[erlang-patches] snmp agent inform w/AES privacy not working

Daniel Goertzen <>
Tue Feb 25 18:56:32 CET 2014

The SNMP agent AES initialization vector calculation is definitely wrong.
 The IV is composed from the authoritative engine boots, engine time, and a
random locally generated number.  The agent is currently always using the
*local* engine to get engine boots and engine time, which happens to be
correct for GET, SET, and TRAP, but is wrong for INFORM.

The attached patch fixes it.  When composing a packet for transmission, the
existing code collects the correct engine parameters, so this patch just
uses those for the AES IV instead of going off and getting the wrong local
engine params.  The patch looks bigger than it really is because the order
of packet composition had to be changed slightly.

With this patch applied, I am able to send AES encrypted informs.  AES
encrypted traps also continued to work.


On Mon, Feb 24, 2014 at 4:57 PM, Daniel Goertzen

> I am struggling to get SNMP informs with AES privacy working.  I have no
> problems with DES privacy on informs.
> In snmpa_usm.erl I see that the *local engine* boots and time is passed to
> snmp_usm:aes_encrypt() which forms part of the IV....
> However RFC 3826 states that the *authoritative* engine boots and time
> should be used, and in the case of informs the authoritative engine is the
> inform target engine, not the local engine....
> [from RFC 3826]
>  AES Encryption Key and IV
>    The first 128 bits of the localized key Kul are used as the AES
>    encryption key.  The 128-bit IV is obtained as the concatenation of
>    the authoritative SNMP engine's 32-bit snmpEngineBoots, the SNMP
>    engine's 32-bit snmpEngineTime, and a local 64-bit integer.  The 64-
>    bit integer is initialized to a pseudo-random value at boot time.
> Could this be why AES privacy is not working for informs?
> Dan.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-patches/attachments/20140225/88cd8598/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snmp_agent_aes_bootstime_fix.patch
Type: text/x-patch
Size: 5007 bytes
Desc: not available
URL: <http://erlang.org/pipermail/erlang-patches/attachments/20140225/88cd8598/attachment.bin>

More information about the erlang-patches mailing list