Erlang/OTP
http://erlang.org
Apache License 2.0

SNMP V3 USM EngineId discovery #7156

Open laurent010472 opened 1 year ago

laurent010472 commented 1 year ago

Hi,

Using snmpm from the SNMP toolkit manager, I think it could be possible to improve something regarding the USM EngineId, which is practically unknown most of the time. When we try to authenticate with a wrong EngineId, the SNMP device responds with an error, usmStatsUnknownEngineIDs, together with its real EngineId. So that means it would be possible to get this EngineId and use it to authenticate with the correct credentials (MD5 user / protocol passwords ...). In the current code this error is not fully supplied to the high-level layer:

snmpm_usm.erl:

%% 3.2.3 (b)
?vtrace("process_incoming_msg -> [3.2.3-b] check engine id",[]),
case snmpm_config:is_usm_engine_id_known(MsgAuthEngineID) of
    true ->
        ok;
    false ->
        SecData1 = [MsgUserName],
        error(usmStatsUnknownEngineIDs,
              ?usmStatsUnknownEngineIDs_instance,
              undefined, [{sec_data, SecData1}])
end,

Only the user name is supplied (MsgUserName). It would be nice to supply the MsgAuthEngineId too, so it can be caught in the error-handling callback as UserData.

handle_error(ReqId, Reason, UserData) ->
    error_logger:info_msg("handle_error: req_id: ~p, reason: ~p, user_data: ~p~n",
                          [ReqId, Reason, UserData]),
    ignore.

samwar commented 1 year ago

It would be really nice if the correct engine_id was reported back, or even just used to make the connection. The Linux snmp CLI tools are way less complicated to use and do all of that engine id management for you under the covers. It would be nice if the OTP snmp toolkit did the same.

rtATvw commented 1 year ago

Wireshark packet dump of snmp_ex vs net-snmp:

SNMP.DiscoveryAgent.discover_engine_id(URI.parse("snmp://10.0.6.192:161"))
{:error, :timeout}

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1969083667
        msgMaxSize: 484
        msgFlags: 04
            .... .1.. = Reportable: Set
            .... ..0. = Encrypted: Not set
            .... ...0 = Authenticated: Not set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID:
    msgAuthoritativeEngineBoots: 0
    msgAuthoritativeEngineTime: 0
    msgUserName:
    msgAuthenticationParameters:
    msgPrivacyParameters:
    msgData: plaintext (0)
        plaintext
            contextEngineID: 8000000006
                1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
                Engine Enterprise ID: Reserved (0)
                Engine ID Format: Reserved/Enterprise-specific (6)
                Engine ID Data:
            contextName:
            data: informRequest (6)
                informRequest
                    request-id: 383364578
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 2 items
                        1.3.6.1.2.1.1.3.0: 1306722
                            Object Name: 1.3.6.1.2.1.1.3.0 (iso.3.6.1.2.1.1.3.0)
                            Value (Timeticks): 1306722
                        1.3.6.1.6.3.1.1.4.1.0: 1.3.6.1.6.3.1.1.5.1 (iso.3.6.1.6.3.1.1.5.1)
                            Object Name: 1.3.6.1.6.3.1.1.4.1.0 (iso.3.6.1.6.3.1.1.4.1.0)
                            Value (OID): 1.3.6.1.6.3.1.1.5.1 (iso.3.6.1.6.3.1.1.5.1)

0000  68 d7 9a 5a 94 c1 28 92 4a d1 9e ec 08 00 45 00   h..Z..(.J.....E.
0010  00 8a 7a 51 40 00 40 11 fa 9c c0 a8 f4 0c 0a 00   ..zQ@.@.........
0020  06 c0 17 70 00 a1 00 76 c5 fc 30 6c 02 01 03 30   ...p...v..0l...0
0030  10 02 04 75 5d d5 13 02 02 01 e4 04 01 04 02 01   ...u]...........
0040  03 04 10 30 0e 04 00 02 01 00 02 01 00 04 00 04   ...0............
0050  00 04 00 30 43 04 05 80 00 00 00 06 04 00 a6 38   ...0C..........8
0060  02 04 16 d9 ad e2 02 01 00 02 01 00 30 2a 30 0f   ............0*0.
0070  06 08 2b 06 01 02 01 01 03 00 43 03 13 f0 62 30   ..+.......C...b0
0080  17 06 0a 2b 06 01 06 03 01 01 04 01 00 06 09 2b   ...+...........+
0090  06 01 06 03 01 01 05 01                           ........

snmpbulkwalk -t 5 -v3 -a MD5 -A XXXX -l authPriv -x des -X XXXX -u XXXX 10.0.6.192 .1.3.6.1.2.1.34

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 976399906
        msgMaxSize: 65507
        msgFlags: 04
            .... .1.. = Reportable: Set
            .... ..0. = Encrypted: Not set
            .... ...0 = Authenticated: Not set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID:
    msgAuthoritativeEngineBoots: 0
    msgAuthoritativeEngineTime: 0
    msgUserName:
    msgAuthenticationParameters:
    msgPrivacyParameters:
    msgData: plaintext (0)
        plaintext
            contextEngineID:
            contextName:
            data: get-request (0)
                get-request
                    request-id: 1152813210
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 0 items

0000  68 d7 9a 5a 94 c1 28 92 4a d1 9e ec 08 00 45 00   h..Z..(.J.....E.
0010  00 5c 80 62 40 00 40 11 f4 b9 c0 a8 f4 0c 0a 00   ..b@.@.........
0020  06 c0 cc 1a 00 a1 00 48 c5 ce 30 3e 02 01 03 30   .......H..0>...0
0030  11 02 04 3a 32 ae 22 02 03 00 ff e3 04 01 04 02   ...:2.".........
0040  01 03 04 10 30 0e 04 00 02 01 00 02 01 00 04 00   ....0...........
0050  04 00 04 00 30 14 04 00 04 00 a0 0e 02 04 44 b6   ....0.........D.
0060  88 9a 02 01 00 02 01 00 30 00                     ........0.

Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 976399906
        msgMaxSize: 65507
        msgFlags: 00
            .... .0.. = Reportable: Not set
            .... ..0. = Encrypted: Not set
            .... ...0 = Authenticated: Not set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 800003520200000000000000000000ffff0a0006c0
        1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
        Engine Enterprise ID: Tripp Lite (850)
        Engine ID Format: IPv6 address (2)
        Engine ID Data: IPv6 address: ::ffff:10.0.6.192
    msgAuthoritativeEngineBoots: 6
    msgAuthoritativeEngineTime: 4391362
    msgUserName:
    msgAuthenticationParameters:
    msgPrivacyParameters:
    msgData: plaintext (0)
        plaintext
            contextEngineID: 800003520200000000000000000000ffff0a0006c0
                1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
                Engine Enterprise ID: Tripp Lite (850)
                Engine ID Format: IPv6 address (2)
                Engine ID Data: IPv6 address: ::ffff:10.0.6.192
            contextName:
            data: report (8)
                report
                    request-id: 1152813210
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 1 item
                        1.3.6.1.6.3.15.1.1.4.0: 485439
                            Object Name: 1.3.6.1.6.3.15.1.1.4.0 (iso.3.6.1.6.3.15.1.1.4.0)
                            Value (Counter32): 485439

0000  28 92 4a d1 9e ec 68 d7 9a 5a 94 c1 08 00 45 00   (.J...h..Z....E.
0010  00 9b c4 60 00 00 3f 11 f1 7c 0a 00 06 c0 c0 a8   ...`..?..|......
0020  f4 0c 00 a1 cc 1a 00 87 ea a3 30 7d 02 01 03 30   ..........0}...0
0030  11 02 04 3a 32 ae 22 02 03 00 ff e3 04 01 00 02   ...:2.".........
0040  01 03 04 27 30 25 04 15 80 00 03 52 02 00 00 00   ...'0%.....R....
0050  00 00 00 00 00 00 00 ff ff 0a 00 06 c0 02 01 06   ................
0060  02 03 43 01 c2 04 00 04 00 04 00 30 3c 04 15 80   ..C........0<...
0070  00 03 52 02 00 00 00 00 00 00 00 00 00 00 ff ff   ..R.............
0080  0a 00 06 c0 04 00 a8 21 02 04 44 b6 88 9a 02 01   .......!..D.....
0090  00 02 01 00 30 13 30 11 06 0a 2b 06 01 06 03 0f   ....0.0...+.....
00a0  01 01 04 00 41 03 07 68 3f                        ....A..h?
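Added example, not code from OTP, snmp_ex or any commenter: a small hand-written BER reader that decodes the two net-snmp messages from the capture above, to show what the usmStatsUnknownEngineIDs report of RFC 3414 section 3.2.3 (b) actually carries (the agent's real msgAuthoritativeEngineID, boots and time), which is the value the issue asks to have surfaced to the manager's error callback. The sample bytes are the UDP payloads of the get-request and report frames dumped above with their Ethernet/IP/UDP headers removed; all function and constant names are my own.

```python
# usmStatsUnknownEngineIDs.0 = 1.3.6.1.6.3.15.1.1.4.0 in BER; an agent reports this counter
# under RFC 3414 section 3.2.3 (b) when it does not recognise msgAuthoritativeEngineID.
USM_STATS_UNKNOWN_ENGINE_IDS = bytes.fromhex("2b060106030f01010400")
# Sample input taken from the capture above (Ethernet/IP/UDP headers dropped): the net-snmp
# discovery get-request with an empty engine ID, and the agent's report answering it.
DISCOVERY_REQUEST = bytes.fromhex(
    "303e020103301102043a32ae22020300ffe30401040201030410300e04000201"
    "00020100040004000400301404000400a00e020444b6889a0201000201003000")
AGENT_REPORT = bytes.fromhex(
    "307d020103301102043a32ae22020300ffe30401000201030427302504158000"
    "03520200000000000000000000ffff0a0006c002010602034301c20400040004"
    "00303c0415800003520200000000000000000000ffff0a0006c00400a8210204"
    "44b6889a02010002010030133011060a2b060106030f01010400410307683f")

def tlv(buf, pos=0):
    """Read one BER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length (messages > 127 bytes)
        count, length = length & 0x7F, 0
        for _ in range(count):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """List the (tag, value) pairs directly inside a constructed value."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = tlv(buf, pos)
        items.append((tag, value))
    return items

def parse_usm_message(msg):
    """Return engine ID, boots, time and, for a Report-PDU, the reported OID and counter."""
    version, _global, sec_params, scoped_pdu = children(tlv(msg)[1])
    if version[1] != b"\x03":
        raise ValueError("not an SNMPv3 message")
    # msgSecurityParameters is an OCTET STRING wrapping the UsmSecurityParameters SEQUENCE
    engine_id, boots, time, _user, _auth, _priv = children(tlv(sec_params[1])[1])
    info = {"engine_id": engine_id[1].hex(), "boots": int.from_bytes(boots[1], "big"),
            "time": int.from_bytes(time[1], "big"), "report_oid": None, "counter": None}
    if scoped_pdu[0] != 0x30:                          # encrypted scopedPDU: cannot look inside
        return info
    _ctx_engine, _ctx_name, pdu = children(scoped_pdu[1])
    if pdu[0] == 0xA8:                                 # Report-PDU: a single counter varbind
        oid, value = children(children(children(pdu[1])[3][1])[0][1])
        info["report_oid"], info["counter"] = oid[1], int.from_bytes(value[1], "big")
    return info

def discovered_engine_id(report):
    """Engine ID the manager should adopt, or None if this is not an unknown-engine-ID report."""
    info = parse_usm_message(report)
    return info["engine_id"] if info["report_oid"] == USM_STATS_UNKNOWN_ENGINE_IDS else None
```

Running parse_usm_message on both payloads shows the request going out with an empty engine ID and the report coming back with the Tripp Lite engine ID, boots 6 and time 4391362 that Wireshark decoded above; a manager that keeps those three values can issue the authenticated request without any out-of-band configuration.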