SNMP v3 GET with snmp4j-3.1.0

Hi All,
Hi everyone,
I would like to bring to your attention a problem encountered during the verification of a GET operation in version 3.
In particular, using the snmp4j-3.1.0 library I always get the “org.snmp4j.MessageException: Message processing model 3 returned error: Unsupported security level” error. The same GET with snmp4j-2.7.0 works correctly. The commands used follow.

With 3.1.0: (KO)
/usr/java/jdk-11.0.3/bin/java -jar snmp4j-3.1.0.jar get -v 3 -y AES128 -u user1 -a MD5 -A password -Y password -d DEBUG -rsl secure udp:192.168.1.42/161 1.3.6.1.2.1.1.1.0
–error
2019-06-13 10:47:47.344 DefaultUDPTransportMapping_0.0.0.0/49981 DEBUG Context engine ID of scoped PDU is empty! Setting it to authoritative engine ID: 80:00:1f:88:80:fd:78:55:52:0d:e0:ec:5c:00:00:00:00
2019-06-13 10:47:47.432 DefaultUDPTransportMapping_0.0.0.0/49981 DEBUG getUser(engineID=80:00:1f:88:80:fd:78:55:52:0d:e0:ec:5c:00:00:00:00, securityName=user1)
2019-06-13 10:47:47.465 DefaultUDPTransportMapping_0.0.0.0/49981 DEBUG Adding user user1 = UsmUser[secName=user1,authProtocol=1.3.6.1.6.3.10.1.1.2,authPassphrase=null,privProtocol=1.3.6.1.6.3.10.1.2.4,privPassphrase=null,localizationEngineID=80:00:1f:88:80:fd:78:55:52:0d:e0:ec:5c:00:00:00:00]
org.snmp4j.MessageException: Message processing model 3 returned error: Unsupported security level

With 2.7.0: (OK)
/usr/java/jdk-11.0.3/bin/java -cp "*" org.snmp4j.tools.console.SnmpRequest -a MD5 -A password -x AES128 -X password -u user1 -v 3 -p GET udp:192.168.1.42/161 1.3.6.1.2.1.1.1.0

Thanks for your help

You can use SNMP4J 3.2.0 instead of 3.1.0. The problem is caused by the command line parsing. As you can see from the log, both passphrases given at the command line are not used, and that is why the security level does not match.

Hi Frank,
thanks for the reply, but even with version 3.2.0 I get the same error. :grimacing:

I execute the command
/usr/java/jdk-11.0.3/bin/java -jar snmp4j-3.2.0.jar get -v 3 -u user1 -a MD5 -A password -y AES128 -X password -d DEBUG -rsl secure udp:192.168.43.227/161 1.3.6.1.2.1.1.1.0

During initialization (at least I think) I can see the credentials but then these are not sent.

… Phase 1
2019-06-17 18:26:47.918 main DEBUG Initialized Salt to e06039fb527e5427.
2019-06-17 18:26:48.357 main DEBUG Adding user user1 = UsmUser[secName=user1,authProtocol=1.3.6.1.6.3.10.1.1.2,authPassphrase=password,privProtocol=1.3.6.1.6.3.10.1.2.4,privPassphrase=password,localizationEngineID=null]
2019-06-17 18:26:48.529 main DEBUG RFC3414 §3.1.4.b Outgoing message is not encrypted
2019-06-17 18:26:48.580 DefaultUDPTransportMapping_0.0.0.0/53657 DEBUG UDP receive buffer size for socket 0.0.0.0/0 is set to: 106496
2019-06-17 18:26:48.581 DefaultUDPTransportMapping_0.0.0.0/53657 INFO Listening on socket 0.0.0.0/53657
… Phase 2
2019-06-17 18:26:49.075 DefaultUDPTransportMapping_0.0.0.0/53657 DEBUG Send new request after report.
2019-06-17 18:26:49.076 DefaultUDPTransportMapping_0.0.0.0/53657 DEBUG Context engine ID of scoped PDU is empty! Setting it to authoritative engine ID: 80:00:1f:88:80:fd:78:55:52:0d:e0:ec:5c:00:00:00:00
2019-06-17 18:26:49.159 DefaultUDPTransportMapping_0.0.0.0/53657 DEBUG getUser(engineID=80:00:1f:88:80:fd:78:55:52:0d:e0:ec:5c:00:00:00:00, securityName=user1)
2019-06-17 18:26:49.189 DefaultUDPTransportMapping_0.0.0.0/53657 DEBUG Adding user user1 = UsmUser[secName=user1,authProtocol=1.3.6.1.6.3.10.1.1.2,authPassphrase=null,privProtocol=1.3.6.1.6.3.10.1.2.4,privPassphrase=null,localizationEngineID=80:00:1f:88:80:fd:78:55:52:0d:e0:ec:5c:00:00:00:00]
org.snmp4j.MessageException: Message processing model 3 returned error: Unsupported security level
at org.snmp4j.MessageDispatcherImpl.sendPdu(MessageDispatcherImpl.java:626)
at org.snmp4j.Snmp.sendMessage(Snmp.java:1054)
at org.snmp4j.Snmp$ReportProcessor.processReport(Snmp.java:1375)
at org.snmp4j.Snmp.processPdu(Snmp.java:1240)
at org.snmp4j.MessageDispatcherImpl.fireProcessPdu(MessageDispatcherImpl.java:778)
at org.snmp4j.MessageDispatcherImpl.dispatchMessage(MessageDispatcherImpl.java:426)
at org.snmp4j.MessageDispatcherImpl.processMessage(MessageDispatcherImpl.java:502)
at org.snmp4j.MessageDispatcherImpl.processMessage(MessageDispatcherImpl.java:464)
at org.snmp4j.tools.console.SnmpCommand$SnmpCommandMessageDispatcher.processMessage(SnmpCommand.java:1586)
at org.snmp4j.transport.AbstractTransportMapping.fireProcessMessage(AbstractTransportMapping.java:77)
at org.snmp4j.transport.DefaultUdpTransportMapping$ListenThread.run(DefaultUdpTransportMapping.java:471)
at java.base/java.lang.Thread.run(Thread.java:834)
2019-06-17 18:26:49.314 DefaultUDPTransportMapping_0.0.0.0/53657 ERROR Failed to send message to UserTarget[address=192.168.43.227/161,version=3,timeout=1000,retries=0,securityLevel=3,securityModel=3,securityName=user1,preferredTransports=null, authoritativeEngineID=]: Message processing model 3 returned error: Unsupported security level

Thanks in advance

Hi Alessandro,

Please use
-v 3 -u user1 -a MD5 -A password -y AES128 -X password -d DEBUG -rsl secure get udp:192.168.43.227/161 1.3.6.1.2.1.1.1.0

instead

That should fix your problem.

Best regards,
Frank

Nothing, it doesn’t work. I also get the same error with the UsmGetNext example. Really weird … I checked it both on Linux and on Windows.

I think I will be forced to use version 2.7.0 :pensive:
thanks anyway

Hi Alessandro, I read your debug log once again and it seems that you are affected by the most common error with SNMPv3 ever: non-unique engine IDs?
The user you added and the user fetched from USM when the communication reaches the state when privacy needs to be established differ by engine ID (user localization).

Please make sure Agent and Manager have different engine IDs.

Best regards
Frank

Hey guys,

I’m currently facing the exact same problem (2.7.0 works, >= 3.0.0 throws Unsupported security level) and would like to have more clarification on this topic, as I would like to use the latest version of SNMP4J.

@Alessandro: Did you manage to solve this problem and have it working using a version >=3.0.0?
@AGENTPP: What do you mean by “non-unique engine IDs”? I’m setting an engine Id for my USM like this:

OctetString localEngineId = new OctetString(MPv3.createLocalEngineID());
USM usm = new USM(SecurityProtocols.getInstance(), localEngineId, 0);

Do I have to set it somewhere else?

I also noticed that the data I create my UsmUser with seem to be overwritten somewhere. I’m creating my UsmUser like this:

OctetString securityName = new OctetString("usr-md5-des");
OctetString authPassphrase = new OctetString("authkey1");
OctetString privPassphrase = new OctetString("privkey1");
OID authProtocol = AuthMD5.ID;
OID privProtocol = PrivDES.ID;
UsmUser usmUser = new UsmUser(securityName, authProtocol, authPassphrase, privProtocol, privPassphrase);

But finally, my debug log says

...
DEBUG Adding user usr-md5-des = UsmUser[secName=usr-md5-des,authProtocol=1.3.6.1.6.3.10.1.1.2,authPassphrase=null,privProtocol=1.3.6.1.6.3.10.1.2.2,privPassphrase=null,localizationEngineID=80:...:cc]

So the authPassphrase and privPassphrase suddenly are null… and right after that the error saying Unsupported security level is thrown, which seems to be just a logical consequence.

What could be the problem?
Thanks for any help or hints :slight_smile:
pschild

Hi,

We sorted this issue out in another thread; see NPE at USM.addLocalizedUsmUserEntry.
With SNMP4J version 3.2.2 you should get the same behaviour as with 2.x, but you should nevertheless check if the code you are currently using is really appropriate, because it seems to trigger a USM user localisation that is not necessary.

Best regards,
Frank

Hi Frank,

thanks for your answer!

Instead of using my own code I tried using the example for SNMPv3 GETNEXT provided in the docs to ensure I have a working code in front of me.
The only thing I changed is the main method to match my credentials. It looks like this:

public static void main(String[] args) {
    String targetAddress = "udp:127.0.0.1/1025";
    String context = "";
    String securityName = "testUser";
    String authPasssphrase = "test1234";
    String privPasssphrase = "test1234";
    String oid = "1.3.6.1.2.1.1.1.0";
    UsmGetNext usmGetNext = new UsmGetNext();
    try {
        usmGetNext.initSnmp();
        usmGetNext.next(targetAddress, context, securityName, authPasssphrase, privPasssphrase, oid);
    } catch (IOException e) {
        e.printStackTrace();
    }
}

I also made sure I’m using the correct protocols for auth and priv. Unfortunately, I get the same exception: Unsupported security level.
Additionally, I tested the connection with the Linux SNMP client. The following command does work and gives me the correct result:

snmpget -v 3 -u testUser -X test1234 -A test1234 -l authPriv -x DES -a SHA 127.0.0.1:1025 1.3.6.1.2.1.1.1.0

Could you give me a hint based on the referenced example, in which part things go wrong?

Thanks and best regards
pschild

It seems that you missed the fact that UsmGetNext is using SHA256 and AES128 as authentication and privacy protocols.
Besides that, the sample code should work.

Hi Frank,

I got it working now.
The problem was that I indeed mixed up the auth- and priv-protocols.

To make it work with MD5 and SHA(-128), I had to enable those protocols manually because with SNMP4J v3.x those protocols are disabled by default. I did that only for testing purposes of course.

Using SHA-2 on the client side doesn’t work, as the agent I set up only supports MD5/SHA-128 as auth protocol and DES/AES-128 as privacy protocol.

So all in all, I have it working now with any combination of MD5/SHA-128 and DES/AES-128 and the appropriate configuration on Agent side.

Thanks again for your help.

Best regards
pschild

Hi,

What do you mean by “enable those protocols manually”? Can you explain it to me?

Thanks in advance

Alessandro


I guess pschild meant the following calls (in former releases those standard authentication protocols were activated by default; because recent security research results classified them as insecure, I have removed them from the default protocols):

SecurityProtocols.getInstance().addAuthenticationProtocol(new AuthSHA());
SecurityProtocols.getInstance().addAuthenticationProtocol(new AuthMD5());

DES privacy is still in the default because there the situation seems to be different/not that clear.
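
As an added example (not code from the thread or from the SNMP4J project): a startup check that makes the legacy MD5/SHA-1 opt-in explicit and fails with a clear message when a configured user needs a protocol that is not registered, instead of surfacing later as "Unsupported security level". The class name, method names and the `--allow-legacy-auth` switch are hypothetical; only the `SecurityProtocols` calls and protocol classes are SNMP4J's.

```java
import org.snmp4j.security.AuthMD5;
import org.snmp4j.security.AuthSHA;
import org.snmp4j.security.PrivAES128;
import org.snmp4j.security.PrivDES;
import org.snmp4j.security.SecurityProtocols;
import org.snmp4j.smi.OID;

public class UsmProtocolCheck {

    /** Registers the library defaults; MD5 and SHA-1 only on explicit opt-in. */
    static void registerProtocols(boolean allowLegacyAuth) {
        SecurityProtocols protocols = SecurityProtocols.getInstance();
        protocols.addDefaultProtocols();
        if (allowLegacyAuth) {
            // Needed only for agents limited to MD5/SHA-1, as in the thread.
            protocols.addAuthenticationProtocol(new AuthMD5());
            protocols.addAuthenticationProtocol(new AuthSHA());
        }
    }

    /** Throws if a protocol OID a USM user will be created with is not registered. */
    static void requireProtocols(String user, OID auth, OID priv) {
        SecurityProtocols protocols = SecurityProtocols.getInstance();
        if (protocols.getAuthenticationProtocol(auth) == null) {
            throw new IllegalStateException("User " + user
                + ": authentication protocol " + auth + " is not registered");
        }
        if (protocols.getPrivacyProtocol(priv) == null) {
            throw new IllegalStateException("User " + user
                + ": privacy protocol " + priv + " is not registered");
        }
    }

    public static void main(String[] args) {
        // Hypothetical switch: legacy auth is a deliberate, visible choice.
        boolean allowLegacy = args.length > 0
            && "--allow-legacy-auth".equals(args[0]);
        registerProtocols(allowLegacy);

        // The two user configurations shown in the thread.
        requireProtocols("user1", AuthMD5.ID, PrivAES128.ID);
        requireProtocols("usr-md5-des", AuthMD5.ID, PrivDES.ID);
        System.out.println("All configured protocols are registered.");
    }
}
```

Run this before creating the `USM` and adding users; where the agent supports it, configuring the user with a SHA-2 authentication protocol removes the need for the opt-in.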

Great!!! With these settings … it works fine… Thanks a lot Frank (and pschild)