On Mon, Jul 03, 2000 at 10:22:41AM +0200, Juergen Schoenwaelder wrote:
> Guy> the msgSecurityParameters field in SNMPv3 packets using the
> Guy> SNMP V1 or SNMP V2C security model (RFC 2261 says a security
> Guy> model of 1 is "reserved for SNMPv1" and 2 is "reserved for
> Guy> SNMPv2c"; are those models documented anywhere, or are they still
> Guy> reserved?);
>
> There is some confusion here. The community based security model is
> not used with the SNMPv3 message format.

...but the SNMP dissector checks for SNMP_SEC_V1 and SNMP_SEC_V2C in the
code after

	case SNMP_VERSION_3:

that checks the SNMP version number in the SNMP packet, which I infer
means either that

	1) the values "reserved for SNMPv1" and "reserved for SNMPv2c"
	   *are* used with the SNMPv3 message format, and the format of
	   the msgSecurityParameters field in SNMPv3 packets when those
	   "reserved" values are used is documented somewhere

or

	2) the SNMPv3 dissection code should just treat the
	   msgSecurityParameters field as opaque hex data.

Section 5.2.1 of RFC 2576 says:

	5.2.1. Processing An Incoming Request

	In RFC1157 [2], section 4.1, item (3) for an entity which receives a
	message, states that various parameters are passed to the 'desired
	authentication scheme.' The desired authentication scheme in this
	case is the SNMPv1 Community-Based Security Model, which will be
	called using the processIncomingMsg ASI. The parameters passed to
	this ASI are:

	- The messageProcessingModel, which will be 0 (or 1 for SNMPv2c).

	- The maxMessageSize, which should be the maximum size of a
	  message that the receiving entity can generate (since there is
	  no such value in the received message).

	- The securityParameters, which consist of the community string
	  and the message's source and destination transport domains and
	  addresses.

	- The securityModel, which will be 1 (or 2 for SNMPv2c).

	- The securityLevel, which will be noAuthNoPriv.

	- The wholeMsg and wholeMsgLength.

although I don't know whether that section is discussing the way
incoming SNMPv1 or v2c packets are to be processed by a server (which
would suggest that 2) is true), or is also discussing the way in which
the "reserved for SNMPv1" and "reserved for SNMPv2c" values are to be
handled in incoming SNMPv3 packets (which would suggest that 1) is true
and that the msgSecurityParameters field contains the community string -
if "the message's source and destination transport domains and
addresses" are just obtained from the transport-layer and network-layer
headers for the packet).
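
Alternative 2) from the message above, as an added example that is not part of the original post and is not Ethereal's code: the contents of msgSecurityParameters are handed to a structured parser only when the security model is USM (model 3) and the bytes form one well-framed BER SEQUENCE; everything else, including the reserved models 1 and 2, is rendered as opaque hex. All `ex_`/`EX_` names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 1 and 2 are the "reserved" security models quoted in the message;
 * 3 is the User-based Security Model. Names are hypothetical. */
enum { EX_SEC_V1 = 1, EX_SEC_V2C = 2, EX_SEC_USM = 3 };

/* True when p[0..len) is exactly one BER SEQUENCE: tag 0x30 and a
 * short- or long-form length that accounts for all remaining bytes. */
static int ex_is_ber_sequence(const uint8_t *p, size_t len)
{
    size_t hdr = 2, body, n, i;
    if (len < 2 || p[0] != 0x30) return 0;
    body = p[1];
    if (p[1] & 0x80) {              /* long form: low 7 bits = length octets */
        n = p[1] & 0x7f;
        if (n == 0 || n > 4 || n > len - 2) return 0;
        for (body = 0, i = 0; i < n; i++) body = (body << 8) | p[2 + i];
        hdr += n;
    }
    return body == len - hdr;
}

/* Hex-encode as many whole bytes as fit in out (outsz >= 1), NUL-terminated. */
static void ex_hex(const uint8_t *p, size_t len, char *out, size_t outsz)
{
    size_t i, n = 0;
    for (i = 0; i < len && n + 3 <= outsz; i++)
        n += (size_t)snprintf(out + n, outsz - n, "%02x", p[i]);
    out[n] = '\0';
}

/* Returns 1 if the field is framed as USM parameters and can go to a
 * structured parser, 0 if it was written to out as opaque hex, and
 * -1 on invalid arguments. A malformed USM field also falls back to hex. */
int ex_classify_sec_params(int model, const uint8_t *p, size_t len,
                           char *out, size_t outsz)
{
    if (out == NULL || outsz == 0 || (p == NULL && len != 0)) return -1;
    if (model == EX_SEC_USM && ex_is_ber_sequence(p, len)) {
        snprintf(out, outsz, "USM parameters (%lu bytes)", (unsigned long)len);
        return 1;
    }
    ex_hex(p, len, out, outsz);
    return 0;
}
```
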