
AuthProtocol & PrivProtocol for incoming requests are overridden by Notification variation module

Open simonsavvi opened this issue 8 years ago • 2 comments

Summary: If authentication and/or privacy protocols differ between snmpsim and that configured in .snmprec for the Notification variation module, then second and subsequent SNMPv3 requests to snmpsim fail with usmStatsWrongDigests.

If for example snmpsim is configured with SHA and AES for authentication and privacy, but the Notification variation module is in use and the authentication and privacy protocols are not specified in the .snmprec file then the second and subsequent SNMPv3 requests incoming to snmpsim fail with usmStatsWrongDigests. This happens because the Notification module defaults to MD5 and DES, and these override the protocols configured in snmpsim.

Expected behaviour: The authentication and privacy protocols used by the notification module should be independent of those used for incoming SNMPv3 traffic to snmpsim.

simonsavvi avatar Feb 28 '17 06:02 simonsavvi

Thank you for raising this issue!

The authentication and privacy protocols used by the notification module should be independent of those used for incoming SNMPv3 traffic to snmpsim.

This can probably be achieved right out of the box if you had different usmUsers for snmpsim (e.g. for SNMP commands) and the notification module (e.g. for traps).

The other solution that comes to my mind is to default the authentication and privacy protocols in the notification module to the same ones as those configured for this usmUser by snmpsim.

Finally, maybe we could make the notification module instantiate its own snmpEngine and that way have an independent usmUser configuration. This approach looks marginally logical to me as snmpsim, being an SNMP agent, is supposed to run the only snmpEngine so that SNMP commands and notifications would come from the same snmpEngine / usmUser...

WDYT?

etingof avatar Feb 28 '17 10:02 etingof
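To make the clash concrete, here is an added Python model of a single snmpEngine's usmUser table (a constructed illustration, not snmpsim or pysnmp code; the engine ID, password, user names and PDU bytes are assumed values). It shows the same usmUser row being overwritten with the MD5 default and the next SHA-authenticated request failing with usmStatsWrongDigests, and the separate-usmUser workaround suggested above keeping incoming requests working.

```python
import hashlib
import hmac

def password_to_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: stretch the password to 1 MiB, hash it, then localize with the engine ID."""
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(algo, stretched).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

class UsmUserTable:
    """One snmpEngine: one row per userName, so a second registration overwrites the first."""
    def __init__(self, engine_id: bytes):
        self.engine_id = engine_id
        self.users = {}

    def add_v3_user(self, name: str, password: bytes, auth_proto: str) -> None:
        self.users[name] = (auth_proto, password_to_key(password, self.engine_id, auth_proto))

    def verify(self, name: str, message: bytes, digest: bytes) -> str:
        """Recompute HMAC-96 with the protocol stored for this user; mismatch -> usmStatsWrongDigests."""
        proto, key = self.users[name]
        expected = hmac.new(key, message, proto).digest()[:12]
        return "ok" if hmac.compare_digest(expected, digest) else "usmStatsWrongDigests"

def manager_digest(password: bytes, engine_id: bytes, proto: str, message: bytes) -> bytes:
    """What the SNMP manager sends: HMAC-96 under the protocol it was configured with."""
    return hmac.new(password_to_key(password, engine_id, proto), message, proto).digest()[:12]

def simulate(separate_users: bool) -> list:
    engine_id = b"\x80\x00\x4f\xb8\x05"          # constructed engine ID
    password = b"auctoritas"                     # assumed shared password
    msg = b"GET 1.3.6.1.2.1.1.3.0"               # stand-in for the authenticated PDU bytes
    agent = UsmUserTable(engine_id)
    agent.add_v3_user("simulator", password, "sha1")   # snmpsim itself configured with SHA
    results = [agent.verify("simulator", msg, manager_digest(password, engine_id, "sha1", msg))]
    # Notification variation module registers its user with the MD5 default described in the issue.
    # Reusing the same userName overwrites the agent's SHA row; a distinct name leaves it intact.
    agent.add_v3_user("notifier" if separate_users else "simulator", password, "md5")
    results.append(agent.verify("simulator", msg, manager_digest(password, engine_id, "sha1", msg)))
    return results
```

`simulate(False)` reproduces the reported failure on the second request; `simulate(True)` shows the separate-usmUser configuration.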

Hi Ilya,

> The other solution that comes to my mind is to default the authentication and privacy protocols in notification module to the same ones as being configured for this usmUser by snmpsim.

and

> snmpsim ... is supposed to run the only snmpEngine so that SNMP commands and notifications would come from the same snmpEngine / usmUser

If this is the case, it does not make sense to allow SNMPv3 protocols and credentials to be configured on a per-UID basis in the .snmprec files.

I do not believe that it is reasonable to require that the SNMP monitor receiving TRAPs accept the same protocols & credentials as the SNMP "agent under test" (snmpsim), especially when the fact that .snmprec files contain their own credentials strongly suggests that this is not the case.

If it is imperative that snmpsim maintain a single snmpEngine instance, then perhaps the Notification module could set its own credentials, send the TRAP, then change them back?

simonsavvi avatar Feb 28 '17 22:02 simonsavvi