我正在构建一个 C++ 应用程序,其目的之一是接收 SNMP 陷阱。为此,我使用 SNMP ++ 库版本 V3.3 (https://agentpp.com/download.html< /a> C++ API SNMP++ 3.4.9)。
我期望如果配置请求某种形式的身份验证,则不使用身份验证的陷阱将被丢弃/删除,但情况似乎并非如此。
为了确认此行为,我使用了 consoleExamples 目录中提供的 receive_trap 示例。 的每个调用进行了注释
usm->add_usm_user(...)
我对除了以“MD5”作为安全名称的调用之外
usm->add_usm_user("MD5",
SNMP_AUTHPROTOCOL_HMACMD5, SNMP_PRIVPROTOCOL_NONE,
"MD5UserAuthPassword", "");
:然后,我使用 net-snmp 向应用程序发送了一个陷阱(与“MD5”安全名称匹配):
snmptrap -v 3 -e 0x090807060504030200 -u MD5 -Z 1,1 -l noAuthNoPriv localhost:10162 '' 1.3.6.1.4.1.8072.2.3.0.1 1.3.6.1.4.1.8072.2.3.2.1 i 123456
由于应用程序仅注册了用户安全模型,因此需要 MD5虽然陷阱会被拒绝/丢弃/丢弃,但我会拥有密码,但事实并非如此:
Trying to register for traps on port 10162.
Waiting for traps/informs...
press return to stop
reason: -7
msg: SNMP++: Received SNMP Notification (trap or inform)
from: 127.0.0.1/45338
ID: 1.3.6.1.4.1.8072.2.3.0.1
Type:167
Oid: 1.3.6.1.4.1.8072.2.3.2.1
Val: 123456
为了确保没有使用“默认”UserSecurityModel,然后我评论了剩余的内容
usm->add_usm_user("MD5",
SNMP_AUTHPROTOCOL_HMACMD5, SNMP_PRIVPROTOCOL_NONE,
"MD5UserAuthPassword", "");
并使用相同的命令再次发送了我的陷阱。这次没有发生任何事情:
Trying to register for traps on port 10162.
Waiting for traps/informs...
press return to stop
V3 大约有 18k 行 RFC,因此我完全有可能错过或误解了某些内容,但我希望能够指定我期望的安全级别并删除所有不匹配的内容。我缺少什么?
编辑使用 SNMPD 的附加测试
我已经使用 SNMPD 进行了一些测试,但不知何故仍然得到类似的结果。
我已经创建了一个用户:
net-snmp-create-v3-user -ro -A STrP@SSWRD -a SHA -X STr0ngP@SSWRD -x AES snmpadmin
然后我尝试使用 authPriv key :
snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWRD -l authPriv -u snmpadmin localhost
请求被接受
with authNoPriv :
snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -l AuthNoPriv -u snmpadmin localhost
请求被接受
with noAuthNoPriv
snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWR2D -l noauthnoPriv -u snmpadmin localhost
:请求被拒绝。
据我所知,authNoPriv 必须被拒绝,但被接受,这是我在 RFC 和 思科 snmpv3 简历
I am building a C++ application which purpose is, among other thing, to receive SNMP traps. For this I am using SNMP ++ library version V3.3 (https://agentpp.com/download.html C++ APIs SNMP++ 3.4.9).
I was expecting for traps using no authentication to be discarded/dropped if configuration was requesting some form of authentication but it does not seem to be the case.
To confirm this behavior I used the provided receive_trap example available in the consoleExamples directory. I commented every call to
usm->add_usm_user(...)
except for the one with "MD5" as security name :
usm->add_usm_user("MD5",
SNMP_AUTHPROTOCOL_HMACMD5, SNMP_PRIVPROTOCOL_NONE,
"MD5UserAuthPassword", "");
I then sent a trap (matching the "MD5" security name) to the application using net-snmp :
snmptrap -v 3 -e 0x090807060504030200 -u MD5 -Z 1,1 -l noAuthNoPriv localhost:10162 '' 1.3.6.1.4.1.8072.2.3.0.1 1.3.6.1.4.1.8072.2.3.2.1 i 123456
Since the application only registered User Security Model requires an MD5 password I would have though the trap would have been refused/dropped/discarded, but it was not :
Trying to register for traps on port 10162.
Waiting for traps/informs...
press return to stop
reason: -7
msg: SNMP++: Received SNMP Notification (trap or inform)
from: 127.0.0.1/45338
ID: 1.3.6.1.4.1.8072.2.3.0.1
Type:167
Oid: 1.3.6.1.4.1.8072.2.3.2.1
Val: 123456
To make sure there was no "default" UserSecurityModel used instead I then commented the remaining
usm->add_usm_user("MD5",
SNMP_AUTHPROTOCOL_HMACMD5, SNMP_PRIVPROTOCOL_NONE,
"MD5UserAuthPassword", "");
and sent my trap again using the same command. This time nothing happened :
Trying to register for traps on port 10162.
Waiting for traps/informs...
press return to stop
V3 is around 18k lines of RFC so it is completely possible I missed or misunderstood something but I would expect to be able to specify which security level I am expecting and drop everything which does not match. What am I missing ?
EDIT Additional testing with SNMPD
I have done some test with SNMPD and I somehow still get similar result.
I have created a user :
net-snmp-create-v3-user -ro -A STrP@SSWRD -a SHA -X STr0ngP@SSWRD -x AES snmpadmin
Then I am trying with authPriv key :
snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWRD -l authPriv -u snmpadmin localhost
The request is accepted
with authNoPriv :
snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -l AuthNoPriv -u snmpadmin localhost
The request is accepted
with noAuthNoPriv :
snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWR2D -l noauthnoPriv -u snmpadmin localhost
The request is rejected.
As I understand the authNoPriv must be rejected, but is accepted, this is incorrect from what I have read in the RFC and the cisco snmpv3 resume
发布评论
评论(1)
免责声明我不是专家,所以对以下内容持保留态度。
我不能说您正在使用的库,但关于 SNMP v3 流程:
在 SNMPv3 交换中,USM 仅负责 SNMP 权威引擎端的验证,权威引擎角色取决于消息的类型。
RFC 3414 在第 3.2 节中描述了消息的接收:
因此,在步骤 6 中,安全级别是来自消息的安全级别。这意味着即使未提供身份验证,接收方的 USM 层也会接受 TRAP。
然后 TRAP 用户的任务是决定是否必须解释该消息。
Disclaimer I am not expert so take the following with a pinch of salt.
I cannot say for the library you are using but regarding the SNMP v3 flow:
In SNMPv3 exchanges, the USM is responsible for validation only on the SNMP authoritative engine side, the authoritative role depending of the kind of message.
The RFC 3414 describes the reception of message in section 3.2 :
So in the step 6, the securityLevel is the one from the message. This means the TRAP is accepted by the USM layer on the receiver side even if the authentication is not provided.
It is then the task of the user of the TRAP to decide if the message must be interpreted or not.