iReasoning SNMP API FAQ

Q. What is iReasoning SNMP API?
A. iReasoning SNMP API is the industry leading SNMP library, which provides a high performance, cross platform Java API for building network management applications. All SNMP versions (SNMPv1, SNMPv2c and SNMPv3) are fully supported. It is written in Java, and designed from the ground up to support all SNMP versions. There is no legacy code which only for a certain version of SNMP protocol. All code base are highly optimized to maximize performance and minimize overhead.

Q. What're the advantages of iReasoning SNMP API over its competitors?
A. Here are just some of the advantages over our competitors.

  • Ease of use. You can take a look at the example code, such as snmpgetnext.java or snmpwalk.java , to see how easy to implement SNMPv1/v2c/v3 operations
  • High performance. All code bases are highly optimized to maximize performance and minimize overhead
  • The first Java SNMP product to support both DES and strong 128-bit AES encryption algorithms
  • Support for all SNMP versions (SNMPv1, SNMPv2c, SNMPv3)
  • Conforms to the EJB specification
  • Robust and powerful SMIv1/SMIv2 MIB parser
  • Supports both UDP and TCP transport layers

Q. Do SNMP security vulnerabilities reported by CERT affect iReasoning SNMP API?
A. The Finland Oulu University Secure Programming Group ( OUSPG) discovered numerous vulnerabilities in SNMP implementation from many different vendors. Vulnerabilities in the decoding and subsequent processing of SNMP messages by both managers and agents may result in unauthorized privileged access, denial-of-service attacks, or cause unstable behavior.
iReasoning has investigated how these vulnerabilities may impact our SNMP library and has found the following results:

  • VU#107186 - Multiple vulnerabilities in SNMPv1 trap handling
    SNMP trap messages are sent from agents to managers. A trap message may indicate a warning or error condition or otherwise notify the manager about the agent's state. SNMP managers must properly decode trap messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP managers decode and process SNMP trap messages.
    iReasoning SNMP library successfully passed all the 24100 tests in OUSPG test suite! We conclude this advisory does not affect iReasoning SNMP library.
  • VU#854306 - Multiple vulnerabilities in SNMPv1 request handling
    SNMP request messages are sent from managers to agents. Request messages might be issued to obtain information from an agent or to instruct the agent to configure the host device. SNMP agents must properly decode request messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP agents decode and process SNMP request messages.
    This advisory is not applicable to iReasoning SNMP library because it does not have SNMP agent functionality and does not accept SNMP request messages.

Q. Does iReasoning SNMP API conform to the EJB specification?
A. If asynchronous mode is not used, no thread is created. And EJB specification allows client side socket. So SNMP library conform to the EJB specification. However, if asyncSend method in SnmpSession is used, it creates a new thread and violates EJB specification. Asynchronous mode is not recommended to be used in enterprise java beans. SNMP libraries from other vendors create thread no matter which mode to use, they generally do not conform to EJB specification.

Q. How do I get started with this library?
A. First of all, a basic understanding of SNMP and Java is required. User guide (SnmpUserGuide.pdf) provides nice introduction and usage examples about this library. Then you can start with example code shipped with this product. Those example code clearly illustrates how to write simple programs to to do SNMP GetRequest, GetNextRequest, Walk, etc. Example code is also integrated into javadoc help. So you can read them from browsers. You also need an SNMP agent to test with most of example code. If you do not have a agent for testing purpose, you can run the snmpd.exe on windows to start an SNMP agent listening on port 161.

Q. Can I build an SNMP agent with iReasoning SNMP API?
A. No. You can use iReasoning Agent Builder to build SNMP agent.

Q. Which versions of SNMP are supported by iReasoning SNMP library?
A. iReasoning SNMP library support SNMPv1, SNMPv2c and SNMPv3. However if you only purchase license for iReasoning SNMPv2 library, SNMPv3 support is not included.

Q. How's the SNMPv3 support?
A. iReasoning SNMP library fully supports SNMPv3, including the complete VACM and USM security model (HMAC-MD5, HMAC-SHA, CBC-DES, CFB128-AES-128, CFB128-AES-192, CFB128-AES-256). It has successfully passed a number of interoperability tests with other SNMPv3 vendors and their SNMPv3 implementations. Now it is used as a de-facto reference SNMPv3 implementation for other implementers.

Q. What is AES standard? And how does 128-bit AES encryption compare to DES?
A. Excerpt from NIST (National Institute of Standards and Technology) website:

"The Advanced Encryption Standard (AES) is a new Federal Information Processing Standard (FIPS) Publication that will specify a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information. NIST also anticipates that the AES will be widely used on a voluntary basis by organizations, institutions, and individuals outside of the U.S. Government - and outside of the United States - in some cases.

The AES is being developed to replace DES, but NIST anticipates that Triple DES will remain an approved algorithm (for U.S. Government use) for the foreseeable future. Single DES is being phased out of use, and is currently permitted in legacy systems, only.

Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old."

See "The AES Cipher Algorithm in the SNMP User-based Security Model" for more details on AES in SNMP.

Q. How's the performance of your trap receiver program?
A. In our test environment, the snmptrapd.java sample program can handle trap at about 2700 traps/second (which can be higher if trap sender can reach higher sending rate) on a Pentium III 700 machine with 512MB memory, it consistently receives all the traps, while some popular trap receivers cannot catch all of the traps.

Q. How do I run example code?
A.

1. Set up java classpath.
   For example: 
   set classpath=lib\examples.jar;lib\ireasoningsnmp.jar
   (on windows, and assuming on a directory a level higher than lib)
2. Start an SNMP agent. You can run snmpd.exe on windows.
3. Run 
   java snmpget -? 
   to see the usage help.
   Run
   java snmpget localhost sysUpTime
   to get the sysUpTime value from the agent

   Then you can play with other example code.

Q. Is MIB parser included in your API?
A. Yes. MibUtil.parseMib(String fileName) method can parse MIB file and return a data structure representing MIB tree. A sample code, mibparser.java, is included to illustrate the use of mib parser. Here is an output of mibparser.java

Q. Does your SNMP API support IPv6?
A. Yes, if it's used with J2SDK/JRE 1.4. See "Networking IPv6 User Guide for J2SDK/JRE 1.4" for more information. As of JVM 1.4.2, supported operating systems are Solaris (ver 8 and up) and Linux (kernel 2.1.2 and up).

Q. What operating systems does iReasoning SNMP library run on?
A. iReasoning SNMP library is written in Java, so it can run on any OS which has JVM support.

Q.How can I make SNMP requests with object names instead of numeric OIDs?
A. iReasoning SNMP library includes a MIB parser. You need to load MIB files first by using MibUtil.loadMib method. To load MIB-II (RFC1213), you can call MibUtil.loadMib2() method. After necessary MIB files are loaded, you then can use MibUtil class' other method to do translation between object name and numeric OID. Check out example code for more information.

Q. Can I use your SNMP API to develop SNMP agent?
A. No. Our SNMP agent builder is the right tool for agent development.

Q. I don't want to see log message, can I disable Logger?
A. Yes. Add one line of code like the following:
Logger.setLevel(Logger.NONE);

Q. Can I put config files in a directory other than "./config"?
A. Yes. For instance, you want config files in "d:\config", just add one more java environment variable:
java -Dcom.ireasoning.configDir=d:\config ...

Q. Can I use SNMP API to access agent within a Java applet?
A. Yes. Because of security restrictions of Java applet, agent and web server have to be running on the same machine. Check out this applet example.