RE: Call for testers: SNMPv3 support for bsnmpd(1)

From: Marciano, Anthony <amarcian_at_redcom.com>
Date: Thu, 3 Apr 2014 10:24:30 -0400
Awesome!

Thanks so much for all of your work.

Much appreciated.

Tony

-----Original Message-----
From: shteryana_at_gmail.com [mailto:shteryana_at_gmail.com] On Behalf Of Shteryana Shopova
Sent: Thursday, April 03, 2014 9:09 AM
To: Marciano, Anthony
Cc: Hartmut Brandt; Bjoern A. Zeeb; freebsd-current_at_freebsd.org; tomarox52_at_gmail.com
Subject: Re: Call for testers: SNMPv3 support for bsnmpd(1)

Hi all,

OK, I discovered and fixed several v3 bugs while testing this config.

1) A regression introduced with SVN r256678 breaking parsing of v3 authentication part of a PDU - this is only in current; stable should be fine; I've uploaded a patch here - http://people.freebsd.org/~syrinx/snmp/libsnmp-v3-auth-20140403-01.diff


2) A bug in decoding string indexes in snmp_target(3), thus causing bsnmpd(1) to not send v3 notifications properly and two missing return statements which could lead to abort() in case of a rollback - this has never worked in the svn tree, I am not sure why the patch didn't make it - a patch is available here - http://people.freebsd.org/~syrinx/snmp/snmp_target-20140403-01.diff, it was generated against head, but should apply cleanly against stable too - to patch the module

#cd
#fetch http://people.freebsd.org/~syrinx/snmp/snmp_target-20140403-01.diff

#cd <sources-directory>/contrib/bsnmp
#patch < snmp_target-20140403-01.diff
#cd ../../usr.sbin/bsnmpd/modules/snmp_target/
#make && make install

3) A problem with old SNMP engine time being returned to the client in some cases (relevant to v3 only again) which would cause subsequent PDUs coming from the same client to be considered out-of-time-window and discarded - patch is available here - http://people.freebsd.org/~syrinx/snmp/bsnmpd-engine-time-20140403-01.diff


4) There is also a problem with the handling of the connected UDP sockets - e.g. if the client listening for the trap has not been available for some time, the socket error is not cleared until the first send() - causing "snmpd[8573]: send: Connection refused" messages in syslog even though the trap was successfully sent - an old patch (pre-v3 sources) is available here - http://people.freebsd.org/~syrinx/snmp/bsnmp-20101220-03.diff, I'll update it against head too

Comments, reviews and test reports are very welcome.

Now, the needed configuration for encrypted traps -
1) bsnmpd(1) part

#First v3 SNMP Engine value should be set, e.g.
engine := 0x80:0x10:0x08:0x10:0x80:0x25
snmpEngineID = $(engine)

#USM module should be enabled and at least one user with proper credentials created
user1 := "bsnmp"
user1passwd := 0x22:0x98:0x1a:0x6e:0x39:0x93:0x16:0x5e:0x6a:0x21:0x1b:0xd8:0xa9:0x81:0x31:0x05:0x16:0x33:0x38:0x60
#
# SNMPv3 User-based security module - must be loaded for SNMPv3 USM #
begemotSnmpdModulePath."usm"    = "/usr/lib/snmp_usm.so"

# Definition of user "bsnmp" with password "bsnmptest"
usmUserStatus.$(engine).$(user1) = 5
usmUserAuthProtocol.$(engine).$(user1) = $(HMACSHAAuthProtocol)
usmUserAuthKeyChange.$(engine).$(user1) = $(user1passwd)
usmUserPrivProtocol.$(engine).$(user1) = $(AesCfb128Protocol)
usmUserPrivKeyChange.$(engine).$(user1) = $(user1passwd)
usmUserStatus.$(engine).$(user1) = 1

# Definition of a Notification target where traps will be sent with the credentials of $user1
#
# SNMPv3 Notification Targets module
#
begemotSnmpdModulePath."target"    = "/usr/lib/snmp_target.so"
tag        := "test"
snmpNotifyRowStatus.$(tag) = 4
snmpNotifyTag.$(tag) = $(tag)

#
# Specify the target parameters for the notifications - send with the credentials
# of user $user1
#
snmpTargetParamsRowStatus.$(tag) = 5
snmpTargetParamsMPModel.$(tag) = $(MPmodelSNMPv3)
snmpTargetParamsSecurityModel.$(tag) = $(securityModelUSM)
snmpTargetParamsSecurityName.$(tag) = $(user1)
snmpTargetParamsSecurityLevel.$(tag) = $(authPriv)
snmpTargetParamsRowStatus.$(tag) = 1

#
# Define the notifications' target address - port 162 on localhost #
snmpTargetAddrRowStatus.$(tag) = 5
snmpTargetAddrTAddress.$(tag) = 0x0a:0x0:0x0:0x01:0x0:0xa2 # hexstring representing 10.0.0.119 in 4 octets and port 162 in two octets
snmpTargetAddrTagList.$(tag) = "test notification"
snmpTargetAddrParams.$(tag) = $(tag)
snmpTargetAddrRowStatus.$(tag) = 1

2) To receive the traps with net-snmp's snmptrapd put the following configuration in /etc/snmp/snmptrapd.conf

createUser -e 0x801008108025 bsnmp SHA "bsnmptest" AES "bsnmptest"
authuser log bsnmp

and start it e.g.
#snmptrapd -f -C -c /etc/snmp/snmptrapd.conf -Le

cheers,
Shteryana

On Tue, Apr 1, 2014 at 2:47 PM, Marciano, Anthony <amarcian_at_redcom.com> wrote:
> Thank Harti.
>
> Tony
>
> -----Original Message-----
> From: Hartmut Brandt [mailto:hartmut.brandt_at_dlr.de]
> Sent: Tuesday, April 01, 2014 2:06 AM
> To: Marciano, Anthony
> Cc: syrinx_at_FreeBSD.org; Bjoern A. Zeeb; freebsd-current_at_freebsd.org; 
> tomarox52_at_gmail.com
> Subject: RE: Call for testers: SNMPv3 support for bsnmpd(1)
>
> On Mon, 31 Mar 2014, Marciano, Anthony wrote:
>
> MA>Currently, we are just looking to monitor standard objects such as 
> MA>interfaces and send traps accordingly. Would it be possible to 
> MA>provide a trap example of what needs to be added to the 
> MA>snmpd.config file to monitor an object and have it sent via V3?
> MA>
> MA>I've searched for this information and read through various RFCs 
> MA>but have not discovered any bsnmpd specific trap syntax and/or examples.
>
> Well, bsnmp can send only the standard traps currently. This is configured via the begemotTrapSinkTable (/usr/share/snmp/mibs/BEGEMOT-SNMPD.txt).
> Each row in the table is a trap target and all traps are sent to all targets in the table. I don't know, how this interacts with v3, though.
>
> harti
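A small helper, added here and not part of the mail or of bsnmp, for checking the hex values in the configuration above: it converts bsnmpd's colon-separated hex into the single 0x... token that snmptrapd's createUser -e takes, encodes and decodes the 6-octet SnmpUDPAddress used for snmpTargetAddrTAddress, and derives an RFC 3414 localized key. It assumes, as the 20-byte user1passwd suggests, that usmUserAuthKeyChange in the bsnmpd config carries the localized key rather than the plain password.

```python
"""Conversion helpers for the bsnmpd(1) SNMPv3 trap configuration.

Added example, not code from the mail thread or from bsnmp.  Formats:
  - bsnmpd OCTET STRING values:  0x80:0x10:0x08:0x10:0x80:0x25
  - net-snmp createUser -e:      0x801008108025
  - SnmpUDPAddress (RFC 3417):   4 octets IPv4 + 2 octets port, big endian
Key localization follows RFC 3414 appendix A.2 (assumed to be what the
20-byte usmUserAuthKeyChange value in the config represents).
"""
import hashlib
import ipaddress
import struct


def from_bsnmp_hex(text: str) -> bytes:
    """Parse '0x0a:0x0:0x0:0x01:0x0:0xa2' into bytes (short '0x0' is allowed)."""
    return bytes(int(tok, 16) for tok in text.split(":"))


def to_bsnmp_hex(data: bytes) -> str:
    """Render bytes in the colon-separated form bsnmpd's config uses."""
    return ":".join(f"0x{b:02x}" for b in data)


def to_netsnmp_hex(data: bytes) -> str:
    """Render bytes as one 0x... token, as used by 'createUser -e <engineID>'."""
    return "0x" + data.hex()


def encode_taddress(host: str, port: int) -> str:
    """Build a snmpTargetAddrTAddress value for a UDP/IPv4 notification target."""
    return to_bsnmp_hex(ipaddress.IPv4Address(host).packed + struct.pack("!H", port))


def decode_taddress(text: str) -> tuple:
    """Inverse of encode_taddress; rejects values that are not 6 octets long."""
    raw = from_bsnmp_hex(text)
    if len(raw) != 6:
        raise ValueError(f"SnmpUDPAddress must be 6 octets, got {len(raw)}")
    return str(ipaddress.IPv4Address(raw[:4])), struct.unpack("!H", raw[4:])[0]


def localized_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to 1 MiB); Kul = H(Ku | engineID | Ku)."""
    pw = password.encode()
    reps, rem = divmod(1048576, len(pw))
    ku = hashlib.new(algo, pw * reps + pw[:rem]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()
```

decode_taddress() lets you confirm that a TAddress value really names the host and port you intended before the daemon is restarted.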
Received on Thu Apr 03 2014 - 12:24:47 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:48 UTC