Re: Call for testers: SNMPv3 support for bsnmpd(1)

From: Shteryana Shopova <syrinx_at_FreeBSD.org>
Date: Thu, 3 Apr 2014 16:08:49 +0300
Hi all,

OK, I discovered and fixed several v3 bugs while testing this config.

1) A regression introduced with SVN r256678 breaking parsing of v3
authentication part of a PDU - this is only in current; stable should
be fine; I've uploaded a patch here -
http://people.freebsd.org/~syrinx/snmp/libsnmp-v3-auth-20140403-01.diff

2) A bug in decoding string indexes in snmp_target(3), thus causing
bsnmpd(1) to not send v3 notifications properly and two missing return
statements which could lead to abort() in case of a rollback - this
has never worked in the svn tree, I am not sure why the patch didn't
make it - a patch is available here -
http://people.freebsd.org/~syrinx/snmp/snmp_target-20140403-01.diff,
it was generated against head, but should apply cleanly against stable
too - to patch the module

#cd
#fetch http://people.freebsd.org/~syrinx/snmp/snmp_target-20140403-01.diff
#cd <sources-directory>/contrib/bsnmp
#patch < snmp_target-20140403-01.diff
#cd ../../usr.sbin/bsnmpd/modules/snmp_target/
#make && make install

3) A problem with old SNMP engine time being returned to the client in
some cases (relevant to v3 only again) which would cause subsequent
PDUs coming from the same client to be considered out-of-time-window
and discarded - patch is available here -
http://people.freebsd.org/~syrinx/snmp/bsnmpd-engine-time-20140403-01.diff

4) There is also a problem with the handling of the connected UDP
sockets - e.g. if the client listening for the trap has not been
available for some time, the socket error is not cleared until the
first send() - causing "snmpd[8573]: send: Connection refused"
messages in syslog even though the trap was successfully sent - an old
patch (pre-v3 sources) is available here -
http://people.freebsd.org/~syrinx/snmp/bsnmp-20101220-03.diff, I'll
update it against head too

Comments, reviews and test reports are very welcome.

Now, the needed configuration for encrypted traps -
1) bsnmpd(1) part

#First v3 SNMP Engine value should be set, e.g.
engine := 0x80:0x10:0x08:0x10:0x80:0x25
snmpEngineID = $(engine)

# USM module should be enabled and at least one user with proper
# credentials created
user1 := "bsnmp"
user1passwd := 0x22:0x98:0x1a:0x6e:0x39:0x93:0x16:0x5e:0x6a:0x21:0x1b:0xd8:0xa9:0x81:0x31:0x05:0x16:0x33:0x38:0x60
#
# SNMPv3 User-based security module - must be loaded for SNMPv3 USM
#
begemotSnmpdModulePath."usm"    = "/usr/lib/snmp_usm.so"

# Definition of user "bsnmp" with password "bsnmptest"
usmUserStatus.$(engine).$(user1) = 5
usmUserAuthProtocol.$(engine).$(user1) = $(HMACSHAAuthProtocol)
usmUserAuthKeyChange.$(engine).$(user1) = $(user1passwd)
usmUserPrivProtocol.$(engine).$(user1) = $(AesCfb128Protocol)
usmUserPrivKeyChange.$(engine).$(user1) = $(user1passwd)
usmUserStatus.$(engine).$(user1) = 1

# Definition of a Notification target where traps will be sent with the
# credentials of $user1
#
# SNMPv3 Notification Targets module
#
begemotSnmpdModulePath."target"    = "/usr/lib/snmp_target.so"
tag        := "test"
snmpNotifyRowStatus.$(tag) = 4
snmpNotifyTag.$(tag) = $(tag)

#
# Specify the target parameters for the notifications - send with the
# credentials of user $user1
#
snmpTargetParamsRowStatus.$(tag) = 5
snmpTargetParamsMPModel.$(tag) = $(MPmodelSNMPv3)
snmpTargetParamsSecurityModel.$(tag) = $(securityModelUSM)
snmpTargetParamsSecurityName.$(tag) = $(user1)
snmpTargetParamsSecurityLevel.$(tag) = $(authPriv)
snmpTargetParamsRowStatus.$(tag) = 1

#
# Define the notifications' target address - port 162 on localhost
#
snmpTargetAddrRowStatus.$(tag) = 5
# hexstring representing 10.0.0.119 in 4 octets and port 162 in two octets
snmpTargetAddrTAddress.$(tag) = 0x0a:0x0:0x0:0x01:0x0:0xa2
snmpTargetAddrTagList.$(tag) = "test notification"
snmpTargetAddrParams.$(tag) = $(tag)
snmpTargetAddrRowStatus.$(tag) = 1

2) To receive the traps with net-snmp's snmptrapd put the following
configuration in /etc/snmp/snmptrapd.conf
createUser -e 0x801008108025 bsnmp SHA "bsnmptest" AES "bsnmptest"
authuser log bsnmp

and start it e.g.
#snmptrapd -f -C -c /etc/snmp/snmptrapd.conf -Le

cheers,
Shteryana

On Tue, Apr 1, 2014 at 2:47 PM, Marciano, Anthony <amarcian_at_redcom.com> wrote:
> Thanks Harti.
>
> Tony
>
> -----Original Message-----
> From: Hartmut Brandt [mailto:hartmut.brandt_at_dlr.de]
> Sent: Tuesday, April 01, 2014 2:06 AM
> To: Marciano, Anthony
> Cc: syrinx_at_FreeBSD.org; Bjoern A. Zeeb; freebsd-current_at_freebsd.org; tomarox52_at_gmail.com
> Subject: RE: Call for testers: SNMPv3 support for bsnmpd(1)
>
> On Mon, 31 Mar 2014, Marciano, Anthony wrote:
>
> MA>Currently, we are just looking to monitor standard objects such as
> MA>interfaces and send traps accordingly. Would it be possible to
> MA>provide a trap example of what needs to be added to the snmpd.config
> MA>file to monitor an object and have it sent via V3?
> MA>
> MA>I've searched for this information and read through various RFCs but
> MA>have not discovered any bsnmpd specific trap syntax and/or examples.
>
> Well, bsnmp can send only the standard traps currently. This is configured via the begemotTrapSinkTable (/usr/share/snmp/mibs/BEGEMOT-SNMPD.txt).
> Each row in the table is a trap target and all traps are sent to all targets in the table. I don't know how this interacts with v3, though.
>
> harti
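The snmpEngineID and snmpTargetAddrTAddress hexstrings in the bsnmpd(1) configuration above are easy to get wrong by hand, and the same engine ID has to be repeated in snmptrapd's createUser line in a different notation. The Python helpers below are an added example (not bsnmp or net-snmp code) that convert between bsnmpd's colon-separated hexstring, a dotted IPv4/port pair (SnmpUDPAddress: 4 address octets plus a 2-octet big-endian port), and the contiguous `0x...` form that snmptrapd's `createUser -e` expects; decoding the sample TAddress from the mail yields 10.0.0.1 port 162.

```python
"""Conversion helpers for bsnmpd(1) SNMPv3 hexstring values.

Added example, not part of bsnmp or net-snmp.  Covers:
  - snmpEngineID            -> snmptrapd 'createUser -e 0x...' form
  - snmpTargetAddrTAddress  -> (IPv4, port) and back (SnmpUDPAddress layout)
"""
import ipaddress
import struct


def parse_hexstring(value: str) -> bytes:
    """bsnmpd form '0x0a:0x0:0x0:0x01:0x0:0xa2' -> raw bytes."""
    return bytes(int(octet, 16) for octet in value.split(":"))


def to_hexstring(raw: bytes) -> str:
    """raw bytes -> bsnmpd form '0x0a:0x00:0x00:0x01:0x00:0xa2'."""
    return ":".join(f"0x{b:02x}" for b in raw)


def decode_udp_taddress(value: str) -> tuple[str, int]:
    """snmpTargetAddrTAddress hexstring -> (ipv4, port).

    SnmpUDPAddress is exactly 6 octets: 4 for the address, 2 for the port
    in network byte order; anything else is rejected rather than guessed.
    """
    raw = parse_hexstring(value)
    if len(raw) != 6:
        raise ValueError(f"SnmpUDPAddress needs 6 octets, got {len(raw)}")
    ip = str(ipaddress.IPv4Address(raw[:4]))
    (port,) = struct.unpack("!H", raw[4:])
    return ip, port


def encode_udp_taddress(ip: str, port: int) -> str:
    """(ipv4, port) -> snmpTargetAddrTAddress hexstring for snmpd.config."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return to_hexstring(ipaddress.IPv4Address(ip).packed + struct.pack("!H", port))


def engine_id_for_snmptrapd(value: str) -> str:
    """bsnmpd engine hexstring -> contiguous form used by 'createUser -e'."""
    return "0x" + parse_hexstring(value).hex()


if __name__ == "__main__":
    # Values taken from the configuration in the mail above.
    print(decode_udp_taddress("0x0a:0x0:0x0:0x01:0x0:0xa2"))      # ('10.0.0.1', 162)
    print(encode_udp_taddress("127.0.0.1", 162))                   # localhost:162
    print(engine_id_for_snmptrapd("0x80:0x10:0x08:0x10:0x80:0x25"))  # 0x801008108025
```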
Received on Thu Apr 03 2014 - 11:08:52 UTC
