snmpv3 doc updates #515

Open
1 of 6 tasks
inphobia opened this issue Feb 16, 2024 · 2 comments
@inphobia
Member

inphobia commented Feb 16, 2024

todo

examples and references

  1. current example seems to be based on net-snmp 5.7.2, not 5.9.

    # AuthProto => 'MD5', # MD5|SHA
    # AuthPass => 'authp4ss',
    # PrivProto => 'DES', # DES|AES
    # PrivPass => 'pr1vp4ss',

    go through code & wiki to check.

  2. try and find a portable way to figure out what's supported, or some other uniform way to check.
    net-snmp cli tools seem to contradict:

snmpcmd -H seems to be a hardcoded reply. 5.9.4.pre2 says it does:

    (MD5|SHA|SHA-224|SHA-256|SHA-384|SHA-512)
    (DES|AES|AES-192|AES-256)

man snmpcmd doesn't mention several aes versions

    -x privProtocol
                  Set  the privacy protocol (DES or AES) used for encrypted SNMPv3 messages.

compile options rule out des & md5:

    net-snmp-config --configure-options
        '--enable-blumenthal-aes' '--disable-des' '--disable-md5'

  3. while at it also document cisco specific options

since there is little mention of this (aes192c & aes256c)

https://github.com/net-snmp/net-snmp/blob/75f2aedd88ff0d42a99bd2e29aed749012334bad/snmplib/snmpusm.c#L198-L202

netdisco/netdisco#962 (comment)

  4. at least with netdisco-do can't find the net-snmp version that's being used:

    netdisco-do  show -d 10.40.254.51 -e name -DIISSS >versi 2>&1

    snmpget -V
    NET-SNMP version: 5.9.4.pre2

    % grep -i pre2 versi
    % grep -i 5.9.4 versi

-> nada

  5. examples like:
  • client does not support your auth proto

        snmpbulkwalk   -v 3 -x AES -X SNMPV3priv -a MD5 -A SNMPV3auth -u rouser -l authPriv 1.1.1.1
        Invalid authentication protocol specified after -3a flag: MD5

  • incorrect username

        snmpwalk -v 3 -x AES -X SNMPV3priv -a SHA -A SNMPV3auth -u baduser -l authPriv 1.1.1.1
        snmpwalk: Unknown user name

  • incorrect privacy or authentication key

        snmpwalk -v 3 -x AES -X SNMPV3priv -a SHA -A SNMPV3type -u rouser -l authPriv 1.1.1.1
        snmpwalk: Authentication failure (incorrect password, community or key)

  • something with engineid?
  • minimum & maximum lengths for auth/priv keys (protocol dependent)
  • snmp context example?

  6. done

https://github.com/netdisco/netdisco/wiki/Vendor-Tips#snmpv3-support-on-cisco-ios
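
One way to approach the check asked for in item 2, as an added example that is not part of the issue or of netdisco: a POSIX shell pre-flight that interprets the `net-snmp-config --configure-options` flags quoted above. The function names (`has_opt`, `proto_status`, `preflight`) are hypothetical, and only those three flags are interpreted; anything else, including algorithms that depend on the linked crypto library, is reported as not ruled out rather than as supported.

```shell
#!/bin/sh
# Added example (not netdisco or net-snmp code): read the configure flags of
# the local net-snmp build and report whether an SNMPv3 auth/priv protocol
# was compiled out. Only the three flags quoted in the issue are interpreted.

# Constructed sample: the flags quoted in the issue. In real use:
#   opts=$(net-snmp-config --configure-options)
SAMPLE_OPTS="'--enable-blumenthal-aes' '--disable-des' '--disable-md5'"

# has_opt OPTS FLAG: succeed if FLAG is present as a whole word in OPTS.
has_opt() {
    # Strip shell quoting and fold newlines/tabs so quoted and bare forms match.
    norm=$(printf '%s' "$1" | tr -d "'\"" | tr '\n\t' '  ')
    case " $norm " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# proto_status OPTS PROTO: print one of
#   compiled-out   the build was configured with --disable-<proto>
#   not-enabled    AES-192/256 requested but --enable-blumenthal-aes is absent
#   not-ruled-out  no interpreted flag excludes it (not proof that it works)
proto_status() {
    proto=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case "$proto" in
        MD5) has_opt "$1" --disable-md5 && { echo compiled-out; return 0; } ;;
        DES) has_opt "$1" --disable-des && { echo compiled-out; return 0; } ;;
        AES-192|AES-256)
            has_opt "$1" --enable-blumenthal-aes || { echo not-enabled; return 0; } ;;
    esac
    echo not-ruled-out
}

# preflight OPTS AUTH PRIV: fail if either protocol is unavailable in this build.
preflight() {
    for p in "$2" "$3"; do
        [ "$(proto_status "$1" "$p")" = not-ruled-out ] || return 1
    done
    return 0
}

# Demo on the constructed sample.
for p in MD5 SHA DES AES AES-256; do
    printf '%-8s %s\n' "$p" "$(proto_status "$SAMPLE_OPTS" "$p")"
done
```

Running `preflight` before a poll turns the "Invalid authentication protocol" failure from the examples into a clear statement that the local client build, not the device, is the limiting factor.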

@ollyg
Member

ollyg commented Feb 16, 2024

There's also my Alien::SNMP dist which should bring in the latest net-snmp with all crypto enabled.

It could be an optional or default install.

I think the reason I've not done that so far is that it'll override the installed net-snmp and it's also a pig to uninstall.

@inphobia
Member Author

There's also my Alien::SNMP dist which should bring in the latest net-snmp with all crypto enabled.

true dat, was pondering to mention this but decided to let it be for now since trying to document what we support already got way bigger than i estimated. i'll leave documenting how to get Alien::SNMP compiled, how to run netdisco with a different LD_LIBRARY path and keeping it up to date to someone else :)

the need for using alien::snmp is also both ways, for newer and older algorithms. opensuse tumbleweed no longer has md5 & des support compiled in. not saying using those is a good idea, but most design choices in snmp::info have been made to support as many devices as possible. a bundled net-snmp might become a requirement and/or an update/security nightmare. perhaps one to put on the wishlist :)
