SNMP v3 - remove required engineid from user node
Open, Low | Public | FEATURE REQUEST

Description

Currently it is required to configure an engine ID used to hash the auth/privacy key.

This mechanism only works when it is repeatedly hashed with the global system engineid, which makes the user engineid redundant.

We should have a config migration script which deletes the user's engineid from the running config.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

c-po claimed this task. Sep 1 2018, 12:59 PM
c-po created this task.
c-po updated the task description.
c-po removed a subscriber: c-po.

@Line2 @begetan I added both of you as you seem to use SNMP (probably with v3). What's your opinion on this?

syncer triaged this task as Normal priority. Sep 1 2018, 2:24 PM
pasik added a subscriber: pasik. Nov 4 2018, 11:22 AM
Line2 added a comment. Nov 24 2018, 7:13 PM

I would remove the user engineid. I can't see any useful benefit.

If engineid in user node only provides hashing for auth key I would remove it too.
Since we usually do not assign engine id automatically, it is created for every new hardware installation automatically, so the hash of the auth key becomes non-transferable. In this case we have to keep the plain text password for snmpv3 in our config store, because of automation of provisioning. But I would like to keep a hash instead of a plain text credential.

It is important for engineid to be unique.
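
The non-transferable hash described in the comments above follows from SNMPv3 key localization (RFC 3414, section 2.6 and appendix A.2). The sketch below is an added example, not VyOS code; the two device engine IDs are constructed sample values, and the password and 12-octet engine ID in the self-check are the RFC 3414 appendix A.3 test inputs.

```python
import hashlib

def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: digest 1,048,576 bytes of the password repeated end to end (Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    total = 1048576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(algo, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 2.6: bind Ku to one SNMP engine, Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def localized_keys(password: bytes, engine_ids: dict, algo: str = "sha1") -> dict:
    """Return {device name: hex Kul} for one password across several engines."""
    ku = password_to_key(password, algo)  # the expensive step, done once
    return {name: localize_key(ku, eid, algo).hex() for name, eid in engine_ids.items()}

# Constructed sample engine IDs for two devices (assumption, not from the task).
SAMPLE_ENGINES = {
    "router-a": bytes.fromhex("80001f888000000000000000a1"),
    "router-b": bytes.fromhex("80001f888000000000000000b2"),
}

if __name__ == "__main__":
    # Same password, different engine ID: the stored localized key differs per
    # device, so a key hashed for router-a is rejected when copied to router-b.
    for name, kul in localized_keys(b"maplesyrup", SAMPLE_ENGINES).items():
        print(f"{name}: {kul}")
```

A provisioning system that wants to store only localized keys therefore needs a fixed, known engine ID per device, and each engine ID still has to be unique.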

syncer lowered the priority of this task from Normal to Low. Feb 8 2019, 12:12 AM
syncer added a subscriber: syncer.

@c-po you can proceed with the removal