Bug 1354452 - [notifier] drop mentioning AES192 and AES256 in notifier.conf
Summary: [notifier] drop mentioning AES192 and AES256 in notifier.conf
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Services.Notifier
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ovirt-4.0.2
Target Release: 4.0.2
Assignee: Ravi Nori
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-11 11:18 UTC by Jiri Belka
Modified: 2016-08-12 14:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-12 14:24:46 UTC
oVirt Team: Infra
rule-engine: ovirt-4.0.z+
rule-engine: planning_ack+
mperina: devel_ack+
lsvaty: testing_ack+




Links
System ID Priority Status Summary Last Updated
oVirt gerrit 60963 master MERGED tools: Rephrase privacy protocol description 2016-07-18 18:15:57 UTC
oVirt gerrit 61004 ovirt-engine-4.0 MERGED tools: Rephrase privacy protocol description 2016-07-19 14:10:14 UTC

Description Jiri Belka 2016-07-11 11:18:00 UTC
Description of problem:

tl;dr, but iiuc the standard is 'CFB128-AES-128' [1] and this is what most agents and managers support. imo mentioning AES192 and AES256 can be counter-productive, as it could cause an over-paranoid admin to define these values and then discover that the remote SNMPv3-compatible manager doesn't accept them.

# The SNMPv3 privacy protocol. Supported values are AES128, AES 192 and AES256.
# net-snmp only supports AES128 protocol.
##SNMP_PRIVACY_PROTOCOL=

[1] https://tools.ietf.org/html/rfc3826#section-3

Version-Release number of selected component (if applicable):
ovirt-engine-tools-4.0.2-0.2.rc1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. check if AES192 and/or AES256 is mentioned in notifier.conf

Actual results:
AES192 and/or AES256 are mentioned in notifier.conf and this can cause confusion/misconfiguration

Expected results:
just have AES128; if anybody has a special need, he could find out about other AES modes on his own (or via oVirt support channels)

Additional info:

Comment 1 Jiri Belka 2016-07-11 11:20:30 UTC
Discovered while checking what kind of AES OpenBSD snmpd (manager) uses (yes, this is not the industry's favourite snmp daemon implementation...):

$ grep -IRi aes ../cvs/openbsd-src/usr.sbin/snmpd/*.{c,h,y}
../cvs/openbsd-src/usr.sbin/snmpd/usm.c:        case PRIV_AES:
../cvs/openbsd-src/usr.sbin/snmpd/usm.c:                return EVP_aes_128_cfb128();
../cvs/openbsd-src/usr.sbin/snmpd/usm.c:        case PRIV_AES:
../cvs/openbsd-src/usr.sbin/snmpd/usm.c:                priv = "CFB128-AES-128";
../cvs/openbsd-src/usr.sbin/snmpd/usm.c:        case PRIV_AES:
../cvs/openbsd-src/usr.sbin/snmpd/snmpd.h:      PRIV_AES        /* CFB128-AES-128, RFC3826 */
../cvs/openbsd-src/usr.sbin/snmpd/parse.y:                      else if (strcasecmp($1, "aes") == 0 ||
../cvs/openbsd-src/usr.sbin/snmpd/parse.y:                          strcasecmp($1, "cfb128-aes-128") == 0)
../cvs/openbsd-src/usr.sbin/snmpd/parse.y:                              $$ = PRIV_AES;

Comment 2 Martin Perina 2016-07-12 09:06:57 UTC
I'd prefer to mention all of them as available options, but let's redefine the description like this:

# The SNMPv3 privacy protocol. Supported values are AES128, AES192 and AES256.
# Be aware that AES192 and AES256 are not defined in RFC3826, so please verify 
# that your SNMP server supports those protocols before enabling them


I just briefly checked that all major SNMP vendors like Cisco, HP and IBM support those higher encryption protocols.

Comment 3 Jiri Belka 2016-07-12 09:13:49 UTC
(In reply to Martin Perina from comment #2)
> I'd prefer to mention all of them as available options, but let's redefine
> the description like this:
> 
> # The SNMPv3 privacy protocol. Supported values are AES128, AES192 and
> AES256.
> # Be aware that AES192 and AES256 are not defined in RFC3826, so please
> verify 
> # that your SNMP server supports those protocols before enabling them
> 
> 
> I just briefly checked that all major SNMP vendors like Cisco, HP and IBM
> support those higher encryption protocols.

I'm fine with this.

Comment 4 Martin Perina 2016-07-19 07:50:36 UTC
This is a documentation-only fix for the SNMPv3 feature, which is new in 4.0, so it makes sense to have it included in 4.0.2.

Comment 5 Jiri Belka 2016-07-25 09:33:41 UTC
ok

rpm2cpio ovirt-engine-tools-4.0.3-0.0.master.20160724203215.git5682254.el7.centos.noarch.rpm | cpio -i --to-stdout './usr/share/ovirt-engine/services/ovirt-engine-notifier/ovirt-engine-notifier.conf' 2>/dev/null | sed -n '/SNMPv3 privacy protocol/,+3p'
# The SNMPv3 privacy protocol. Supported values are AES128, AES192 and AES256.
# Be aware that AES192 and AES256 are not defined in RFC3826, so please verify
# that your SNMP server supports those protocols before enabling them.
SNMP_PRIVACY_PROTOCOL=
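Added example, not part of this bug report or of the oVirt code: a small preflight check that parses ovirt-engine-notifier.conf and classifies the configured SNMP_PRIVACY_PROTOCOL the way the rewritten comment asks the admin to do by hand. Only the key name, the three accepted values (AES128, AES192, AES256), the fact that AES192/AES256 are outside RFC 3826, and the two manager capability entries (OpenBSD snmpd from the grep in comment 1, net-snmp from the original config comment) come from this page; the function names, the sample config strings and the manager table layout are constructed here for illustration.

```python
"""Preflight check: can the SNMPv3 privacy protocol configured for the
oVirt notifier be expected to work with the receiving manager?

Constructed example. Only SNMP_PRIVACY_PROTOCOL and its three accepted
values come from the bug report; function names, sample configs and the
manager capability table are assumptions made for illustration.
"""
import re
import sys

# Values the notifier's config comment lists as supported.
NOTIFIER_PRIVACY_PROTOCOLS = {"AES128", "AES192", "AES256"}

# Only CFB128-AES-128 is standardised for USM privacy (RFC 3826, section 3);
# AES192/AES256 are not defined there, so a manager may legitimately reject them.
RFC3826_PRIVACY_PROTOCOLS = {"AES128"}

# What a receiving manager implements. OpenBSD: comment 1's grep shows
# PRIV_AES -> EVP_aes_128_cfb128() only. net-snmp: per the original config
# comment on this page. Operators would extend this from vendor docs.
MANAGER_PRIVACY_SUPPORT = {
    "openbsd-snmpd": {"AES128"},
    "net-snmp": {"AES128"},
}

_ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_conf(text):
    """Parse the notifier's shell-style KEY=VALUE file into a dict.

    Lines beginning with '#' are comments, so the originally shipped
    '##SNMP_PRIVACY_PROTOCOL=' line leaves the key unset. Surrounding single
    or double quotes are stripped from values; malformed lines are ignored.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        conf[key] = value
    return conf


def check_privacy_protocol(conf, manager=None):
    """Classify SNMP_PRIVACY_PROTOCOL; returns (status, message).

    status: 'unset' - key absent or empty (no SNMPv3 privacy configured)
            'ok'    - RFC 3826 protocol, or explicitly supported by `manager`
            'warn'  - accepted by the notifier but outside RFC 3826, manager unknown
            'error' - not a notifier value, or known-unsupported by `manager`
    """
    value = conf.get("SNMP_PRIVACY_PROTOCOL", "").strip().upper()
    if not value:
        return "unset", "SNMP_PRIVACY_PROTOCOL is empty; SNMPv3 privacy is not configured"
    if value not in NOTIFIER_PRIVACY_PROTOCOLS:
        return "error", f"{value} is not one of {sorted(NOTIFIER_PRIVACY_PROTOCOLS)}"
    supported = MANAGER_PRIVACY_SUPPORT.get(manager) if manager else None
    if supported is not None:
        if value in supported:
            return "ok", f"{value} is supported by {manager}"
        return "error", f"{manager} does not implement {value}; it supports {sorted(supported)}"
    if value in RFC3826_PRIVACY_PROTOCOLS:
        return "ok", f"{value} is the RFC 3826 privacy protocol (CFB128-AES-128)"
    return "warn", (f"{value} is not defined in RFC 3826; confirm the receiving "
                    "SNMP manager supports it before enabling")


# Constructed sample inputs. SHIPPED_CONF mirrors the fixed default (key left
# empty); the other two are what an admin might write.
SHIPPED_CONF = """\
# The SNMPv3 privacy protocol. Supported values are AES128, AES192 and AES256.
# Be aware that AES192 and AES256 are not defined in RFC3826, so please verify
# that your SNMP server supports those protocols before enabling them.
SNMP_PRIVACY_PROTOCOL=
"""
PARANOID_CONF = SHIPPED_CONF.replace("SNMP_PRIVACY_PROTOCOL=", 'SNMP_PRIVACY_PROTOCOL="AES256"')
STANDARD_CONF = SHIPPED_CONF.replace("SNMP_PRIVACY_PROTOCOL=", "SNMP_PRIVACY_PROTOCOL=aes128")


def main(argv):
    """Usage: check.py [notifier.conf] [manager-name]; exit 1 on warn/error."""
    text = open(argv[1]).read() if len(argv) > 1 else PARANOID_CONF
    manager = argv[2] if len(argv) > 2 else None
    status, message = check_privacy_protocol(parse_conf(text), manager)
    print(f"{status}: {message}")
    return 0 if status in ("ok", "unset") else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check.py /usr/share/ovirt-engine/services/ovirt-engine-notifier/ovirt-engine-notifier.conf openbsd-snmpd` to get a hard error for AES256 against a manager that is known to implement only CFB128-AES-128, and a warning when the manager is not in the table. Values are upper-cased before comparison so that `aes128` and `AES128` are treated alike; whether the notifier itself is case-insensitive is not stated on this page, so keep the canonical spelling in the real file.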

