pysnmp
Some authentication/privacy combinations are not working correctly?
Hi there!
I am in the process of implementing an SNMPv3 agent here at work.
For testing purposes I test our agent with net-snmp (v5.10-git@82862da) with OpenSSL-1.1.1.
And I also test against the pysnmp testserver demo.pysnmp.com.
I actually do not know who is responsible for the testserver and what version it is...
While doing so I found that some authentication/privacy algorithms are maybe not working as expected?
I am interested in finding out why and how, also to make my own implementation better.
As far as I can tell the error could also be on the net-snmp side, but I am unsure.
Is anyone interested in working on this?
Here is a table of all tested combinations:
| pysnmp | 0: None | 1: DES | 2: 3DES | 3: AES128 | 4: AES192 | 4: AES192C | 5: AES256 | 5: AES256C |
|---|---|---|---|---|---|---|---|---|
| 0: None | OK | --- | --- | --- | --- | --- | --- | --- |
| 1: MD5 | OK | OK | not supported | OK | Decryption error | OK | Decryption error | OK |
| 2: SHA1 | OK | OK | not supported | OK | Decryption error | OK | Decryption error | OK |
| 3: SHA2-224 | Decryption error | Decryption error | not supported | Decryption error | Decryption error | Decryption error | Decryption error | Decryption error |
| 4: SHA2-256 | OK | OK | not supported | OK | Decryption error | OK | Decryption error | OK |
| 5: SHA2-384 | OK | OK | not supported | OK | Decryption error | OK | Decryption error | OK |
| 6: SHA2-512 | Timeout! | Decryption error | not supported | Timeout! | Decryption error | Timeout! | Decryption error | Timeout! |
Legend:
- "---": impossible combination
- "not supported": net-snmp does not support 3DES, so it can't be tested
- "Timeout": pysnmp is not sending anything after time synchronisation -> needs fix!
- "Decryption error": pysnmp has sent an answer, but net-snmp couldn't decrypt -> those ones need fix

The "C" at the end of privacy algos is for "Cisco", which means key localization is done with reeder-draft.
Those without the "C" have key localization according to blumenthal-draft.
While it seems that the reeder implementation is the "standard" for pysnmp, the blumenthal ones don't seem to work at a
You can read #429 first to gain some insights on the current ecosystem status.
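The two key-localization schemes named in the issue, as an added example (not code from the issue, pysnmp or net-snmp). It follows RFC 3414 for password-to-key and localization and the key-extension steps of draft-blumenthal-aes-usm-04 and draft-reeder-snmpv3-usm-3desede-00; the function names are hypothetical and the passphrase and engine ID are constructed sample input taken from the RFC 3414 appendix.

```python
import hashlib

def password_to_key(secret: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: digest of the secret repeated to exactly 1 MiB."""
    if not secret:
        raise ValueError("empty secret")
    reps, rem = divmod(1_048_576, len(secret))
    return hashlib.new(hash_name, secret * reps + secret[:rem]).digest()

def localize(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def extend_blumenthal(kul: bytes, hash_name: str, key_len: int) -> bytes:
    """Blumenthal draft: Kul = Kul || H(Kul) until long enough, then truncate."""
    while len(kul) < key_len:
        kul += hashlib.new(hash_name, kul).digest()
    return kul[:key_len]

def extend_reeder(kul: bytes, engine_id: bytes, hash_name: str, key_len: int) -> bytes:
    """Reeder draft: rerun password-to-key and localization with the previous
    output as the passphrase, append the result, then truncate."""
    while len(kul) < key_len:
        kul += localize(password_to_key(kul, hash_name), engine_id, hash_name)
    return kul[:key_len]

def priv_keys(passphrase: bytes, engine_id: bytes, hash_name: str, key_len: int):
    """Return (blumenthal_key, reeder_key) for one user/engine pair."""
    kul = localize(password_to_key(passphrase, hash_name), engine_id, hash_name)
    return (extend_blumenthal(kul, hash_name, key_len),
            extend_reeder(kul, engine_id, hash_name, key_len))

# Constructed sample input: passphrase and engine ID from RFC 3414 A.3.
PASSPHRASE = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    # The schemes agree whenever the hash output already covers the key size
    # and diverge as soon as the localized key has to be extended.
    for hash_name in ("md5", "sha1", "sha256"):
        for label, key_len in (("AES128", 16), ("AES192", 24), ("AES256", 32)):
            b, r = priv_keys(PASSPHRASE, ENGINE_ID, hash_name, key_len)
            print(f"{hash_name:7} {label} same={b == r} B={b.hex()} R={r.hex()}")
```

When the two ends extend the key differently, the authentication key is unaffected and only the privacy key differs, so the message authenticates but the scoped PDU does not decrypt.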