Closed richud closed 8 months ago
If you have a few minutes for a zoom call today, I'm off. Send a PM to thewitness at cacti dot net.
The reason being, we need a test machine...
Sorry posting above was the last thing I did before shutting my laptop down and leaving work.
I could probably borrow something, connect it at home and make it externally accessible if that helps? My test subject was a 2960, just looking on eBay they are going for little so maybe easier to just buy one and setup.
Came across this which explains key localisation procedure needs changing to 3DES for Cisco AES192/256 https://community.cisco.com/t5/network-management/snmpv3-aes192-256-key-localization-not-done-via-aes-draft/td-p/2954763
Also came across this ; https://github.com/etingof/snmpsim ... which may be helpful, I don't think it does the Cisco combination though but maybe easily changeable for testing.
.. _priv-algos:
The following privacy (encryption) algorithms are currently supported (via --v3-priv-proto=
option): +------------+------------------------+----------------------+ | ID | Algorithm | Reference | +------------+------------------------+----------------------+ | NONE | - | RFC3414 | +------------+------------------------+----------------------+ | DES | DES | RFC3414 | +------------+------------------------+----------------------+ | AES | AES CFB 128 | RFC3826 | +------------+------------------------+----------------------+ | AES192 | AES CFB 192 | RFC Draft | +------------+------------------------+----------------------+ | AES256 | AES CFB 256 | RFC Draft | +------------+------------------------+----------------------+ | AES192BLMT | AES CFB 192 Blumenthal | RFC Draft | +------------+------------------------+----------------------+ | AES256BLMT | AES CFB 256 Blumenthal | RFC Draft | +------------+------------------------+----------------------+ | 3DES | Triple DES EDE | RFC Draft | +------------+------------------------+----------------------+
.. note::
The AES192, AES256 and 3DES are implemented based on `Blumenthal <http://tools.ietf.org/html/draft-blumenthal-aes-usm-04>`_ and `Reeder <https://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00>`_ draft RFCs.
@richud, can you get me a clean pull request for 1.2.x? We've got two weeks before release, and I would like to preserved your pull request.
i've redone pull on 1.2.x for cacti proper (added managers.php changes as well, assume that is relevant?) - and i've added a pull for spine, but just realised writing this that also has a 1.2.x branch - so not sure if that needs redoing too?
Let me take a look. I'll keep you posted.
If this is resolved now @richud, just close this one. Thanks for your contribution!
Hi, Any chance (please) this could be fixed to work with SNMPv3 / Cisco's AES256 to match the change in the main Cacti?
I added the appropriate bits in spine/snmp.c but there is a problem with the Ku buffer size.
Get this error from part of net-snmp; Internal Error: ku buffer too small (min=64)
And this error from Spine; SNMP: Error generating SNMPv3 Ku from privacy pass phrase.
It seems to have been a problem in net-snmp a while ago that got fixed? e.g. https://sourceforge.net/p/net-snmp/patches/1346/ (It works fine querying with snmpget etc using same info as Spine is using)