org/mailman/listinfo/snmp4j
>

More information about the SNMP4J mailing list