Skip Menu |
 

This queue is for tickets about the Net-SNMP CPAN distribution.

Report information
The Basics
Id: 55088
Status: rejected
Worked: 10 min
Priority: 0/
Queue: Net-SNMP

People
Owner: dtown [...] cpan.org
Requestors: lars.gloeckner [...] t-systems.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: SNMPv3 Synchronization hangs with some agents and has one unnecessary packet exchange with net-snmp agent
Download (untitled) / with headers
text/plain 3.7k
Hi David, I want to use Net-SNMP in SNMPv3 AuthPriv mode with the sysedge Client from CA / Concord and I get the messages: error: [2514] Net::SNMP::__ANON__(): No response from remote host 'lenny' during synchronization debug: [2567] Net::SNMP::_discovery_synchronization_cb(): synchronization failed I get successful answers, if I use snmpget or snmpwalk from net-snmp with SNMPv3. Using the net-snmp agent I found the following differences in the communication between snmpget and Net::SNMP to the agent. Discovery Phase 1. snmpget and Net::SNMP send an empty SNMPv3 Request 2. net-snmp daemon and sysedge answer with a SNMPv3 Report PDU with the OID usmStatsUnknownEngineIDs, where in the PDU msgAuthoritativeEngineID, msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime are setted 3a. snmpget sends an encrypted SNMPv3 request with the now known values of the agents msgAuthoritativeEngineID, msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime 3b. Net::SNMP sends an encrypted SNMPv3 request with the now known value of msgAuthoritativeEngineID, but msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime are 0 4a. net-snmp daemon and sysedge answer to snmpget with the encrypted SNMPv3 response - communication is successfully 4b-1. net-snmp daemon answers with a new Report PDU usmStatsNotInTimeWindows and in the next request Net::SNMP takes over msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime from the agent - communication is successfully, but has one unnecessary packet exchange 4b-2. sysedge daemon ignores the message with the unsetted msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime - communication times out and fails. I suggest to implement the same SNMPv3 behaviour like net-snmp snmpget, ... With the following Patches this behaviour could be reached: ------------------------------------------ Net-SNMP-6.0.0 Show quoted text
> cat USM.pm-6.0.0.patch
--- USM.pm.orig 2009-09-09 17:13:02.000000000 +0200 +++ USM.pm 2010-03-01 09:05:54.000000000 +0100 @@ -454,7 +454,7 @@ } else { # Handle authoritativeEngineID discovery - if (!defined $this->_engine_id_discovery($msg_engine_id)) { + if (!defined $this->_engine_id_discovery($msg_engine_id, $msg_engine_boots, $msg_engine_time)) { return $this->_error(); } @@ -982,7 +982,10 @@ sub _engine_id_discovery { - my ($this, $engine_id) = @_; + my $this = shift; + my $engine_id = shift; + my $msg_engine_boots = shift || 0; + my $msg_engine_time = shift || 0; return TRUE if ($this->{_authoritative}); @@ -1003,6 +1006,10 @@ return $this->_error(); } + if (!$this->_synchronize($msg_engine_boots, $msg_engine_time)) { + return $this->_error; + } + return TRUE; } ------------------------------------------ Net-SNMP-5.2.0 Show quoted text
> cat USM.pm-5.2.0.patch
--- USM.pm.orig 2010-03-01 08:24:07.000000000 +0100 +++ USM.pm 2010-03-01 08:45:28.000000000 +0100 @@ -447,7 +447,7 @@ } else { # Handle authoritativeEngineID discovery - if (!defined($this->_engine_id_discovery($msg_engine_id))) { + if (!defined($this->_engine_id_discovery($msg_engine_id, $msg_engine_boots, $msg_engine_time))) { return $this->_error; } @@ -985,7 +985,10 @@ sub _engine_id_discovery { - my ($this, $engine_id) = @_; + my $this = shift; + my $engine_id = shift; + my $msg_engine_boots = shift || 0; + my $msg_engine_time = shift || 0; return TRUE if ($this->{_authoritative}); @@ -997,6 +1000,9 @@ $this->{_discovered} = FALSE; return $this->_error; } + if (!$this->_synchronize($msg_engine_boots, $msg_engine_time)) { + return $this->_error; + } } else { return $this->_error( 'Invalid incoming msgAuthoritativeEngineID length [%d octet%s]', Best Regards Lars Gloeckner
Subject: USM.pm-5.2.0.patch
Download USM.pm-5.2.0.patch
text/x-diff 992b
--- USM.pm.orig 2010-03-01 08:24:07.000000000 +0100 +++ USM.pm 2010-03-01 08:45:28.000000000 +0100 @@ -447,7 +447,7 @@ } else { # Handle authoritativeEngineID discovery - if (!defined($this->_engine_id_discovery($msg_engine_id))) { + if (!defined($this->_engine_id_discovery($msg_engine_id, $msg_engine_boots, $msg_engine_time))) { return $this->_error; } @@ -985,7 +985,10 @@ sub _engine_id_discovery { - my ($this, $engine_id) = @_; + my $this = shift; + my $engine_id = shift; + my $msg_engine_boots = shift || 0; + my $msg_engine_time = shift || 0; return TRUE if ($this->{_authoritative}); @@ -997,6 +1000,9 @@ $this->{_discovered} = FALSE; return $this->_error; } + if (!$this->_synchronize($msg_engine_boots, $msg_engine_time)) { + return $this->_error; + } } else { return $this->_error( 'Invalid incoming msgAuthoritativeEngineID length [%d octet%s]',
Subject: USM.pm-6.0.0.patch
Download USM.pm-6.0.0.patch
text/x-diff 850b
--- USM.pm.orig 2009-09-09 17:13:02.000000000 +0200 +++ USM.pm 2010-03-01 09:05:54.000000000 +0100 @@ -454,7 +454,7 @@ } else { # Handle authoritativeEngineID discovery - if (!defined $this->_engine_id_discovery($msg_engine_id)) { + if (!defined $this->_engine_id_discovery($msg_engine_id, $msg_engine_boots, $msg_engine_time)) { return $this->_error(); } @@ -982,7 +982,10 @@ sub _engine_id_discovery { - my ($this, $engine_id) = @_; + my $this = shift; + my $engine_id = shift; + my $msg_engine_boots = shift || 0; + my $msg_engine_time = shift || 0; return TRUE if ($this->{_authoritative}); @@ -1003,6 +1006,10 @@ return $this->_error(); } + if (!$this->_synchronize($msg_engine_boots, $msg_engine_time)) { + return $this->_error; + } + return TRUE; }
Download (untitled) / with headers
text/plain 1.4k
The Net::SNMP module is following the recommend discovery method defined in Section 4 of RFC 3414: If authenticated communication is required, then the discovery process should also establish time synchronization with the authoritative SNMP engine. This may be accomplished by sending an authenticated Request message with the value of msgAuthoritativeEngineID set to the newly learned snmpEngineID and with the values of msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime set to zero. It appears the the agent being queried is not properly following Section 3.2 if RFC 3414: 7 a) ... If the message is considered to be outside of the Time Window then the usmStatsNotInTimeWindows counter is incremented and an error indication (notInTimeWindow) together with the OID, the value of the incremented counter, and an indication that the error must be reported with a securityLevel of authNoPriv, is returned to the calling module I would like to keep the Net::SNMP module inline with RFC 3414, so I do not plan on making any changes. You can achieve your desired behavior by overriding the discovered() method in the Net::SNMP::Security::USM module. Declare the following after specifically loading the Net::SNMP::Security::USM module: use Net::SNMP; use Net::SNMP::Security::USM; ... sub Net::SNMP::Security::USM::discovered { my ($this) = @_; return $this->{_discovered}; } ... -David


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.