Repost, but with some parts in fixed font for easier reading/interpretation.
My original post was in plain text as requested by the guidelines, but the
parts which are now in fixed font were difficult to read.


Hi,

I'm having trouble with SNMPv3 INFORMs dynamically configured via the standard
MIB tables. I was able to get SNMPv3 INFORMs configured via the
configuration files working.

For now my snmpd and snmptrapd run on the same PC. My problems are related
to engineIDs and localised keys. (With SNMPv3 INFORMs, the authoritative
engine is the engine that receives the trap: the snmptrapd.)

Let's call:
- the engineId of the snmpd the snmpdEngineId
- the engineId of the snmptrapd the snmptrapdEngineId

I configure some users in the config files as follows. I'll use the user
"my_inform_user" for the SNMPv3 INFORMs.

/usr/share/snmp/snmpd.conf (static snmpd.conf):

rwuser  my_rwuser
rouser  my_rouser

/var/net-snmp/snmpd.conf (dynamic snmpd.conf):

createUser my_rwuser      MD5 setup_rw_passphrase
createUser my_rouser      MD5 setup_ro_passphrase
createUser my_inform_user MD5 setup_inform_passphrase

/usr/share/snmp/snmptrapd.conf (static snmptrapd.conf):

authUser      log,execute my_inform_user

/var/net-snmp/snmptrapd.conf (dynamic snmptrapd.conf):

createUser my_inform_user MD5 setup_inform_passphrase


I start the snmpd and snmptrapd on the same PC:

$ sudo ./snmpd -f -DALL -L

And in another terminal:
$ sudo ./snmptrapd -f -n -DALL -Le


The applications replace the createUser statements with usmUser statements
as expected:

/var/net-snmp/snmpd.conf:

usmUser 1 3 0x80001f8880c06ab707e551cf4f 0x6d795f726f75736572 0x6d795f726f75736572 NULL .1.3.6.1.6.3.10.1.1.2 0x35cf78de30df093456e16cf780075233 .1.3.6.1.6.3.10.1.2.1 0x 0x
usmUser 1 3 0x80001f8880c06ab707e551cf4f 0x6d795f727775736572 0x6d795f727775736572 NULL .1.3.6.1.6.3.10.1.1.2 0x38f812af4f4b12be9f9082ecb82d6843 .1.3.6.1.6.3.10.1.2.1 0x 0x
usmUser 1 3 0x80001f8880c06ab707e551cf4f 0x6d795f696e666f726d5f75736572 0x6d795f696e666f726d5f75736572 NULL .1.3.6.1.6.3.10.1.1.2 0x2f390d7294e1ca1b105007c794046193 .1.3.6.1.6.3.10.1.2.1 0x 0x
engineBoots 7
oldEngineID 0x80001f8880c06ab707e551cf4f

/var/net-snmp/snmptrapd.conf:

usmUser 1 3 0x80001f888027d8fd7d2d53cf4f 0x6d795f696e666f726d5f75736572 0x6d795f696e666f726d5f75736572 NULL .1.3.6.1.6.3.10.1.1.2 0x9b5fb795af1b66c4e005278411b6f222 .1.3.6.1.6.3.10.1.2.1 0x 0x
engineBoots 4
oldEngineID 0x80001f888027d8fd7d2d53cf4f

When I query the usmUserTable, I also see the 3 users (empty columns not
shown):

SNMP table: SNMP-USER-BASED-SM-MIB::usmUserTable

index                             SecurityName    CloneFrom    AuthProtocol            PrivProtocol       StorageType  Status
"......j...Q.O"."my_rouser"       my_rouser       zeroDotZero  usmHMACMD5AuthProtocol  usmNoPrivProtocol  nonVolatile  active
"......j...Q.O"."my_rwuser"       my_rwuser       zeroDotZero  usmHMACMD5AuthProtocol  usmNoPrivProtocol  nonVolatile  active
"......j...Q.O"."my_inform_user"  my_inform_user  zeroDotZero  usmHMACMD5AuthProtocol  usmNoPrivProtocol  nonVolatile  active

Then I'll configure the snmpd to send SNMPv3 INFORMs using my_inform_user
as user to the snmptrapd (which listens at localhost:162), and I'll
configure this via the standard MIB tables snmpNotifyTable,
snmpTargetAddrTable and snmpTargetParamsTable. If I query them afterwards
with snmptable to check if their content is ok, I get:

-----------------------------------------------------------------
SNMP table: SNMP-NOTIFICATION-MIB::snmpNotifyTable

index                          Tag                     Type    StorageType  RowStatus
'localhost_informUser_notify'  localhostInformUserTag  inform  nonVolatile  active
-----------------------------------------------------------------
SNMP table: SNMP-TARGET-MIB::snmpTargetAddrTable

index                   TDomain                   TAddress              Timeout  RetryCount  TagList                 Params        StorageType  RowStatus
'localhost_informUser'  SNMPv2-TM::snmpUDPDomain  "7F 00 00 01 00 A2 "  1000     0           localhostInformUserTag  myInformUser  nonVolatile  active
-----------------------------------------------------------------
SNMP table: SNMP-TARGET-MIB::snmpTargetParamsTable

index           MPModel  SecurityModel  SecurityName    SecurityLevel  StorageType  RowStatus
'myInformUser'  3        3              my_inform_user  authNoPriv     nonVolatile  active

The snmpd added the following lines to the dynamic snmpd.conf file:

snmpNotifyTable 0x6c6f63616c686f73745f696e666f726d557365725f6e6f74696679 "localhostInformUserTag" 2 3 1
targetAddr localhost_informUser .1.3.6.1.6.1.1 0x7f00000100a2 1000 0 "localhostInformUserTag" myInformUser 3 1
targetParams myInformUser 3 3 my_inform_user 2 3 1

I made a small test subagent which can send a
NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatRate notification.

Until now everything is ok.

When I now request my subagent to send a netSnmpExampleHeartbeatRate, I
would assume snmpd forwards an SNMPv3 INFORM to the snmptrapd. I see the
snmpd does the engineId probe to get the engineId of the snmptrapd, it gets
it correctly, but then the snmpd logs an "USM authentication failure". My
guess was then: the snmpd can't find the user because it has to look for
the combination of snmptrapdEngineId and my_inform_user in usmUserTable.
But the usmUserTable only knows snmpdEngineId.my_inform_user, not
snmptrapdEngineId.my_inform_user.

To fix this problem, I cloned the user my_inform_user in the usmUserTable
by sending an snmpset command to snmpd. In essence, my command is:

SET( usmUserCloneFrom.snmptrapdEngineId.my_inform_user = snmpdEngineId.my_inform_user,
     usmUserStatus.snmptrapdEngineId.my_inform_user = createAndGo )

The snmpd adds the cloned user to its dynamic snmpd.conf, and hence the
file has 2 rows for my_inform_user, one for snmpdEngineId and one for
snmptrapdEngineId. I did not provide values for the keyChange column
(because I want the passphrase to stay the same, and I think I can do that
by not giving a value for keyChange).

/var/net-snmp/snmpd.conf becomes (the first 2 rows are for my_inform_user, the
2 other rows are for my_rouser and my_rwuser):

usmUser 1 3 0x80001f888027d8fd7d2d53cf4f 0x6d795f696e666f726d5f75736572 0x6d795f696e666f726d5f75736572 NULL .1.3.6.1.6.3.10.1.1.2 0x2f390d7294e1ca1b105007c794046193 .1.3.6.1.6.3.10.1.2.1 "" ""
usmUser 1 3 0x80001f8880c06ab707e551cf4f 0x6d795f696e666f726d5f75736572 0x6d795f696e666f726d5f75736572 NULL .1.3.6.1.6.3.10.1.1.2 0x2f390d7294e1ca1b105007c794046193 .1.3.6.1.6.3.10.1.2.1 0x 0x
usmUser 1 3 0x80001f8880c06ab707e551cf4f 0x6d795f726f75736572 0x6d795f726f75736572 NULL .1.3.6.1.6.3.10.1.1.2 0x35cf78de30df093456e16cf780075233 .1.3.6.1.6.3.10.1.2.1 0x 0x
usmUser 1 3 0x80001f8880c06ab707e551cf4f 0x6d795f727775736572 0x6d795f727775736572 NULL .1.3.6.1.6.3.10.1.1.2 0x38f812af4f4b12be9f9082ecb82d6843 .1.3.6.1.6.3.10.1.2.1 0x 0x

And if I do a query of the usmUserTable, I see the 4 users too:

index                             SecurityName    CloneFrom    AuthProtocol            PrivProtocol       StorageType  Status
".....'..}-S.O"."my_inform_user"  my_inform_user  zeroDotZero  usmHMACMD5AuthProtocol  usmNoPrivProtocol  nonVolatile  active
"......j...Q.O"."my_rouser"       my_rouser       zeroDotZero  usmHMACMD5AuthProtocol  usmNoPrivProtocol  nonVolatile  active
"......j...Q.O"."my_rwuser"       my_rwuser       zeroDotZero  usmHMACMD5AuthProtocol  usmNoPrivProtocol  nonVolatile  active
"......j...Q.O"."my_inform_user"  my_inform_user  zeroDotZero  usmHMACMD5AuthProtocol  usmNoPrivProtocol  nonVolatile  active

When I now request my subagent to send a netSnmpExampleHeartbeatRate, the
snmpd successfully sends an SNMPv3 INFORM, but the snmptrapd can't
authenticate it:

snmp_parse: Parsed SNMPv3 message (secName:my_inform_user, secLevel:authNoPriv): USM authentication failure (incorrect password or key)

This is not surprising: the clone operation gave the cloned user (=
snmptrapdEngineId.my_inform_user) the same localised keys as the original
user (snmpdEngineId.my_inform_user): the localised keys in
/var/net-snmp/snmpd.conf for the 2 my_inform_user rows are the same.

The problem is that the keys for the user snmptrapdEngineId.my_inform_user
are of course not ok: they are localised to snmpdEngineId, not to
snmptrapdEngineId.

I can fix this problem by not sending an snmpset command to clone the user,
but by stopping snmpd, removing the cloned user from the dynamic snmpd.conf
file and adding the following line to the file:

createUser -e 0x80001f888027d8fd7d2d53cf4f my_inform_user MD5 setup_inform_passphrase

This statement instructs the snmpd to localise the user to the
snmptrapdEngineId. If I then restart the snmpd, the 4 users in the
dynamic snmpd.conf are:

usmUser 1 3 0x80001f888027d8fd7d2d53cf4f 0x6d795f696e666f726d5f75736572 0x6d795f696e666f726d5f75736572 NULL .1.3.6.1.6.3.10.1.1.2 0x9b5fb795af1b66c4e005278411b6f222 .1.3.6.1.6.3.10.1.2.1 "" ""
usmUser 1 3 0x80001f8880c06ab707e551cf4f 0x6d795f696e666f726d5f75736572 0x6d795f696e666f726d5f75736572 NULL .1.3.6.1.6.3.10.1.1.2 0x2f390d7294e1ca1b105007c794046193 .1.3.6.1.6.3.10.1.2.1 0x 0x
usmUser 1 3 0x80001f8880c06ab707e551cf4f 0x6d795f726f75736572 0x6d795f726f75736572 NULL .1.3.6.1.6.3.10.1.1.2 0x35cf78de30df093456e16cf780075233 .1.3.6.1.6.3.10.1.2.1 0x 0x
usmUser 1 3 0x80001f8880c06ab707e551cf4f 0x6d795f727775736572 0x6d795f727775736572 NULL .1.3.6.1.6.3.10.1.1.2 0x38f812af4f4b12be9f9082ecb82d6843 .1.3.6.1.6.3.10.1.2.1 0x 0x

If I now request my subagent to send a netSnmpExampleHeartbeatRate,
everything works fine: the snmptrapd sees the SNMPv3 INFORM:

Jun  6 16:18:20 studio15 snmptrapd[6579]: UDP:
[127.0.0.1]:47932->[127.0.0.1]:162 [UDP:
[127.0.0.1]:47932->[127.0.0.1]:162]: Trap ,
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1717) 0:00:17.17,
SNMPv2-MIB::snmpTrapOID.0 = OID:
NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatNotification,
NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatRate.0 = INTEGER: 10

The problem is that I can't do this trick in a real network: there I would
like to configure everything via the MIBs, not by logging in on the device
and editing a text file. A possible solution would be to send a keyChange
value to fix the localised key of snmptrapdEngineId.my_inform_user. But I
couldn't get this working, and I think it will not work: the localised key
I'm trying to fix is localised to the wrong engineId. So I'm trying to fix
a wrong key. Probably this is not possible.



If I configure the SNMPv3 INFORM via a trapsess statement, then everything
works fine. I tried to figure out how it's possible that for that setup
there are no problems with engineIds and localised keys. My trapsess
statement in the static snmpd.conf (/usr/share/snmp/snmpd.conf) is:

trapsess -v 3 -Ci -u my_inform_user -l authNoPriv -a MD5 -A setup_inform_passphrase localhost

Querying the usmUserTable after startup shows the 3 configured users:

index                             SecurityName    CloneFrom    AuthProtocol            PrivProtocol       StorageType  Status
"......j...Q.O"."my_rouser"       my_rouser       zeroDotZero  usmHMACMD5AuthProtocol  usmNoPrivProtocol  nonVolatile  active
"......j...Q.O"."my_rwuser"       my_rwuser       zeroDotZero  usmHMACMD5AuthProtocol  usmNoPrivProtocol  nonVolatile  active
"......j...Q.O"."my_inform_user"  my_inform_user  zeroDotZero  usmHMACMD5AuthProtocol  usmNoPrivProtocol  nonVolatile  active

If I ask my subagent to send a netSnmpExampleHeartbeatRate, the snmpd sends
an SNMPv3 INFORM and the snmptrapd sees the INFORM. But if I query the
usmUserTable now, I see the snmpd automagically added a row with the
snmptrapdEngineId and probably the right keys!

index                             SecurityName    CloneFrom    AuthProtocol            PrivProtocol                                StorageType  Status
".....'..}-S.O"."my_inform_user"  my_inform_user  zeroDotZero  usmHMACMD5AuthProtocol  SNMP-USER-BASED-SM-MIB::usmDESPrivProtocol  readOnly     active
"......j...Q.O"."my_rouser"       my_rouser       zeroDotZero  usmHMACMD5AuthProtocol  SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol   nonVolatile  active
"......j...Q.O"."my_rwuser"       my_rwuser       zeroDotZero  usmHMACMD5AuthProtocol  SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol   nonVolatile  active
"......j...Q.O"."my_inform_user"  my_inform_user  zeroDotZero  usmHMACMD5AuthProtocol  SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol   nonVolatile  active

The snmpd automagically creates a row for snmptrapdEngineId.my_inform_user
if the INFORM is configured via the trapsess statement, but not when I
configure the same INFORM via the MIB tables.

Can somebody shed some light on this?

Actually, what I'm looking for is a kind of howto on how to configure
SNMPv3 INFORMs via the MIBs instead of via (the trapsess statement in) the
config files.

Thanks in advance for any help,

regards,

Patrick Rogier
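Since the whole post turns on why a cloned usmUserTable row carries a key that is useless to the snmptrapd, here is an added example (my own code, not from the post and not net-snmp's) that implements the RFC 3414 key derivation that createUser follows: passphrase to Ku (Appendix A.2.1), then Kul = MD5(Ku || snmpEngineID || Ku) (Appendix A.2.2). It uses the two engine IDs, the user name and the passphrase from the post, so its output can be compared against the 0x2f39... and 0x9b5f... keys in the usmUser lines above, which is what it is expected to print if net-snmp's createUser follows the RFC as intended. The usmUser line layout it renders is the one shown in the post, and the RFC 3414 Appendix A.3.1 "maplesyrup" vector is used as a self-check.

```python
"""Added example: SNMPv3 USM key localization per RFC 3414 (A.2.1 / A.2.2).

Shows why a row cloned from snmpdEngineId.my_inform_user cannot authenticate
to the snmptrapd, while "createUser -e <snmptrapdEngineId> ..." yields the
very key the snmptrapd derived for itself.
"""
import hashlib

# Engine IDs, user name and passphrase taken from the post.
SNMPD_ENGINE_ID = bytes.fromhex("80001f8880c06ab707e551cf4f")
SNMPTRAPD_ENGINE_ID = bytes.fromhex("80001f888027d8fd7d2d53cf4f")
INFORM_USER = "my_inform_user"
INFORM_PASSPHRASE = "setup_inform_passphrase"

# RFC 3414 A.2.1 hashes exactly 1 MiB of the cyclically repeated passphrase.
_EXPANSION_LEN = 1048576


def password_to_ku(password: str, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.1: Ku = H(passphrase repeated to 1048576 bytes).

    Ku depends only on the passphrase, never on an engine ID.
    """
    pw = password.encode()
    if not pw:
        raise ValueError("empty passphrase")
    reps, rem = divmod(_EXPANSION_LEN, len(pw))
    h = hashlib.new(hash_name)
    h.update(pw * reps)
    h.update(pw[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.2: Kul = H(Ku || snmpEngineID || Ku).

    This is what ends up in the usmUser line; it is bound to the
    authoritative engine ID used here (for INFORMs, the receiver's).
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_auth_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """What 'createUser [-e engine_id] user MD5 password' computes."""
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def usm_user_line(engine_id: bytes, user: str, auth_key: bytes) -> str:
    """Render a persistent usmUser line in the layout seen in the post
    (.1.3.6.1.6.3.10.1.1.2 = usmHMACMD5AuthProtocol,
    .1.3.6.1.6.3.10.1.2.1 = usmNoPrivProtocol, empty priv key)."""
    name_hex = "0x" + user.encode().hex()
    return (f"usmUser 1 3 0x{engine_id.hex()} {name_hex} {name_hex} NULL "
            f".1.3.6.1.6.3.10.1.1.2 0x{auth_key.hex()} .1.3.6.1.6.3.10.1.2.1 0x 0x")


def clone_vs_remote_localization() -> dict:
    """Compare the keys involved in the post's scenario.

    'cloned'   : what usmUserCloneFrom copies into the snmptrapdEngineId row
                 (the key localized to snmpdEngineId, byte for byte).
    'required' : what snmptrapd derived for the same passphrase, i.e. what
                 'createUser -e <snmptrapdEngineId>' produces on the snmpd.
    """
    cloned = localized_auth_key(INFORM_PASSPHRASE, SNMPD_ENGINE_ID)
    required = localized_auth_key(INFORM_PASSPHRASE, SNMPTRAPD_ENGINE_ID)
    return {
        "ku": password_to_ku(INFORM_PASSPHRASE),
        "cloned": cloned,
        "required": required,
        "clone_authenticates": cloned == required,
    }


if __name__ == "__main__":
    r = clone_vs_remote_localization()
    print("Ku (engine independent) :", r["ku"].hex())
    print("cloned row key          :", r["cloned"].hex())
    print("key snmptrapd expects   :", r["required"].hex())
    print("clone would authenticate:", r["clone_authenticates"])
    print(usm_user_line(SNMPTRAPD_ENGINE_ID, INFORM_USER, r["required"]))
```

The point the output makes: Ku is the same for both engines, so the passphrase is not the problem; only the localization step binds the key to an engine ID. usmUserCloneFrom copies Kul(snmpdEngineId) verbatim into the new row, which is why the post's two my_inform_user rows show identical keys and the snmptrapd rejects the INFORM. The receiver verifies against Kul(snmptrapdEngineId), which the agent can only obtain from the passphrase plus the remote engine ID (createUser -e) or by having that exact key delivered into the row through the KeyChange textual convention of RFC 3414, which is computed against the row's current key and can carry an arbitrary new key.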
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net