Pegasus Enhancement Proposal (PEP)
PEP#: 357
PEP Type: Functional
Title: SNMP v3 trap generation in Pegasus.
Status: Approved
Version History:
Version | Date | Author | Change Description
0.1 | 5th Oct 2010 | Sahana Sampige Prabhakar (sahana@hp.com) | Initial Submission
0.2 | 8th Oct 2010 | Sahana Sampige Prabhakar (sahana@hp.com) | For ballot.
1.0 | 29th Oct 2010 | Sahana Sampige Prabhakar (sahana@hp.com) | Approved.
Abstract: Pegasus added support for generating SNMP v1 and v2c traps in Pegasus version 2.4 (refer to PEP 062). This PEP adds support for generating SNMP v3 traps in Pegasus.
Support for generating SNMP v1 and v2c traps was added to Pegasus by introducing the class PG_IndicationHandlerSNMPMapper, which holds all the details required to generate an SNMP v1 or v2c trap. SNMP v3 introduces a number of new security features, so Pegasus will have to undergo some minimal changes to add support for generating SNMP v3 traps.
SNMP v3 introduces security features that were not present in SNMP v1 and v2c.
Most importantly, each user has a name (the securityName), an authentication type (authProtocol) and a privacy type (privProtocol), as well as an associated key for each of these (authKey and privKey). Authentication is performed by computing a keyed hash (HMAC) over the message with the user's authKey. This proves that the sender holds the key, but it is not a digital signature: any party that holds the key can produce a valid message. The authProtocol can be either MD5 or SHA at this time. authKeys (and privKeys) are generated from a passphrase that must be at least 8 characters in length and are localized with the engine ID of the authoritative SNMP engine, which for a trap is the sender. Encryption is performed by using the user's privKey to encrypt the data portion (the scoped PDU) of the message being sent. The privProtocol can be either AES or DES.
Messages can be sent unauthenticated and unencrypted (noAuthNoPriv), authenticated but unencrypted (authNoPriv), or authenticated and encrypted (authPriv) by setting the securityLevel. Encryption without authentication is not a valid combination.
All of this information is passed to the net-snmp command-line tools using the command-line arguments described in the table below. Additionally, default values can be put in ~/.snmp/snmp.conf using the tokens in the third column.
Parameter | Command Line Flag | snmp.conf token
securityName | -u NAME | defSecurityName NAME
authProtocol | -a (MD5|SHA) | defAuthType (MD5|SHA)
privProtocol | -x (AES|DES) | defPrivType DES
authKey | -A PASSPHRASE | defAuthPassphrase PASSPHRASE
privKey | -X PASSPHRASE | defPrivPassphrase PASSPHRASE
securityLevel | -l (noAuthNoPriv|authNoPriv|authPriv) | defSecurityLevel (noAuthNoPriv|authNoPriv|authPriv)
Context | -n CONTEXTNAME | defContext CONTEXTNAME
These security parameters are required when the SNMP session is created. The trap PDU itself is the same SNMPv2-Trap-PDU used for SNMP v2c; the v3 changes are in the message header and security parameters that wrap it.
1. Support for the security parameters to be passed to snmpIndicationHandler in the PG_IndicationHandlerSNMPMapper class.
2. The OpenPegasus classes snmpDeliverTrap and snmpDeliverTrap_netsnmp need to support SNMP v3.
3. Test cases need to be added to verify SNMP v3 support in OpenPegasus.
1. PG_IndicationHandlerSNMPMapper
The PG_IndicationHandlerSNMPMapper class currently has the following properties:
1. The TargetHost property contains the trap/inform destination.
2. The TargetHostFormat property describes the TargetHost format.
3. The OtherTargetHostFormat property describes an "other" format type.
4. The PortNumber property contains the UDP port number.
5. The SNMPSecurityName property contains the name of the SNMP community (for SNMP v3, the USM securityName).
6. The SNMPVersion property describes the desired SNMP protocol encoding.
7. The SNMPEngineID property contains the SNMP EngineID of the target host.
To support SNMP v3 the following extra properties need to be added:
1. authProtocol
2. privProtocol
3. authKey
4. privKey
2. snmpDeliverTrap::deliverTrap()
This function will need to accept the extra security parameters required to create the SNMP v3 session, i.e. authProtocol, authKey, privProtocol and privKey. The same applies to the two derived classes snmpDeliverTrap_netsnmp and snmpDeliverTrap_stub.
3. snmpDeliverTrap_netsnmp::_createSession()
This function will need to set the extra security parameters while creating the SNMP v3 session. All details required to fill the snmp_session structure are provided to this class via 1 and 2 above.
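The following Python example is added here and is not Pegasus or net-snmp code. It works through the SNMP v3 security parameters described above together with the new PG_IndicationHandlerSNMPMapper properties: the RFC 3414 passphrase-to-key derivation and engine-ID localization behind authKey and privKey, the HMAC-96 authentication parameter that the authKey produces, and the checks on the property combinations that a handler should run before it opens a session. The functions password_to_key, auth_params, verify_auth and usm_session_params, the dict used in place of a CIM instance, the hex-string form assumed for SNMPEngineID and the sample values are all assumptions made for illustration; the two "maplesyrup" keys quoted in the comments are the published RFC 3414 Appendix A.3 test vectors.

```python
# Added example, not Pegasus or net-snmp code: the RFC 3414 USM key handling
# behind the authKey/privKey properties, and the checks a v3 handler should
# run on a PG_IndicationHandlerSNMPMapper instance before opening a session.
import hashlib
import hmac

_HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}
_PRIV_KEY_LEN = {"DES": 16, "AES": 16}  # DES: 8-byte key + 8-byte pre-IV; AES-128: 16
_MAC_LEN = 12                           # HMAC-MD5-96 / HMAC-SHA-96 truncation


def password_to_key(passphrase: str, engine_id: bytes, auth_protocol: str) -> bytes:
    """RFC 3414 A.2: Ku = H(passphrase repeated to 1 MiB), then localize to the
    authoritative engine with Kul = H(Ku || engineID || Ku).
    Vectors (RFC 3414 A.3, passphrase "maplesyrup", engineID 00..00 02):
      MD5 -> 526f5eed9fcce26f8964c2930787d82b
      SHA -> 6695febc9288e36282235fc7151f128497b38f3f"""
    if len(passphrase) < 8:
        raise ValueError("USM passphrases must be at least 8 characters")
    h = _HASHES[auth_protocol]
    pw = passphrase.encode()
    stretched = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = h(stretched).digest()
    return h(ku + engine_id + ku).digest()


def auth_params(kul: bytes, auth_protocol: str, whole_msg: bytes) -> bytes:
    """msgAuthenticationParameters: first 96 bits of HMAC(Kul, wholeMsg), with
    the 12-byte parameter field zeroed inside wholeMsg (RFC 3414 6.3.1 / 7.3.1).
    This is a keyed hash, not a signature: anyone holding Kul can forge it."""
    return hmac.new(kul, whole_msg, _HASHES[auth_protocol]).digest()[:_MAC_LEN]


def verify_auth(kul: bytes, auth_protocol: str, whole_msg: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(auth_params(kul, auth_protocol, whole_msg), mac)


def usm_session_params(mapper: dict) -> dict:
    """Turn the mapper properties (existing SNMPSecurityName and SNMPEngineID,
    proposed authProtocol/privProtocol/authKey/privKey) into v3 session values.
    Assumed for this example: the instance arrives as a dict keyed by property
    name, SNMPEngineID is a hex string and an absent key is ''. For a TRAP the
    sender is the authoritative engine, so the keys are localized with the
    sender's engine ID, the same value the receiver puts in 'createUser -e'."""
    auth_key = mapper.get("authKey") or ""
    priv_key = mapper.get("privKey") or ""
    auth_proto = (mapper.get("authProtocol") or "").upper()
    priv_proto = (mapper.get("privProtocol") or "").upper()

    if priv_key and not auth_key:
        raise ValueError("privacy without authentication is not a USM security level")
    if auth_key and auth_proto not in _HASHES:
        raise ValueError("authProtocol must be MD5 or SHA")
    if priv_key and priv_proto not in _PRIV_KEY_LEN:
        raise ValueError("privProtocol must be DES or AES")

    engine_id = bytes.fromhex(mapper["SNMPEngineID"])
    params = {
        "securityName": mapper["SNMPSecurityName"],
        "securityLevel": "noAuthNoPriv",
        "engineID": engine_id,
    }
    if auth_key:
        params["securityLevel"] = "authNoPriv"
        params["authProtocol"] = auth_proto
        params["authKeyLocalized"] = password_to_key(auth_key, engine_id, auth_proto)
    if priv_key:
        params["securityLevel"] = "authPriv"
        params["privProtocol"] = priv_proto
        # RFC 3414 11.2 / RFC 3826 3.1.2.1: the privacy key is derived with the
        # authentication hash and truncated to the cipher's key length.
        kul = password_to_key(priv_key, engine_id, auth_proto)
        params["privKeyLocalized"] = kul[:_PRIV_KEY_LEN[priv_proto]]
    return params


if __name__ == "__main__":
    # Constructed sample instance; the engine ID is an arbitrary hex string.
    sample = {
        "SNMPSecurityName": "pegasususer",
        "SNMPEngineID": "80001f8880e9bd0b4aea6de749",
        "authProtocol": "SHA", "authKey": "authpass123",
        "privProtocol": "AES", "privKey": "privpass123",
    }
    p = usm_session_params(sample)
    print(p["securityLevel"], p["authKeyLocalized"].hex(), p["privKeyLocalized"].hex())
    msg = b"\x30\x05\x02\x01\x03" + b"\x00" * 12   # constructed stand-in for wholeMsg
    mac = auth_params(p["authKeyLocalized"], "SHA", msg)
    print(verify_auth(p["authKeyLocalized"], "SHA", msg, mac))
```

Localizing the same passphrase with two different engine IDs yields two unrelated keys, which is why the createUser line on the receiving snmptrapd has to carry the sender's engine ID with -e for traps. In net-snmp the same derivation is done by generate_Ku() when the session is built, so the handler's job is to validate the property combination and hand the session the passphrases and the engine ID.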
1. IndicationTestProvider will be modified to send SNMP v3 indications (i.e. send all security parameters in the test indication).
2. snmptrapd.conf needs the following entry to enable SNMP v3 traps to be received on the localhost:
createUser -e <engineId> <username> SHA <authKey> AES
engineId (SNMPEngineID), username (SNMPSecurityName) and authKey must match the values sent in the IndicationTestProvider::invokeMethod() function. Because the line gives no separate privacy passphrase, snmptrapd uses the authentication passphrase for AES as well, so the test provider must send the same value as privKey. The -e engineId is required for traps: the sender is the authoritative engine, so the receiver must localize the user's keys with the sender's engine ID rather than its own.
3. Pegasus/Handler/snmpIndicationHandler/test/testclient/testSnmpHandler.cpp
This test case should create a v3 trap handler and keep a count of v3 traps received for verification.
1. SNMP INFORM support is not added. Only TRAP will be supported.
2. No changes will be made to the Emanate related classes in Pegasus.
The implementation of this PEP will allow Pegasus to generate SNMP v3 traps.
PEP approval by Oct 15 2010.
Function complete by Nov 30th 2010.
Copyright (c) 2009 Hewlett-Packard Development Company, L.P.; IBM Corp.; The Open Group.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Template last modified: February 17th 2009 by Martin Kirk
Template version: 1.15