So net-snmp does not conform to these RFC standards?
(which clearly shows that VACM Authorization is required for
applications generating notification)
RFC2575
----------------
section 1.2 states:
"Access Control also occurs in an SNMP entity when an SNMP
notification message is generated (by a Notification Originator
application)."
"The View-based Access Control Model defines a set of services that an
application (such as a Command Responder or a Notification Originator
application) can use for checking access rights. It is the
responsibility of the application to make the proper service calls
for access checking"
in section 2.5:
"The notify-view represents the set of object instances authorized for
the group when sending objects in a notification, such as when
sending a notification"
RFC2573
---------------
section 3.3. Notification Originator Applications
"The appropriate set of variable-bindings is retrieved from local
MIB instrumentation within the relevant MIB view. The relevant
MIB view is determined by the securityLevel, securityModel,
contextName, and securityName of the management target. To
determine whether a particular object instance is within the
relevant MIB view, the isAccessAllowed abstract service
interface is used, in the same manner as described in the
preceding section. If the statusInformation returned by
isAccessAllowed does not indicate accessAllowed, the
notification is not sent to the management target."
Erez Makavy
-----Original Message-----
From: Dave Shield [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 10, 2006 1:19 PM
To: Makavy, Erez (Erez)
Cc: [EMAIL PROTECTED]; [email protected]
Subject: RE: snmptrap - I don't understand how SNMPv3 traps are sent by
the snmptrap utility.
On Thu, 2006-01-05 at 20:32 +0200, Makavy, Erez (Erez) wrote:
> I meant send traps through the master agent. (not to, sorry)
No - the "snmptrap" command communicates directly with the trap receiver
(e.g. snmptrapd). It doesn't try to work through the agent (which may
not even be running).
> 2) if not then how does the snmptrap access the USM and VACM modules?
It doesn't.
You supply the username, and authentication/privacy settings on the
command line, via suitable command-line options.
This is exactly the same as for any other command-line tool.
The USM and VACM modules are used by the trap *receiver*
to decide whether to process the trap or not. But the
"snmptrap" (sending) command doesn't care.
> 1) doesn't the system sending the trap verify that the trap
> (notification) OID is valid in the View ?
No.
Strictly speaking, it probably should.
But neither the "snmptrap" command-line tool, nor the trap generation
elements of the Net-SNMP agent currently implement this.
Dave
_______________________________________________
Net-snmp-users mailing list
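The sender-side check quoted from RFC 2573 section 3.3 and RFC 2575 above, sketched as an added example that is not part of the thread and not Net-SNMP code. It models only the view-matching step of isAccessAllowed, assuming the group and access-table lookup has already selected the notify view; all function names, view entries and OIDs are constructed for illustration.

```python
# Added example: simplified model of the notify-view check (view lookup only).
# All view entries and OIDs used with it are constructed sample data.

def parse_oid(text):
    """'1.3.6.1' -> (1, 3, 6, 1)"""
    return tuple(int(p) for p in text.strip(".").split("."))

def in_family(oid, subtree, mask=()):
    """vacmViewTreeFamily match; a 0 mask bit wildcards that sub-identifier,
    and positions past the end of the mask are treated as 1 (exact match)."""
    if len(oid) < len(subtree):
        return False
    return all(
        (i < len(mask) and mask[i] == 0) or oid[i] == sub
        for i, sub in enumerate(subtree)
    )

def in_view(oid, view):
    """The matching family with the longest subtree decides (ties: the
    lexicographically greatest subtree); no match means not in view."""
    hits = [e for e in view if in_family(oid, e["subtree"], e.get("mask", ()))]
    if not hits:
        return False
    return max(hits, key=lambda e: (len(e["subtree"]), e["subtree"]))["included"]

def check_notification(trap_oid, varbind_oids, notify_view):
    """Return (send, denied): send is False if the notification OID or any
    variable binding falls outside the target's notify view."""
    oids = [parse_oid(trap_oid)] + [parse_oid(o) for o in varbind_oids]
    denied = [".".join(map(str, o)) for o in oids if not in_view(o, notify_view)]
    return (not denied, denied)

NOTIFY_VIEW = [  # constructed: traps + interfaces, minus ifPhysAddress
    {"subtree": parse_oid("1.3.6.1.6.3.1.1.5"), "included": True},
    {"subtree": parse_oid("1.3.6.1.2.1.2"), "included": True},
    {"subtree": parse_oid("1.3.6.1.2.1.2.2.1.6"), "included": False},
]

if __name__ == "__main__":
    link_down = "1.3.6.1.6.3.1.1.5.3"
    print(check_notification(link_down, ["1.3.6.1.2.1.2.2.1.8.2"], NOTIFY_VIEW))
    print(check_notification(link_down, ["1.3.6.1.2.1.2.2.1.6.2"], NOTIFY_VIEW))
```

A sender that skips this check can place objects in a trap that the target's notify view excludes, which is the gap the reply in this thread acknowledges.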