[SNMP4J] Snmp Agent security

Matthieu Casanova chocolat.mou at gmail.com
Fri May 5 16:23:26 CEST 2006


Hi, I'm trying to understand the security in the SNMP agent:
for the coexistence info I added this init method in my agent (which extends
BaseAgent)
    public void init() throws IOException
    {
        super.init();
        // Column values for one snmpCommunityTable row (community "public").
        Variable[] com2sec = new Variable[]{
                new OctetString("public"),
                new OctetString("public"),
                agent.getContextEngineID(),
                new OctetString(),
                new OctetString(),
                new Integer32(StorageType.nonVolatile),
                new Integer32()
        };

        SnmpCommunityMIB snmpCommunityMIB = getSnmpCommunityMIB();
        MOTable table = snmpCommunityMIB.getSnmpCommunityEntry();
        MOTableRow row = table.createRow(new OID("1"), com2sec);
        if (row == null)
            LoggerFacility.error(LogType.T_SNMP, "could not create community entry table row");
        else
            table.addRow(row);

        // Column values for the second row (community "private").
        com2sec = new Variable[]{
                new OctetString("private"),
                new OctetString("private"),
                agent.getContextEngineID(),
                new OctetString(),
                new OctetString(),
                new Integer32(StorageType.nonVolatile),
                new Integer32()
        };

        // The second row needs its own index in the table.
        row = table.createRow(new OID("2"), com2sec);
        if (row == null)
            LoggerFacility.error(LogType.T_SNMP, "could not create community entry table row");
        else
            table.addRow(row);
    }

and added the views

    protected void addViews(VacmMIB vacmMIB)
    {
        // Map both communities (security names) to the same group.
        vacmMIB.addGroup(SecurityModel.SECURITY_MODEL_SNMPv2c,
                         new OctetString("public"),
                         new OctetString("v1v2group"),
                         StorageType.nonVolatile);

        vacmMIB.addGroup(SecurityModel.SECURITY_MODEL_SNMPv2c,
                         new OctetString("private"),
                         new OctetString("v1v2group"),
                         StorageType.nonVolatile);

        // Read, write and notify views granted to the group.
        vacmMIB.addAccess(new OctetString("v1v2group"), new OctetString(),
                          SecurityModel.SECURITY_MODEL_SNMPv2c,
                          SecurityLevel.NOAUTH_NOPRIV,
                          VacmMIB.vacmExactMatch,
                          new OctetString("fullReadView"),
                          new OctetString("fullWriteView"),
                          new OctetString("fullNotifyView"),
                          StorageType.nonVolatile);

        // Subtrees included in each view.
        vacmMIB.addViewTreeFamily(new OctetString("fullReadView"),
                                  new OID("1.3"),
                                  new OctetString(),
                                  VacmMIB.vacmViewIncluded,
                                  StorageType.nonVolatile);
        vacmMIB.addViewTreeFamily(new OctetString("fullWriteView"),
                                  new OID("1.3.6.1.4.1.9999.2"),
                                  new OctetString(),
                                  VacmMIB.vacmViewIncluded,
                                  StorageType.nonVolatile);
    }


but if I try to do a SET on 1.3.6.1.4.1.9999.1 (that should be forbidden) I
have an exception
java.lang.Exception: Error 'No such name' generated at: 1.3.6.1.4.1.9999.1 = 1234
    at org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest.requestStatusChanged(SnmpRequest.java:630)
    at org.snmp4j.agent.request.RequestStatus.fireRequestStatusChanged(RequestStatus.java:79)

I understand that this part of the tree is not covered, but how do I forbid
access instead of getting a "no such instance"?

The other question I have is about the coexistence: if I use a community
that is not declared in the coexistence provider, the agent does not respond,
so since it's UDP the MIB browser thinks the packet is lost and launches the
command again. Is that normal?

thanks

Matthieu
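
Added example (not part of the original post and not SNMP4J code): a plain-Java model of the RFC 3415 view check, applied to the two view families registered in addViews() above. The class, record and method names are hypothetical, the sample OIDs other than 1.3.6.1.4.1.9999.1 are constructed, and Java 16+ is assumed for records.

```java
import java.util.*;

// Added example: plain-Java model of the RFC 3415 view check; no SNMP4J classes are used.
public class VacmViewCheck {
    // One vacmViewTreeFamilyTable row (hypothetical record, named for this example).
    record Family(String view, int[] subtree, boolean included) {}

    static int[] oid(String dotted) {
        return Arrays.stream(dotted.split("\\.")).mapToInt(Integer::parseInt).toArray();
    }

    // True when 'subtree' is a prefix of 'oid'. The post uses an empty mask,
    // which means every sub-identifier of the subtree must match exactly.
    static boolean covers(int[] subtree, int[] oid) {
        if (oid.length < subtree.length) return false;
        for (int i = 0; i < subtree.length; i++)
            if (subtree[i] != oid[i]) return false;
        return true;
    }

    // Among the matching families of a view, the longest subtree decides;
    // when no family matches, the OID is not in the view.
    static boolean inView(List<Family> families, String view, String dottedOid) {
        int[] target = oid(dottedOid);
        Family best = null;
        for (Family f : families) {
            if (!f.view().equals(view) || !covers(f.subtree(), target)) continue;
            if (best == null || f.subtree().length > best.subtree().length) best = f;
        }
        return best != null && best.included();
    }

    public static void main(String[] args) {
        // The two families registered in addViews() in the post.
        List<Family> families = List.of(
            new Family("fullReadView", oid("1.3"), true),
            new Family("fullWriteView", oid("1.3.6.1.4.1.9999.2"), true));
        // First OID is the SET target from the post; the second is a constructed sample.
        String[] targets = {"1.3.6.1.4.1.9999.1", "1.3.6.1.4.1.9999.2.1.0"};
        for (String t : targets) {
            System.out.printf("%-24s read=%-5b write=%b%n", t,
                inView(families, "fullReadView", t), inView(families, "fullWriteView", t));
        }
        // fullNotifyView is named in addAccess() but has no family row, so it is empty.
        System.out.println("notify 1.3.6.1.2.1.1.3.0 = "
            + inView(families, "fullNotifyView", "1.3.6.1.2.1.1.3.0"));
    }
}
```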


