
This queue is for tickets about the Net-SNMP CPAN distribution.

Report information
The Basics
Id: 55088
Status: rejected
Worked: 10 min
Priority: 0/
Queue: Net-SNMP

People
Owner: dtown [...] cpan.org
Requestors: lars.gloeckner [...] t-systems.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: SNMPv3 Synchronization hangs with some agents and has one unnecessary packet exchange with net-snmp agent
Hi David,

I want to use Net-SNMP in SNMPv3 AuthPriv mode with the sysedge client from CA / Concord and I get the messages:

    error: [2514] Net::SNMP::__ANON__(): No response from remote host 'lenny' during synchronization
    debug: [2567] Net::SNMP::_discovery_synchronization_cb(): synchronization failed

I get successful answers if I use snmpget or snmpwalk from net-snmp with SNMPv3. Using the net-snmp agent I found the following differences in the communication between snmpget and Net::SNMP to the agent.

Discovery Phase

1. snmpget and Net::SNMP send an empty SNMPv3 request.
2. The net-snmp daemon and sysedge answer with an SNMPv3 Report PDU with the OID usmStatsUnknownEngineIDs, where in the PDU msgAuthoritativeEngineID, msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime are set.
3a. snmpget sends an encrypted SNMPv3 request with the now known values of the agent's msgAuthoritativeEngineID, msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime.
3b. Net::SNMP sends an encrypted SNMPv3 request with the now known value of msgAuthoritativeEngineID, but msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime are 0.
4a. The net-snmp daemon and sysedge answer snmpget with the encrypted SNMPv3 response - communication is successful.
4b-1. The net-snmp daemon answers with a new Report PDU usmStatsNotInTimeWindows, and in the next request Net::SNMP takes over msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime from the agent - communication is successful, but has one unnecessary packet exchange.
4b-2. The sysedge daemon ignores the message with the unset msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime - communication times out and fails.

I suggest implementing the same SNMPv3 behaviour as net-snmp snmpget, ... With the following patches this behaviour could be reached:

------------------------------------------
Net-SNMP-6.0.0
> cat USM.pm-6.0.0.patch
--- USM.pm.orig 2009-09-09 17:13:02.000000000 +0200 +++ USM.pm 2010-03-01 09:05:54.000000000 +0100 @@ -454,7 +454,7 @@ } else { # Handle authoritativeEngineID discovery - if (!defined $this->_engine_id_discovery($msg_engine_id)) { + if (!defined $this->_engine_id_discovery($msg_engine_id, $msg_engine_boots, $msg_engine_time)) { return $this->_error(); } @@ -982,7 +982,10 @@ sub _engine_id_discovery { - my ($this, $engine_id) = @_; + my $this = shift; + my $engine_id = shift; + my $msg_engine_boots = shift || 0; + my $msg_engine_time = shift || 0; return TRUE if ($this->{_authoritative}); @@ -1003,6 +1006,10 @@ return $this->_error(); } + if (!$this->_synchronize($msg_engine_boots, $msg_engine_time)) { + return $this->_error; + } + return TRUE; } ------------------------------------------ Net-SNMP-5.2.0 Show quoted text
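Review bot: the `_synchronize($msg_engine_boots, $msg_engine_time)` call added in the third hunk (just before `return TRUE;` in `_engine_id_discovery`) seeds the manager's msgAuthoritativeEngineBoots/Time, which is the state USM uses for its time-window replay check, from the usmStatsUnknownEngineIDs Report, and that Report is sent by the agent without authentication. RFC 3414 section 4 has the manager learn these values from an authenticated exchange instead (request with boots/time zero, then a notInTimeWindow Report at authNoPriv), so this hunk changes the trust model, not just the packet count; if the shortcut is kept to cope with agents that drop out-of-window requests, put it behind an option rather than making it the default and say so in the patch description. Minor: the new `return $this->_error;` drops the parentheses that the surrounding 6.0.0 code uses (`return $this->_error();`).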
> cat USM.pm-5.2.0.patch
--- USM.pm.orig 2010-03-01 08:24:07.000000000 +0100 +++ USM.pm 2010-03-01 08:45:28.000000000 +0100 @@ -447,7 +447,7 @@ } else { # Handle authoritativeEngineID discovery - if (!defined($this->_engine_id_discovery($msg_engine_id))) { + if (!defined($this->_engine_id_discovery($msg_engine_id, $msg_engine_boots, $msg_engine_time))) { return $this->_error; } @@ -985,7 +985,10 @@ sub _engine_id_discovery { - my ($this, $engine_id) = @_; + my $this = shift; + my $engine_id = shift; + my $msg_engine_boots = shift || 0; + my $msg_engine_time = shift || 0; return TRUE if ($this->{_authoritative}); @@ -997,6 +1000,9 @@ $this->{_discovered} = FALSE; return $this->_error; } + if (!$this->_synchronize($msg_engine_boots, $msg_engine_time)) { + return $this->_error; + } } else { return $this->_error( 'Invalid incoming msgAuthoritativeEngineID length [%d octet%s]', Best Regards Lars Gloeckner
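Review bot: the first hunk passes `$msg_engine_boots` and `$msg_engine_time` into `_engine_id_discovery`, but their declaration is outside the hunk's context, so confirm they hold the values parsed from the incoming Report at that point and not the manager's own (still zero) counters; the `shift || 0` defaults added in the second hunk would silently turn a missing argument into a `_synchronize(0, 0)` call instead of failing loudly. The `_synchronize` call in the third hunk sits inside the branch that has just validated the engine ID length, which is the right place, but it adopts boots/time from the unauthenticated unknownEngineID Report rather than from the authenticated notInTimeWindow exchange of RFC 3414 section 4; a note on that trade-off, and a test against both a net-snmp agent and the sysedge agent, would help the maintainer evaluate it.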
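The exchange Lars describes (unknownEngineID Report, authenticated request, then either a notInTimeWindow Report or a silent drop), as an added simulation that is not part of the ticket and is not Net::SNMP or net-snmp code. It models only the state machine from RFC 3414 sections 2.3, 3.2 and 4 with plain dicts; there is no BER, HMAC or encryption. The agent's engine ID, boots=3 and time=1200 are constructed values, and `Agent`, `Manager` and `run_scenario` are names chosen here. It goes a little beyond the ticket by making the agent's time-window check explicit (boots must match and time must be within 150 seconds), so that outcomes 4a, 4b-1 and 4b-2 all fall out of the same manager code depending on one flag: whether boots/time are adopted from the unauthenticated discovery Report.

```python
"""SNMPv3 USM discovery and time-window exchange, modelled on the ticket.

Added illustration, not code from Net::SNMP or net-snmp.  PDUs are plain
dicts; the point is the state each side keeps (RFC 3414 sections 2.3, 3.2
and 4) and which packet the manager is willing to learn
msgAuthoritativeEngineBoots/Time from.  All agent values are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

TIME_WINDOW = 150                  # RFC 3414 section 2.3: +/- 150 seconds
ENGINE_BOOTS_MAX = 2147483647      # an engine at this value never re-syncs
USM_UNKNOWN_ENGINE_IDS = "usmStatsUnknownEngineIDs"    # 1.3.6.1.6.3.15.1.1.4
USM_NOT_IN_TIME_WINDOWS = "usmStatsNotInTimeWindows"   # 1.3.6.1.6.3.15.1.1.2


@dataclass
class Agent:
    """Authoritative engine.  reports_time_window=False models the sysedge
    behaviour from the ticket: an out-of-window request is silently dropped."""
    engine_id: bytes
    boots: int
    time: int
    reports_time_window: bool = True

    def handle(self, msg: dict) -> Optional[dict]:
        # RFC 3414 3.2 step 3: unknown msgAuthoritativeEngineID -> Report PDU
        # carrying our engineID/boots/time.  This Report is NOT authenticated.
        if msg["engine_id"] != self.engine_id:
            return {"report": USM_UNKNOWN_ENGINE_IDS, "engine_id": self.engine_id,
                    "boots": self.boots, "time": self.time, "authenticated": False}
        # RFC 3414 3.2 step 7a: time-window check by the authoritative engine.
        outside = (self.boots == ENGINE_BOOTS_MAX
                   or msg["boots"] != self.boots
                   or abs(msg["time"] - self.time) > TIME_WINDOW)
        if outside:
            if not self.reports_time_window:
                return None                          # manager will time out
            # notInTimeWindow must be reported with securityLevel authNoPriv.
            return {"report": USM_NOT_IN_TIME_WINDOWS, "engine_id": self.engine_id,
                    "boots": self.boots, "time": self.time, "authenticated": True}
        return {"response": "ok", "engine_id": self.engine_id}


@dataclass
class Manager:
    """Non-authoritative engine.  trust_unauthenticated_report=True is the
    snmpget behaviour the ticket asks for; False is the RFC 3414 section 4
    procedure (zero boots/time, learn them from an authenticated Report)."""
    trust_unauthenticated_report: bool
    engine_id: bytes = b""
    boots: int = 0
    time: int = 0
    exchanges: list = field(default_factory=list)

    def _synchronize(self, rep: dict) -> None:
        self.boots, self.time = rep["boots"], rep["time"]

    def get(self, agent: Agent, max_round_trips: int = 4) -> str:
        for _ in range(max_round_trips):
            req = {"engine_id": self.engine_id, "boots": self.boots, "time": self.time}
            rep = agent.handle(req)
            self.exchanges.append((req, rep))
            if rep is None:
                return "timeout"
            if "response" in rep:
                return "ok"
            if rep["report"] == USM_UNKNOWN_ENGINE_IDS:
                self.engine_id = rep["engine_id"]      # discovery, both strategies
                if self.trust_unauthenticated_report:
                    self._synchronize(rep)             # clock taken from unauthenticated PDU
            elif rep["report"] == USM_NOT_IN_TIME_WINDOWS and rep["authenticated"]:
                self._synchronize(rep)                 # RFC 3414 section 4 sync step
            else:
                return "error"                         # unauthenticated time report: refuse
        return "error"


def run_scenario(trust_unauthenticated_report: bool, agent_reports_time_window: bool):
    """Return (result, round_trips, manager_boots, manager_time)."""
    agent = Agent(engine_id=b"\x80\x00\x1f\x88\x80\x01\x02\x03\x04",   # constructed
                  boots=3, time=1200, reports_time_window=agent_reports_time_window)
    mgr = Manager(trust_unauthenticated_report=trust_unauthenticated_report)
    result = mgr.get(agent)
    return result, len(mgr.exchanges), mgr.boots, mgr.time


if __name__ == "__main__":
    for trust in (False, True):
        for reports in (True, False):
            print(f"trust_report={trust!s:5} agent_reports_window={reports!s:5} ->",
                  run_scenario(trust, reports))
```

Running it prints the four combinations: the RFC-style manager needs three round trips against an agent that reports notInTimeWindow and times out after two against one that drops the request, while the snmpget-style manager succeeds in two either way. The price of the second strategy is that the manager's boots/time, the state behind USM's replay protection, is seeded from a Report PDU that nothing has authenticated, which is the trade-off a patch like the one above should state explicitly.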
The Net::SNMP module is following the recommended discovery method defined in Section 4 of RFC 3414:

    If authenticated communication is required, then the discovery process should also establish time synchronization with the authoritative SNMP engine. This may be accomplished by sending an authenticated Request message with the value of msgAuthoritativeEngineID set to the newly learned snmpEngineID and with the values of msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime set to zero.

It appears that the agent being queried is not properly following Section 3.2 of RFC 3414:

    7 a) ... If the message is considered to be outside of the Time Window then the usmStatsNotInTimeWindows counter is incremented and an error indication (notInTimeWindow) together with the OID, the value of the incremented counter, and an indication that the error must be reported with a securityLevel of authNoPriv, is returned to the calling module

I would like to keep the Net::SNMP module in line with RFC 3414, so I do not plan on making any changes.

You can achieve your desired behavior by overriding the discovered() method in the Net::SNMP::Security::USM module. Declare the following after specifically loading the Net::SNMP::Security::USM module:

    use Net::SNMP;
    use Net::SNMP::Security::USM;

    ...

    sub Net::SNMP::Security::USM::discovered
    {
       my ($this) = @_;
       return $this->{_discovered};
    }

    ...

-David