SNMP Inform with AES
Daniel Goertzen
2014-02-25 02:33:08 UTC
Hello, I am struggling to get SNMP Informs running from my Erlang agent to net-snmp snmptrapd. DES privacy works fine, but AES does not.

I am looking at RFC 3826 and am trying to understand how the IV is put together in the context of informs. I have some questions:

1. It says the IV is from the 32-bit authoritative engine boots, 32-bit engine time, and a 64-bit local integer. For informs the authoritative engine is where the inform is being sent, so should those engine parameters be used here?

2. Since the engine time is used in the IV, wouldn't the sender have to know the engine time of the target's engine almost exactly to avoid mismatch? If the time drifts, wouldn't the IV become incorrect and produce a garbage decrypt? Do receiving engines try multiple decrypts at various drifts to account for this?

Thanks,
Dan.
Daniel Goertzen
2014-02-25 12:54:55 UTC
We can probably scratch question #2. I see in the packet capture that the authoritative engine boots and time is included in the packet. I've been staring at this a bit too long...

Dan.
Post by Daniel Goertzen
Hello, I am struggling to get SNMP Informs running from my Erlang agent to net-snmp snmptrapd. DES privacy works fine, but AES does not.
1. It says the IV is from the 32-bit authoritative engine boots, 32-bit engine time, and a 64-bit local integer. For informs the authoritative engine is where the inform is being sent, so should those engine parameters be used here?
2. Since the engine time is used in the IV, wouldn't the sender have to know the engine time of the target's engine almost exactly to avoid mismatch? If the time drifts, wouldn't the IV become incorrect and produce a garbage decrypt? Do receiving engines try multiple decrypts at various drifts to account for this?
Thanks,
Dan.
Daniel Goertzen
2014-02-25 18:01:30 UTC
Also scratch #1. I patched the Erlang agent to use the correct engine id params (engine id of the target, which is authoritative for informs) and everything works swimmingly now.

Dan.
Post by Daniel Goertzen
We can probably scratch question #2. I see in the packet capture that the authoritative engine boots and time is included in the packet. I've been staring at this a bit too long...
Dan.
Post by Daniel Goertzen
Hello, I am struggling to get SNMP Informs running from my Erlang agent to net-snmp snmptrapd. DES privacy works fine, but AES does not.
1. It says the IV is from the 32-bit authoritative engine boots, 32-bit engine time, and a 64-bit local integer. For informs the authoritative engine is where the inform is being sent, so should those engine parameters be used here?
2. Since the engine time is used in the IV, wouldn't the sender have to know the engine time of the target's engine almost exactly to avoid mismatch? If the time drifts, wouldn't the IV become incorrect and produce a garbage decrypt? Do receiving engines try multiple decrypts at various drifts to account for this?
Thanks,
Dan.
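A worked illustration of the mechanism Dan ran into, added here as an example; it is not code from the thread, from Erlang/OTP or from net-snmp. RFC 3826 builds the 128-bit AES IV as the authoritative engine's snmpEngineBoots (32 bits) || snmpEngineTime (32 bits) || a 64-bit local salt, and only the salt travels in msgPrivacyParameters; the receiver takes boots and time from msgAuthoritativeEngineBoots/Time in the header. For an Inform the receiver is authoritative, so a sender that fills the header with the target's parameters (learned by discovery) but feeds its own engine's boots/time into the IV produces a message the receiver decrypts into garbage, with no error at the protocol level. RFC 3414 DES does not show this symptom because its 8-octet salt (boots || counter) is carried whole in msgPrivacyParameters. The key, engine parameters, salt and scopedPDU below are constructed; BER encoding and RFC 3414 key localization are omitted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// EngineParams are snmpEngineBoots and snmpEngineTime of an SNMP engine. In the
// SNMPv3 header they travel as msgAuthoritativeEngineBoots/Time and must belong
// to the *authoritative* engine: the receiver for Informs, the sender for Traps.
type EngineParams struct {
	Boots uint32
	Time  uint32
}

// Message is the subset of an SNMPv3 message that AES decryption needs.
// Constructed for this example; a real message is BER-encoded.
type Message struct {
	Header    EngineParams // msgAuthoritativeEngineBoots / msgAuthoritativeEngineTime
	Salt      [8]byte      // msgPrivacyParameters: the 64-bit local integer
	Encrypted []byte       // encryptedPDU
}

// BuildIV assembles the IV of RFC 3826 section 3.1.2.1:
// boots(32) || time(32) || salt(64), each big-endian.
func BuildIV(p EngineParams, salt [8]byte) [16]byte {
	var iv [16]byte
	binary.BigEndian.PutUint32(iv[0:4], p.Boots)
	binary.BigEndian.PutUint32(iv[4:8], p.Time)
	copy(iv[8:], salt[:])
	return iv
}

// aesCFB128 runs usmAesCfb128Protocol: AES-128 in CFB mode with a 128-bit
// feedback segment and no padding. The caller selects the direction.
func aesCFB128(key, iv [16]byte, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	var stream cipher.Stream
	if encrypt {
		stream = cipher.NewCFBEncrypter(block, iv[:])
	} else {
		stream = cipher.NewCFBDecrypter(block, iv[:])
	}
	out := make([]byte, len(in))
	stream.XORKeyStream(out, in)
	return out, nil
}

// SendInform encrypts scopedPDU. headerParams are the target's engine parameters
// (from discovery) placed in the header; ivParams are whatever the implementation
// feeds into the IV. A correct sender passes the same value for both.
func SendInform(key [16]byte, headerParams, ivParams EngineParams, salt [8]byte, scopedPDU []byte) (Message, error) {
	ct, err := aesCFB128(key, BuildIV(ivParams, salt), scopedPDU, true)
	if err != nil {
		return Message{}, err
	}
	return Message{Header: headerParams, Salt: salt, Encrypted: ct}, nil
}

// ReceiveInform is what the authoritative receiver does per RFC 3826 section
// 3.1.4: rebuild the IV from the header fields and the salt in the message.
// Nothing is guessed and no search over clock drift takes place.
func ReceiveInform(key [16]byte, m Message) ([]byte, error) {
	return aesCFB128(key, BuildIV(m.Header, m.Salt), m.Encrypted, false)
}

// InTimeWindow is the RFC 3414 section 3.2 timeliness check an authoritative
// receiver applies first: boots must match and time must be within 150 seconds.
func InTimeWindow(local, received EngineParams) bool {
	if local.Boots != received.Boots {
		return false
	}
	diff := int64(local.Time) - int64(received.Time)
	if diff < 0 {
		diff = -diff
	}
	return diff <= 150
}

// RoundTrip sends with the given header/IV parameters and decrypts as the
// receiver would, reporting whether the scopedPDU survived intact.
func RoundTrip(key [16]byte, headerParams, ivParams EngineParams, salt [8]byte, pdu []byte) (bool, error) {
	m, err := SendInform(key, headerParams, ivParams, salt, pdu)
	if err != nil {
		return false, err
	}
	got, err := ReceiveInform(key, m)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, pdu), nil
}

func main() {
	// Constructed values, not from any real deployment.
	key := [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16} // localized privKey
	target := EngineParams{Boots: 7, Time: 123456}                           // snmptrapd, authoritative for Informs
	sender := EngineParams{Boots: 3, Time: 98765}                            // the agent's own engine
	salt := [8]byte{0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 1}
	pdu := []byte("constructed scopedPDU: InformRequest")

	bad, _ := RoundTrip(key, target, sender, salt, pdu) // IV from the sender's own engine
	good, _ := RoundTrip(key, target, target, salt, pdu) // IV from the authoritative target
	fmt.Println("IV from sender's engine params decrypts:", bad)
	fmt.Println("IV from target's engine params decrypts:", good)
}
```

Because CFB is unauthenticated, a wrong IV never fails loudly; the receiver sees a scopedPDU that does not parse, which is why the symptom is a silently dropped Inform rather than a privacy error. Running the timeliness check before decryption (as RFC 3414 requires) is what bounds replay of captured encrypted PDUs.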
Alex Anto Navis Lawrence
2017-05-22 10:45:29 UTC
Hi Daniel,

I have been facing the same issue with AES for the snmpm module. Could you kindly share your patch, and whether any PR or issue was created for this in the Erlang codebase?

Thanks for taking time to fix this.

Thanks,
Alex
Post by Daniel Goertzen
Also scratch #1. I patched the Erlang agent to use the correct engine id params (engine id of the target, which is authoritative for informs) and everything works swimmingly now.
Dan.
Post by Daniel Goertzen
We can probably scratch question #2. I see in the packet capture that the authoritative engine boots and time is included in the packet. I've been staring at this a bit too long...
Dan.
Post by Daniel Goertzen
Hello, I am struggling to get SNMP Informs running from my Erlang agent to net-snmp snmptrapd. DES privacy works fine, but AES does not.
1. It says the IV is from the 32-bit authoritative engine boots, 32-bit engine time, and a 64-bit local integer. For informs the authoritative engine is where the inform is being sent, so should those engine parameters be used here?
2. Since the engine time is used in the IV, wouldn't the sender have to know the engine time of the target's engine almost exactly to avoid mismatch? If the time drifts, wouldn't the IV become incorrect and produce a garbage decrypt? Do receiving engines try multiple decrypts at various drifts to account for this?
Thanks,
Dan.