[AGENT++] No response for empty view instead of noSuchName

Frank Fock fock at agentpp.com
Thu May 17 10:18:28 CEST 2007


Hi Dave,

I am afraid that this is a relic from older days
where the behavior was not clearly defined by the
coexistence RFCs. Returning an error PDU for SNMPv1/v2c
however facilitates brute force attacks, but I do
not see a real degradation of the anyway weak community
based "security".

So I will change this for the next release.

Best regards,
Frank

Dave White | Networking wrote:
> Hi Frank,
>
> If a version1 request is received for a valid community name but there is no
> view in VACM for the access type, then the request is ignored.  I think this
> behavior is wrong.  In my test, I send a version1 Set request but VACM has
> only a read view and no write view.  The result is a timeout by the SNMP
> manager who sent the request.
>
> According to RFC 3415 (VACM, p.10) if the view is empty, then isAccessAllowed
> should return noSuchView.  The code does this functionality correctly.  RFC
> 3413 (SNMP Applications, p.12) states that if isAccessAllowed returns
> noSuchView, then the error-status should become authorizationError.  The code
> does this correctly only if the request is version3, but ignores the request
> if it is not version3 (see RequestList::receive() in request.cpp).  RFC 3584
> (Coexistence between SNMP versions, p25) maps the authorizationError to
> noSuchName.
>
> If I remove the "VACM_noSuchName" case in the RequestList::receive() function
> and let it process the request, AND I add a "SNMP_ERROR_AUTH_ERR" case to the
> RequestList::answer() function to map it to SNMP_ERROR_NO_SUCH_NAME for
> version1 requests, then Agent++ seems to follow my understanding of the RFCs.
>
> Have I interpreted the RFCs correctly?  Do my changes to request.cpp seem
> reasonable?
>
> Thanks,
> Dave
>
> ___________________
> Dave White
> Sr. Software Engineer
> (650) 357-3980

-- 
AGENT++
http://www.agentpp.com
http://www.mibexplorer.com
http://www.mibdesigner.com
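
The mapping chain Dave describes for a Set request (VACM result, then the RFC 3413 error-status, then the RFC 3584 translation for SNMPv1), written out as an added example that is not from the original messages or from Agent++. All type and function names are hypothetical, and the full RFC 3584 section 4.4 table goes beyond the single case discussed in the thread.

```cpp
// Added example: hypothetical names, not Agent++ identifiers or code.
#include <cstdio>

enum class Version { v1, v2c, v3 };
enum class Vacm { accessAllowed, notInView, noSuchView, noSuchContext,
                  noGroupName, noAccessEntry, otherError };
// error-status values as numbered in RFC 3416
enum ErrStatus { noError = 0, tooBig, noSuchName, badValue, readOnly, genErr,
                 noAccess, wrongType, wrongLength, wrongEncoding, wrongValue,
                 noCreation, inconsistentValue, resourceUnavailable, commitFailed,
                 undoFailed, authorizationError, notWritable, inconsistentName };
struct Reply { bool respond; ErrStatus status; };

// RFC 3413 command responder, Set request: outcome of the VACM access check.
Reply setAccessResult(Vacm r) {
  switch (r) {
    case Vacm::accessAllowed: return {true, noError};
    case Vacm::notInView:     return {true, noAccess};
    case Vacm::noSuchView: case Vacm::noGroupName: case Vacm::noAccessEntry:
                              return {true, authorizationError};
    case Vacm::noSuchContext: return {false, noError}; // no Response PDU is built
    case Vacm::otherError:    break;
  }
  return {true, genErr};
}

// RFC 3584 section 4.4: error-status translation for an SNMPv1 response.
ErrStatus toV1(ErrStatus s) {
  switch (s) {
    case wrongValue: case wrongEncoding: case wrongType: case wrongLength:
    case inconsistentValue: return badValue;
    case noAccess: case notWritable: case noCreation: case inconsistentName:
    case authorizationError: return noSuchName;
    case resourceUnavailable: case commitFailed: case undoFailed: return genErr;
    default: return s; // codes SNMPv1 already has are passed through
  }
}

// What the agent sends back for a Set; v2c and v3 keep the v2 error-status.
Reply setResponse(Version v, Vacm r) {
  Reply out = setAccessResult(r);
  if (out.respond && v == Version::v1) out.status = toV1(out.status);
  return out;
}

int main() {
  Reply r = setResponse(Version::v1, Vacm::noSuchView); // the case from the thread
  std::printf("respond=%d error-status=%d\n", r.respond, r.status);
}
```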



