[AGENT++] No response for empty view instead of noSuchName
Frank Fock
fock at agentpp.com
Thu May 17 10:18:28 CEST 2007
Hi Dave,
I am afraid that this is a relic from older days
where the behavior was not clearly defined by the
coexistence RFCs. Returning an error PDU for SNMPv1/v2c
however facilitates brute force attacks, but I do
not see a real degradation of the anyway weak community
based "security".
So I will change this for the next release.
Best regards,
Frank
Dave White | Networking wrote:
> Hi Frank,
>
>
>
> If a version1 request is received for a valid community name but there is no
> view in VACM for the access type, then the request is ignored. I think this
> behavior is wrong. In my test, I send a version1 Set request but VACM has
> only a read view and no write view. The result is a timeout by the SNMP
> manager who sent the request.
>
>
>
> According to RFC 3415 (VACM, p.10) if the view is empty, then isAccessAllowed
> should return noSuchView. The code does this functionality correctly. RFC
> 3413 (SNMP Applications, p.12) states that if isAccessAllowed returns
> noSuchView, then the error-status should become authorizationError. The code
> does this correctly only if the request is version3, but ignores the request
> if it is not version3 (see RequestList::receive() in request.cpp). RFC 3584
> (Coexistence between SNMP versions, p25) maps the authorizationError to
> noSuchName.
>
>
>
> If I remove the "VACM_noSuchName" case in the RequestList::receive() function
> and let it process the request, AND I add a "SNMP_ERROR_AUTH_ERR" case to the
> RequestList::answer() function to map it to SNMP_ERROR_NO_SUCH_NAME for
> version1 requests, then Agent++ seems to follow my understanding of the RFCs.
>
>
>
> Have I interpreted the RFCs correctly? Do my changes to request.cpp seem
> reasonable?
>
>
>
> Thanks,
>
> Dave
>
>
>
> ___________________
>
> Dave White
>
> Sr. Software Engineer
>
> (650) 357-3980
--
AGENT++
http://www.agentpp.com
http://www.mibexplorer.com
http://www.mibdesigner.com
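
The error-status chain discussed in this thread (noSuchView to authorizationError per RFC 3413, then to noSuchName for SNMPv1 per RFC 3584), as an added example that is not part of the original messages and is not AGENT++ code. All type and function names are hypothetical; it covers Set requests only and goes beyond the thread by including the other VACM failure results and the rest of the RFC 3584 v2-to-v1 mapping.

```cpp
#include <cstdio>

// Hypothetical names for illustration; these are not AGENT++ identifiers.
enum class VacmResult { AccessAllowed, NotInView, NoSuchView,
                        NoGroupName, NoAccessEntry, OtherError };
enum SnmpVersion { V1, V2C, V3 };
// error-status codes with their RFC 3416 numeric values.
enum ErrorStatus { noError = 0, tooBig, noSuchName, badValue, readOnly, genErr,
                   noAccess, wrongType, wrongLength, wrongEncoding, wrongValue,
                   noCreation, inconsistentValue, resourceUnavailable,
                   commitFailed, undoFailed, authorizationError, notWritable,
                   inconsistentName };

// RFC 3413: error-status a command responder sets for a Set request,
// given the result of VACM isAccessAllowed.
ErrorStatus statusForSet(VacmResult r) {
    switch (r) {
    case VacmResult::AccessAllowed: return noError;
    case VacmResult::NotInView:     return noAccess;
    case VacmResult::NoSuchView:
    case VacmResult::NoGroupName:
    case VacmResult::NoAccessEntry: return authorizationError;
    default:                        return genErr;  // otherError
    }
}

// RFC 3584 error-status mapping: translate a v2 status for an SNMPv1 response.
ErrorStatus toV1Status(ErrorStatus s) {
    switch (s) {
    case wrongValue: case wrongEncoding: case wrongType:
    case wrongLength: case inconsistentValue:
        return badValue;
    case noAccess: case notWritable: case noCreation:
    case inconsistentName: case authorizationError:
        return noSuchName;
    case resourceUnavailable: case commitFailed: case undoFailed:
        return genErr;
    default:
        return s;  // noError..genErr exist in SNMPv1 and pass through
    }
}

// Status placed in the Response-PDU; no VACM result leads to a silent drop.
ErrorStatus responseStatus(SnmpVersion v, VacmResult r) {
    ErrorStatus s = statusForSet(r);
    return v == V1 ? toV1Status(s) : s;
}

int main() {
    std::printf("v1 Set, noSuchView -> %d\n", responseStatus(V1, VacmResult::NoSuchView));
    std::printf("v3 Set, noSuchView -> %d\n", responseStatus(V3, VacmResult::NoSuchView));
}
```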