<div dir="ltr">The SNMP agent AES initialization vector calculation is definitely wrong. The IV is composed from the authoritative engine boots, engine time, and a random locally generated number. The agent is currently always using the *local* engine to get engine boots and engine time, which happens to be correct for GET, SET, and TRAP, but is wrong for INFORM.<div>
<br></div><div>The attached patch fixes it. When composing a packet for transmission, the existing code collects the correct engine parameters, so this patch just uses those for the AES IV instead of going off and getting the wrong local engine params. The patch looks bigger than it really is because the order of packet composition had to be changed slightly.</div>
<div><br></div><div>With this patch applied, I am able to send AES encrypted informs. AES encrypted traps also continued to work.</div><div><br></div><div>Cheers,</div><div>Dan.</div></div><div class="gmail_extra"><br><br>
<div class="gmail_quote">On Mon, Feb 24, 2014 at 4:57 PM, Daniel Goertzen <span dir="ltr"><<a href="mailto:daniel.goertzen@gmail.com" target="_blank">daniel.goertzen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I am struggling to get SNMP informs with AES privacy working. I have no problems with DES privacy on informs.<div><br></div><div>In snmpa_usm.erl I see that the *local engine* boots and time is passed to snmp_usm:aes_encrypt() which forms part of the IV....<br>
</div><div><br></div><div>However RFC <span style="white-space:pre-wrap">3826 states that the *authoritative* engine boots and time should be used, and in the case of informs the authoritative engine is the inform target engine, not the local engine....</span></div>
<div><span style="white-space:pre-wrap"><br></span></div><div><span style="white-space:pre-wrap">[from RFC 3826]</span></div><div><pre style="white-space:pre-wrap;word-wrap:break-word">3.1.2.1. AES Encryption Key and IV
The first 128 bits of the localized key Kul are used as the AES
encryption key. The 128-bit IV is obtained as the concatenation of
the authoritative SNMP engine's 32-bit snmpEngineBoots, the SNMP
engine's 32-bit snmpEngineTime, and a local 64-bit integer. The 64-
bit integer is initialized to a pseudo-random value at boot time.
</pre></div><div><br></div><div>Could this be why AES privacy is not working for informs?</div><div><br></div><div>Dan.</div></div>
</blockquote></div><br></div>