
List:       net-snmp-users
Subject:    Re: Re: Urgent - Time synchronization packet - does encryption
From:       "Dave Shield" <D.T.Shield () liverpool ! ac ! uk>
Date:       2007-11-23 15:00:43
Message-ID: c64ae3380711230700s7b02d258y77bd47f5a4a276d5 () mail ! gmail ! com

On 23/11/2007, ravikumar1984@gmail.com <ravikumar1984@gmail.com> wrote:
> If a user say "PrivUser" is configured in the Agent is AuthPriv SecurityLevel

That's not how it works.
You don't specify a user as having a particular security level.

A user is associated with an authentication protocol (which may be "none")
and with a privacy protocol (which may also be "none").

If a given user doesn't have a privacy protocol defined, then any attempt
to use "authPriv" will fail with unsupportedSecurityLevel.
If a given user doesn't have an authentication protocol defined, then any
attempt to use "authNoPriv" (or "authPriv") will also fail with
unsupportedSecurityLevel.

But if a user does have an authentication protocol defined, then it's valid
to send requests using "authNoPriv" - even if that user also happens to
have a non-null privacy protocol.



>   i)   Agent authoritative EngineID.
>   ii)  UserName is "PrivUser" i.e the correct userName.
>   iii) EngineTime and EngineBoot value is zero.
>   with AuthNoPriv security level i.e PDU is not encrypted .
>
>  In this case,  how the PDU is processed whether it is dropped or not.

The request will be dropped, and a notInTimeWindow Report returned.
(as per RFC 3414 - 3.2 7)


>  As per RFC3414, 3.2 Processing of Incoming PDU section (5), will be applicable
> or not. It means that the PDU is dropped because of the unsupported security Level.

No - the user does have an authentication protocol defined, so "authNoPriv" is
a supported security level for that user.


I suspect you may be getting this confused with the Access Control processing,
which might well reject an unencrypted request.  But this would happen at a
later stage of processing.



>  Please clarify me as, the unsupported SecurityLevel will be issued in case
> if the user is configured in the Agent is authNoPriv security level but the PDU
> comes from the manager is AuthPriv SecurityLevel for the same user.

That's correct.

The request would be marked as "authenticated" and "encrypted",
but there wouldn't be an algorithm to use for authenticating or decrypting
the PDU.

Remember that the algorithm ("protocol") is associated with the specified user,
not with the request.   The PDU simply says "authenticated" - but doesn't
specify whether this is MD5, SHA or something else (and similarly for
encryption).   That information is taken from the user settings.



Dave
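
The checks discussed in the reply above, as an added example that is not part of the original message and is not Net-SNMP code: the security level is validated against the protocols stored for the user, and only then is the time window checked. All names, the sample users and the local engine values (boots 3, time 5000) are assumptions made for illustration, and digest verification is assumed to succeed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names for illustration; this is not Net-SNMP's internal API. */
enum usm_result { USM_OK, USM_INVALID_FLAGS, USM_UNSUPPORTED_SEC_LEVEL,
                  USM_NOT_IN_TIME_WINDOW };

struct usm_user {
    const char *name;
    const char *auth_proto;   /* NULL means "none" */
    const char *priv_proto;   /* NULL means "none" */
};

#define FLAG_AUTH 0x01        /* msgFlags authFlag (RFC 3412) */
#define FLAG_PRIV 0x02        /* msgFlags privFlag (RFC 3412) */

/* Constructed sample users and local (authoritative) engine state. */
static const struct usm_user priv_user = { "PrivUser", "SHA", "DES" };
static const struct usm_user auth_user = { "AuthUser", "MD5", NULL };
static const long LOCAL_BOOTS = 3, LOCAL_TIME = 5000;

enum usm_result usm_check(const struct usm_user *u, unsigned char flags,
                          long msg_boots, long msg_time)
{
    int auth = flags & FLAG_AUTH, priv = flags & FLAG_PRIV;

    if (priv && !auth)        /* encrypted but not authenticated: invalid */
        return USM_INVALID_FLAGS;
    /* Security level check: the message only carries the flags, the
       protocol to apply is looked up in the user entry. */
    if ((auth && !u->auth_proto) || (priv && !u->priv_proto))
        return USM_UNSUPPORTED_SEC_LEVEL;
    /* Digest verification would happen here; assumed to succeed. */
    /* Timeliness check, applied only to authenticated messages:
       boots must match and time must be within 150 seconds. */
    if (auth && (LOCAL_BOOTS == 2147483647L || msg_boots != LOCAL_BOOTS ||
                 labs(msg_time - LOCAL_TIME) > 150))
        return USM_NOT_IN_TIME_WINDOW;
    return USM_OK;
}

int main(void)
{
    /* authNoPriv request for PrivUser with boots/time of zero */
    printf("%d\n", usm_check(&priv_user, FLAG_AUTH, 0, 0));
    /* authPriv request for a user with no privacy protocol */
    printf("%d\n", usm_check(&auth_user, FLAG_AUTH | FLAG_PRIV, 3, 5000));
    return 0;
}
```
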
