Pegasus Enhancement Proposal (PEP)

PEP#: 357

PEP Type: Functional

Title:  SNMP v3 trap generation in Pegasus.

Status:  Approved

Version History:

Version   Date            Author                                      Change Description
0.1       5th Oct 2010    Sahana Sampige Prabhakar (sahana@hp.com)    Initial Submission
0.2       8th Oct 2010    Sahana Sampige Prabhakar (sahana@hp.com)    For ballot.
1.0       29th Oct 2010   Sahana Sampige Prabhakar (sahana@hp.com)    Approved.


Abstract: Pegasus added support for generating SNMP v1 and v2c traps in Pegasus version 2.4 (refer to PEP 062). This PEP adds support for generating SNMPv3 traps in Pegasus.


Definition of the Problem

Support for generating SNMP v1 and v2c traps was added to Pegasus by introducing the class PG_IndicationHandlerSNMPMapper. This class holds all the details required to generate an SNMP v1 or v2c trap. SNMPv3, however, introduces several new security features, so Pegasus needs some minimal changes to add support for generating SNMPv3 traps.

Proposed Solution

SNMPv3 Background:

SNMPv3 introduces extra security features which were not present in SNMPv1 and v2.

To summarize: most importantly, each user has a name (called a securityName), an authentication type (authProtocol) and a privacy type (privProtocol), as well as an associated key for each of these (authKey and privKey). Authentication is performed by using a user's authKey to sign the message being sent. The authProtocol can be either MD5 or SHA at this time. authKeys (and privKeys) are generated from a passphrase that must be at least 8 characters in length. Encryption is performed by using a user's privKey to encrypt the data portion of the message being sent. The privProtocol can be either AES or DES.

Messages can be sent unauthenticated and unencrypted (noAuthNoPriv), authenticated but unencrypted (authNoPriv), or authenticated and encrypted (authPriv) by setting the securityLevel to use.

All of this information is passed to commands using the command line arguments described in the table below. Additionally, you can put default values in your ~/.snmp/snmp.conf files using the tokens specified in the 3rd column.

Parameter       Command Line Flag                          snmp.conf token
securityName    -u NAME                                    defSecurityName NAME
authProtocol    -a (MD5|SHA)                               defAuthType (MD5|SHA)
privProtocol    -x (AES|DES)                               defPrivType DES
authKey         -A PASSPHRASE                              defAuthPassphrase PASSPHRASE
privKey         -X PASSPHRASE                              defPrivPassphrase PASSPHRASE
securityLevel   -l (noAuthNoPriv|authNoPriv|authPriv)      defSecurityLevel (noAuthNoPriv|authNoPriv|authPriv)
Context         -n CONTEXTNAME                             defContext CONTEXTNAME

These security parameters are required when the SNMP session is created. The trap PDU format is similar to SNMPv2.

The following changes are required in OpenPegasus to support SNMPv3:

1. Support for the security parameters to be passed to the snmpIndicationHandler in the PG_IndicationHandlerSNMPMapper class.

2. The OpenPegasus classes snmpDeliverTrap and snmpDeliverTrap_netsnmp need to support SNMPv3.

3. Test cases need to be added to verify SNMPv3 support in OpenPegasus.

 

Details about the changes in OpenPegasus

1. PG_IndicationHandlerSNMPMapper

The PG_IndicationHandlerSNMPMapper class currently has the following properties:

1. The TargetHost property contains the trap/inform destination.

2. The TargetHostFormat property describes the TargetHost format.

3. The OtherTargetHostFormat property describes an "other" format type.

4. The PortNumber property contains the UDP port number.

5. The SNMPSecurityName property contains the name of the SNMP Community.

6. The SNMPVersion property describes the desired SNMP protocol encoding.

7. The SNMPEngineID property contains the SNMP EngineID of the Target Host.

To support SNMPv3 the following extra properties need to be added:

1. authProtocol

2. privProtocol

3. authKey

4. privKey

2. snmpDeliverTrap::deliverTrap()

This function will need to accept the extra security parameters required to create the SNMPv3 session, i.e. authProtocol, authKey, privProtocol and privKey. The same applies to the two derived classes, snmpDeliverTrap_netsnmp and snmpDeliverTrap_stub.

3. snmpDeliverTrap_netsnmp::_createSession()

This function will need to specify the extra security parameters while creating the SNMPv3 session. All details required to fill the snmp_session structure are provided to this class via 1 and 2 above.

Testing

1. IndicationTestProvider will be modified to send SNMPv3 indications (i.e. send all security parameters in the test indication).

2. snmptrapd.conf needs to have the following entry to enable SNMPv3 traps to be received on the localhost:

    createUser -e <engineId>  <username> SHA <authKey> AES

engineId (SNMPEngineID), username (SNMPSecurityName) and authKey must match the values sent in the IndicationTestProvider::invokeMethod() function.

3. Pegasus/Handler/snmpIndicationHandler/test/testclient/testSnmpHandler.cpp

This test case should create a v3 trap handler and keep a count of v3 traps received for verification.
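The reason engineId and authKey must match on both sides is that a USM passphrase is never used directly: it is expanded and hashed, then localized with the engine ID. The following is an added illustration, not Pegasus or net-snmp code, of that RFC 3414 procedure for the two authProtocols the PEP supports; "maplesyrup" with engine ID 000000000000000000000002 is the RFC's own test vector, the second engine ID is a constructed value.

```python
import hashlib

# Added example (not Pegasus or net-snmp code): RFC 3414 USM key derivation.
# The passphrase the PEP passes as authKey (privKey uses the same routine)
# becomes a usable key only after localization with the engine ID, so the
# trap sender and the snmptrapd createUser entry agree only if both the
# passphrase and the engine ID are identical.

HASH_FOR_PROTOCOL = {"MD5": "md5", "SHA": "sha1"}  # the PEP's authProtocol values
MEGABYTE = 1048576


def password_to_key(passphrase: bytes, auth_protocol: str) -> bytes:
    """RFC 3414 A.2: hash exactly 1 MiB of the repeated passphrase (Ku)."""
    if len(passphrase) < 8:
        raise ValueError("USM passphrase must be at least 8 characters")
    # Repeat the passphrase until it fills 1,048,576 bytes, then truncate.
    expanded = (passphrase * (MEGABYTE // len(passphrase) + 1))[:MEGABYTE]
    return hashlib.new(HASH_FOR_PROTOCOL[auth_protocol], expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    h = hashlib.new(HASH_FOR_PROTOCOL[auth_protocol])
    h.update(ku + engine_id + ku)
    return h.digest()


def derive_usm_key(passphrase: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Localized key for one (passphrase, engineID, authProtocol) triple."""
    return localize_key(password_to_key(passphrase, auth_protocol), engine_id, auth_protocol)


if __name__ == "__main__":
    # RFC 3414 A.3.1 test vector: "maplesyrup" localized for engine ID ...02.
    rfc_engine = bytes.fromhex("000000000000000000000002")
    print(derive_usm_key(b"maplesyrup", rfc_engine, "MD5").hex())
    # A sender configured with a different engine ID (constructed value)
    # derives a different key, so the receiver's authentication check fails.
    other_engine = bytes.fromhex("000000000000000000000003")
    print(derive_usm_key(b"maplesyrup", other_engine, "MD5").hex())
```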

Not Supported

1. SNMP INFORM support is not added. Only TRAP will be supported.

2. No changes will be made to the Emanate-related classes in Pegasus.

Rationale

The implementation of this PEP will enable generation of SNMPv3 traps from Pegasus.

Schedule

PEP approval by Oct 15 2010.

Function Complete by Nov 30th 2010.

Discussion


Copyright (c) 2009 Hewlett-Packard Development Company, L.P.; IBM Corp.; The Open Group.

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


Template last modified: February 17th 2009 by Martin Kirk
Template version: 1.15