[SNMP4J] SNMPv3 engineBoots/engineTime issue

Frank Fock fock at agentpp.com
Tue Aug 10 22:51:53 CEST 2010


Hi Brian,
Well, why are you using SNMPv3 then? Without security, SNMPv1 is
sufficient. The Engine ID Discovery can be disabled in SNMP4J to not
accidentally learn a wrong engine ID.

Best regards,
Frank

Am 10.08.2010 um 22:13 schrieb Brian Weaver <cmdrclueless at gmail.com>:

> OK, I'll give you that it might be insecure, but if you are going to  
> yell "insecure" then why even accept the Engine ID from initial  
> query? If someone is monitoring traffic (man in the middle) is it  
> not just as likely they can give you the wrong Engine ID too.
>
> Regards,
>
> Brian
>
> On Aug 10, 2010, at 3:54 PM, Jochen Katz wrote:
>
>> Hi,
>>
>> please see Frank's recent response with subject "Initial SNMPv3
>> handshake extra step?"
>>
>>> Can SNMP4J be configured to have similar behavior?  Not only is the
>>> Net-SNMP behavior more efficient
>>
>> but also it is insecure! If you are using SNMPv3 without authentication,
>> the NET-SNMP behaviour is ok, as everybody who is able to sniff and
>> insert packets can send valid responses.
>>
>> But if you are using authentication, the NET-SNMP behaviour allows an
>> attacker to prevent all communication between agent and manager. He just
>> has to answer with an unknownEngineID report with very high boot
>> counter. If the manager accepts this unauthenticated report it won't be
>> able to communicate with the agent.
>>
>> Regards,
>> Jochen
>> _______________________________________________
>> SNMP4J mailing list
>> SNMP4J at agentpp.org
>> http://lists.agentpp.org/mailman/listinfo/snmp4j
>
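Added example, not code from this thread, from SNMP4J or from NET-SNMP: a small Python model of the RFC 3414 USM timeliness rules, written to show the lockout Jochen describes. An agent (the authoritative engine) only serves authenticated requests whose engineBoots equal its own and whose engineTime is within 150 seconds; a manager caches what it has learned about the agent's engineBoots/engineTime and may only move that cache forward. The `Manager` here has a switch that decides whether an unauthenticated Report PDU is allowed to update the cache (the lenient behaviour discussed above) or whether only authenticated messages may do so (the RFC 3414 rule). The class and function names, the engine ID bytes and the clock values are all constructed for this illustration.

```python
"""Model of SNMPv3 USM engineBoots/engineTime handling (RFC 3414 section 3.2).

Constructed illustration: the Msg/EngineView/Agent/Manager names are not
SNMP4J or NET-SNMP APIs, and the engine ID and clock values are made up.
"""
from dataclasses import dataclass

TIME_WINDOW = 150        # seconds; RFC 3414 section 2.2.3
MAX_BOOTS = 2**31 - 1    # snmpEngineBoots latches at this value


@dataclass
class Msg:
    """The security parameters of one SNMPv3 message (constructed stand-in)."""
    engine_id: bytes
    boots: int
    time: int
    authenticated: bool      # True if the authentication digest verified
    report: bool = False     # True for a Report PDU (notInTimeWindow etc.)


@dataclass
class EngineView:
    """What a manager remembers about one remote engine (its USM cache)."""
    boots: int
    time: int                # engine time when it was learned
    learned_at: int          # local clock when it was learned


class Agent:
    """Authoritative engine: drops authenticated requests that are not timely."""

    def __init__(self, engine_id, boots, clock):
        self.engine_id, self.boots, self.clock = engine_id, boots, clock
        self.requests_served = 0

    def handle(self, msg):
        # RFC 3414 3.2 step 7a: equal boots and time within +/-150 s,
        # otherwise answer with an authenticated notInTimeWindow report
        # carrying the agent's real values.
        timely = msg.boots == self.boots and abs(msg.time - self.clock()) <= TIME_WINDOW
        if not timely:
            return Msg(self.engine_id, self.boots, self.clock(), True, report=True)
        self.requests_served += 1
        return Msg(self.engine_id, self.boots, self.clock(), True)


class Manager:
    """Non-authoritative engine keeping a per-agent engineBoots/engineTime cache."""

    def __init__(self, clock, accept_unauthenticated_reports):
        self.clock = clock
        self.lenient = accept_unauthenticated_reports
        self.cache = {}

    def estimate(self, view):
        # engineTime advances with the local clock since it was learned
        return view.time + (self.clock() - view.learned_at)

    def learn(self, msg):
        """RFC 3414 3.2 step 7b: only authenticated messages update the cache,
        and only forwards (higher boots, or same boots and later time).
        The lenient switch also lets unauthenticated Report PDUs through."""
        if not (msg.authenticated or (self.lenient and msg.report)):
            return False
        view = self.cache.get(msg.engine_id)
        if (view is None or msg.boots > view.boots
                or (msg.boots == view.boots and msg.time > self.estimate(view))):
            self.cache[msg.engine_id] = EngineView(msg.boots, msg.time, self.clock())
            return True
        return False

    def outgoing(self, engine_id):
        view = self.cache[engine_id]
        return Msg(engine_id, view.boots, self.estimate(view), True)


def simulate(accept_unauthenticated_reports):
    """Return True if the manager can still poll the agent after a forged report."""
    now = [1000]
    clock = lambda: now[0]
    engine_id = b"\x80\x00\x00\x00\x01\xc0\xa8\x00\x01"   # constructed engine ID
    agent = Agent(engine_id, boots=7, clock=clock)
    mgr = Manager(clock, accept_unauthenticated_reports)

    # 1. Normal time synchronisation: the agent's authenticated report is learned.
    mgr.learn(agent.handle(Msg(engine_id, 0, 0, True)))

    # 2. A spoofed, unauthenticated report claiming an enormous boot counter.
    mgr.learn(Msg(engine_id, MAX_BOOTS - 1, 0, False, report=True))

    # 3. A minute later the manager polls, retrying once after a report.
    now[0] += 60
    for _ in range(2):
        reply = agent.handle(mgr.outgoing(engine_id))
        if not reply.report:
            return True
        mgr.learn(reply)   # genuine boots=7 cannot move the cache backwards
    return False


if __name__ == "__main__":
    print("lenient manager still reaches agent:", simulate(True))    # False
    print("RFC 3414 manager still reaches agent:", simulate(False))  # True
```

The lenient manager is locked out for good: the forged report raised its cached engineBoots, the cache may only move forward, and every later authenticated request carries the bogus value the real agent rejects. The manager that applies the RFC 3414 rule ignores the unauthenticated report and keeps polling normally, which is the behaviour Jochen argues for and which Frank's note about disabling engine ID discovery complements.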


