[erlang-patches] snmp agent inform w/AES privacy not working

Raimo Niskanen raimo+erlang-patches@REDACTED
Tue Jun 17 13:16:09 CEST 2014


On Mon, Jun 16, 2014 at 08:28:59AM -0500, Daniel Goertzen wrote:
> Ping.
> 
> Has this patch gone anywhere?  I was thinking of adding tests and turning
> this into a github pull request if that would help this patch get in.

Yes.  Absolutely.  Test cases would help us accept the patch.
And a pull request I guess would also not hurt although should
not be essential.

> 
> 
> On Tue, Feb 25, 2014 at 11:56 AM, Daniel Goertzen <daniel.goertzen@REDACTED
> > wrote:
> 
> > The SNMP agent AES initialization vector calculation is definitely wrong.
> >  The IV is composed from the authoritative engine boots, engine time, and a
> > random locally generated number.  The agent is currently always using the
> > *local* engine to get engine boots and engine time, which happens to be
> > correct for GET, SET, and TRAP, but is wrong for INFORM.
> >
> > The attached patch fixes it.  When composing a packet for transmission,
> > the existing code collects the correct engine parameters, so this patch
> > just uses those for the AES IV instead of going off and getting the wrong
> > local engine params.  The patch looks bigger than it really is because the
> > order of packet composition had to be changed slightly.
> >
> > With this patch applied, I am able to send AES encrypted informs.  AES
> > encrypted traps also continued to work.
> >
> > Cheers,
> > Dan.
> >
> >
> > On Mon, Feb 24, 2014 at 4:57 PM, Daniel Goertzen <
> > daniel.goertzen@REDACTED> wrote:
> >
> >> I am struggling to get SNMP informs with AES privacy working.  I have no
> >> problems with DES privacy on informs.
> >>
> >> In snmpa_usm.erl I see that the *local engine* boots and time is passed
> >> to snmp_usm:aes_encrypt() which forms part of the IV....
> >>
> >>
> >>
> >> However RFC 3826 states that the *authoritative* engine boots and time
> >> should be used, and in the case of informs the authoritative engine is the
> >> inform target engine, not the local engine....
> >>
> >> [from RFC 3826]
> >>
> >> 3.1.2.1.  AES Encryption Key and IV
> >>
> >>    The first 128 bits of the localized key Kul are used as the AES
> >>    encryption key.  The 128-bit IV is obtained as the concatenation of
> >>    the authoritative SNMP engine's 32-bit snmpEngineBoots, the SNMP
> >>    engine's 32-bit snmpEngineTime, and a local 64-bit integer.  The 64-
> >>    bit integer is initialized to a pseudo-random value at boot time.
> >>
> >>
> >>
> >> Could this be why AES privacy is not working for informs?
> >>
> >> Dan.
> >>
> >
> >

> _______________________________________________
> erlang-patches mailing list
> erlang-patches@REDACTED
> http://erlang.org/mailman/listinfo/erlang-patches


-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



More information about the erlang-patches mailing list