
SNMP Inform with AES


Daniel Goertzen

Feb 24, 2014, 9:33:08 PM
Hello, I am struggling to get SNMP Informs running from my Erlang agent to net-snmp snmptrapd. DES privacy works fine, but AES does not.

I am looking at RFC 3826 and am trying to understand how the IV is put together in the context of informs. I have some questions:

1. It says the IV is from the 32 bit authoritative engine boots, 32 bit engine time, and a 64 bit local integer. For informs the authoritative engine is where the inform is being sent, so should those engine parameters be used here?

2. Since the engine time is used in the IV, wouldn't the sender have to know the engine time of the target's engine almost exactly to avoid mismatch? If the time drifts, wouldn't the IV become incorrect and produce a garbage decrypt? Do receiving engines try multiple decrypts at various drifts to account for this?

Thanks,
Dan.

Daniel Goertzen

Feb 25, 2014, 7:54:55 AM
We can probably scratch question #2. I see in the packet capture that the authoritative engine boots and time are included in the packet. I've been staring at this a bit too long...

Dan.

Daniel Goertzen

Feb 25, 2014, 1:01:30 PM
Also scratch #1. I patched the Erlang agent to use the correct engine id params (engine id of the target, which is authoritative for informs) and everything works swimmingly now.

Dan.
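
Editor's added example, not part of the original posts and not code from the Erlang agent or net-snmp: a receiver-side view of the RFC 3826 IV, built from the authoritative engine boots and time that travel in the message's UsmSecurityParameters plus the 64-bit salt in msgPrivacyParameters. The function names, the engine ID, user name and all numeric values are constructed for illustration.

```python
import struct

def read_tlv(buf, pos=0):
    """Read one BER TLV with a definite length; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

USM_FIELDS = [("engine_id", 0x04), ("boots", 0x02), ("time", 0x02),
              ("user", 0x04), ("auth_params", 0x04), ("priv_params", 0x04)]

def parse_usm(blob):
    """Decode UsmSecurityParameters (RFC 3414) from msgSecurityParameters."""
    tag, body, _ = read_tlv(blob)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = {}, 0
    for name, want in USM_FIELDS:
        tag, val, pos = read_tlv(body, pos)
        if tag != want:
            raise ValueError(f"unexpected tag for {name}")
        out[name] = int.from_bytes(val, "big", signed=True) if want == 0x02 else val
    return out

def aes_iv(boots, time, salt):
    """RFC 3826 IV: boots (4 octets, MSB first) || time (4 octets) || 64-bit salt."""
    if len(salt) != 8:
        raise ValueError("msgPrivacyParameters must be 8 octets for AES")
    return struct.pack(">II", boots, time) + salt

def receiver_iv(blob):
    """IV the receiving engine derives purely from the message header."""
    p = parse_usm(blob)
    return aes_iv(p["boots"], p["time"], p["priv_params"])

def enc(tag, val):                          # short-form encoder for the constructed sample
    return bytes([tag, len(val)]) + val

# Constructed sample: header of an inform carrying the target engine's boots/time.
SALT = bytes(range(8))
SAMPLE = enc(0x30, enc(0x04, b"target-engine") + enc(0x02, b"\x07")
             + enc(0x02, b"\x01\x23\x45") + enc(0x04, b"informer")
             + enc(0x04, bytes(12)) + enc(0x04, SALT))

if __name__ == "__main__":
    print("receiver IV:", receiver_iv(SAMPLE).hex())
    # A sender encrypting with its own engine's boots/time (hypothetical 3, 900)
    # uses a different IV, so the receiver's AES-CFB decrypt yields garbage.
    print("sender IV  :", aes_iv(3, 900, SALT).hex())
```

Because the receiver rebuilds the IV from the header fields, clock drift is not an issue; the sender only has to encrypt with the same boots, time and salt it writes into the message.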

Alex Anto Navis Lawrence

May 22, 2017, 6:45:30 AM
Hi Daniel,

I have been facing the same issue with AES for the snmpm module. Could you kindly share your patch, and any PR or issue created for the same in the Erlang codebase?

Thanks for taking time to fix this.

Thanks,
Alex