Navigation :

SnmpApp

SNMP Application Configuration

The N2SVCD SNMP Application listens for inbound SNMP requests and sends outbound SNMP event traps on behalf of other applications.

For SNMP requests received, the SNMP Application queries other applications and prepares responses.

Note that the only security model supported is the USM model defined in RFC 3414, and only SNMP version 3 messages are supported by this application. When forwarding SNMP messages from other applications, the SNMP Application functions as the USM Authoritative SNMP Engine.

Note that the SNMP Application is only required if you wish to process incoming SNMP requests. If an SNMP Application is not available, other components will send SNMP traps as per the global SNMP configuration.

See the N2SVCD Configuration Overview for more information on how the SNMP Application interacts with other components.

A sample minimal configuration for an SNMP Application instance might be:

<?xml version="1.0" encoding="utf-8"?>
<n2svcd>
  ...
  <applications>
    ...
    <application name="SNMP" module="SnmpApp">
      <include><lib>../apps/snmp/lib</lib></include>
      <parameters />
      <config>
        <groups>
          <group name="group1"/>
        </groups>

        <users>
          <user username="user1" group="group1"/>
        </users>

        <views>
          <view name="view1"/>
        </views>

        <accesses>
          <access group="group1" read_view="view1"/>
        </accesses>
      </config>
    </application>
    ...
  </application>
  ...
</n2svcd>

This configuration will:

Start an SNMP server listening using the default address localhost:161,
Have a single user user1 that cannot decrypt nor authenticate any messages,
Not differentiate between any received SNMP context,
Allow access to all read functions for the defined user, and
Forbid access to all write functions for the defined user.

Configuration Details

The application element attributes for a SNMP Application instance may include the below.

For details of the various parameter types used, refer to Common Configuration.

Parameter Name	Type	XML Type	Description
See: Common Application configuration
See: TCP/UDP Application configuration
`module`	String	Attribute	[Required] `SnmpApp`
`include.lib`	String	Element	[Required] `../apps/snmp/lib`
`parameters`	Array	Element	[Required] As per Common Configuration Application `parameters`.
`"edr_enabled"`	-	-	This value is ignored; the SNMP Application does not support writing EDRs.
`"local_port"`	Positive Integer	Attribute	As per common UDP configuration for `local_port`. (Default = `161`)
`"app_wait_secs"`	Positive Integer	Attribute	The number of seconds to wait for all applications to provide requested information to SnmpApp upon receipt of a message. (Default = `2`)
`"trap_history_max"`	Positive Number	Attribute	The maximum number of proxied SNMP traps to keep in a buffer for access via the administrative API. (Default = `100`)
`"map_generate_default"`	String	Attribute	Whether all applications should have an auto-generated SNMP engine ID for all contexts created in the Engine Mappings. Note that any manually-generated engine ID of the same value will prevent an auto-generated entry from being created. Auto-generated SNMP engine IDs are created using the default [SNMP engine ID values](/config.html#snmp-v3-engine-ids). The following values are available for this option: `none`: do not automatically generate any SNMP engine IDs for applications. Only explicit engine mappings will be used. `instances`: automatically generate SNMP engine IDs for each individual application instance, e.g. `App1:0`, `App1:1`, `App2:0`, etc. These mappings will direct inbound messages to a single application instance only. `groups`: automatically generate SNMP engine IDs for each configured application name, e.g. `App1`, `App2`, etc. These mappings will direct inbound messages to all repeated applications for that configured name. `all`: automatically generate SNMP engine IDs as for both `instances` and `groups`. Note that `no_map_query_all` parameter controls whether applications are queried if no match is made to either manual or automatically-generated engine ID mappings. (Default = `all`, add an auto-generated SNMP engine ID mapping for each application group and instance)
`"no_map_query_all"`	Boolean	Attribute	Whether all applications should be queried for SNMP received where no engine and/or context mapping is found in the engine mappings. Note that any matched mapping will be used preferentially regardless of this setting. (Default = `true`, query all applications if no specified mapping found)
`"use_response_vacm"`	Boolean	Attribute	Whether access control should be applied to OIDs within a response based on the user's configured view(s). When true and an OID in the response is not permitted by the applicable `read` view: For SNMP `get-next` requests, the response PDU will contain the SNMP `endOfMibView` value. For all other request types, the response PDU will be as if the original request contained the problem OID. Note that in this case the `index` will be `0`. (Default = `true`, apply VACM to response OIDs
`.auth_username`	String	Element	Explicit configuration for the SNMP username for outbound message invokes from this application, including proxied messages. This parameter only applies when no user parameters are present in the global SNMP trap configuration.
`.auth_password`	String	Element	Explicit configuration for the SNMP password for outbound message invokes from this application, including proxied messages. This parameter only applies when no user parameters are present in the global SNMP trap configuration.
`.auth_key`	String	Element	Explicit configuration for the SNMP authorisation key for outbound message invokes from this application, including proxied messages. This parameter only applies when no user parameters are present in the global SNMP trap configuration.
`.auth_alg`	String	Element	Explicit configuration for the SNMP authorisation algorithm for outbound message invokes from this application, including proxied messages. This parameter only applies when no user parameters are present in the global SNMP trap configuration.
`.auth_username`	String	Element	Explicit configuration for the SNMP encryption password for outbound message invokes from this application, including proxied messages. This parameter only applies when no user parameters are present in the global SNMP trap configuration.
`.privacy_key`	String	Element	Explicit configuration for the SNMP encryption key for outbound message invokes from this application, including proxied messages. This parameter only applies when no user parameters are present in the global SNMP trap configuration.
`.privacy_alg`	String	Element	Explicit configuration for the SNMP encryption algorithm for outbound message invokes from this application, including proxied messages. This parameter only applies when no user parameters are present in the global SNMP trap configuration.
`proxy_pending_max`	Integer `2000`..`10000`	The maximum amount of SNMP traps proxied by this application that may be queued locally for delivery. If this queue is full, old SNMP traps will be discarded in favour of new traps. (Default: `2000`)
`config`	Object	Element	Container for extended configuration for this application.
`.groups`	Array	Element	The available SNMP groups. At least one item must be defined in this section.
`.users`	Array	Element	The available SNMP users. At least one item must be defined in this section.
`.views`	Array	Element	The available SNMP views. At least one item must be defined in this section.
`.accesses`	Array	Element	The available SNMP accesses. At least one item must be defined in this section.
`.engine_mappings`	Array	Element	Non-standard mappings between SNMP engine IDs and N2SVCD applications. This section is optional.

Note that it may be necessary to increase the SNMP application’s admin_alloc application configuration parameter to account for the additional administrative messaging caused by proxying alarms.

SNMP Groups Definition

The SNMP groups definition is a simple list of the available groups for SNMP users to belong to. Only one group is permitted per user, as per RFC 3415. An example configuration might be:

<?xml version="1.0" encoding="utf-8"?>
<n2svcd>
  ...
  <applications>
    ...
    <application name="SNMP" module="SnmpApp">
      ...
      <config>
        ...
        <groups>
          <group name="group1"/>
          <group name="group2"/>
        </groups>
      </config>
    </application>
    ...
  </application>
  ...
</n2svcd>

The following parameters are available for each group within the groups configuration:

Field	Type	Description
`name`	String	[Required] The name of the group, to be referenced for SNMP user definitions.

SNMP Users Definition

Users that can access the SNMP Application from inbound messages must be defined to allow access to available functions.

All users exist only against the SNMP Application engine ID as the authoritative SNMP engine.

An example configuration might be:

<?xml version="1.0" encoding="utf-8"?>
<n2svcd>
  ...
  <applications>
    ...
    <application name="SNMP" module="SnmpApp">
      ...
      <config>
        ...
        <users>
          <user name="no_security_user"
                group="group1"/>
          <user name="auth_only_user"
                group="group2"
                auth_key="0183c5b0eefb85b6dd3181a787219bc5">
          </user>
          <user name="privacy_user" 
                group="group3"
                auth_password="maplesyrup"
                auth_alg="des"
                privacy_password="treacle">
          </user>
        </users>
      </config>
    </application>
    ...
  </application>
  ...
</n2svcd>

The following parameters are available for each user within the users configuration:

Field	Type	Description
`name`	String	[Required] The user name, as received within SNMP messages.
`group`	String	[Required] The name of the group the user is assigned to.
`auth_password`	String	As per global SNMP configuration for `auth_password`.
`auth_key`	String	As per global SNMP configuration for `auth_key`.
`auth_alg`	String	As per global SNMP configuration for `auth_alg`.
`privacy_password`	String	As per global SNMP configuration for `privacy_password`.
`privacy_key`	String	As per global SNMP configuration for `privacy_key`.
`privacy_alg`	String	As per global SNMP configuration for `privacy_alg`.

Note that:

As per RFC 3414, a zero-length username is permitted for discovery purposes. Such a user has no other permissions and may not be defined manually.
Users defined within the users configuration block are used for inbound messages and associated responses only. The user for outbound messages is taken preferentially from the global SNMP configuration or SNMP application user configuration.

SNMP Views Definition

The SNMP views definition is an array of the available views for SNMP accesses. An example configuration might be:

<?xml version="1.0" encoding="utf-8"?>
<n2svcd>
  ...
  <applications>
    ...
    <application name="SNMP" module="SnmpApp">
      ...
      <config>
        ...
        <views>
          <view name="view1">
            <exclude subtree="1.2.3.4"/>
          </view>
          <view name="view2">
            <include subtree="1.2.3.4.*"/>
            <exclude subtree="1.2.3.4.5"/>
            <exclude subtree="1.2.3.4.6"/>
          </view>
        </views>
      </config>
    </application>
    ...
  </application>
  ...
</n2svcd>

The following parameters are available for each view within the views configuration:

Field	Type	Description
`name`	String	[Required] The name of the view, to be referenced for SNMP accesses definitions.
`include` or `exclude`	Element	A view inclusion or exclusion for the view. Zero or more of each element type may be present.

Note that a view without any include or exclude element will be treated as though it has a single include element of *, i.e. a view inclusion that includes all possible OIDs.

SNMP View Inclusion/Exclusion

All SNMP views may have zero or more explicit inclusions or exclusions via configuration of include or exclude elements, respectively.

By default, a view will have full visibility of all available MIB OIDs. However:

if one or more include elements are configured, visibility will be limited to just the scope of the included elements.
if one or more exclude elements are configured, any included elements will have the excluded elements removed.

Exclusions may be configured regardless of whether any inclusions are defined.

Field	Type	Description
`subtree`	String	[Required] A subtree of MIB OID components for inclusion/exclusion, separated by `.` or `:`. These must be the unsigned integer representation of each OID component, i.e. no name mapping is performed. The character `` can be used to allow any value for any OID component, functioning similarly to the `mask` defined in RFCs 3413/3415. Note that specifying a `` character as the final value in an OID will consider all further OIDs within the specified subtree to be considered matched, i.e. the OID is a prefix. Otherwise, matches are only made up to the length of the defined OID.

Note that for defining inclusions and exclusions for views:

A shorter OID request than in an include is not allowed (e.g. a request of 1.2 with include of 1.2.3)
A longer OID request than in an include is allowed when a trailing wildcard is present and disallowed otherwise (e.g. a request of 1.2.3 with include of 1.2.*/1.2 respectively)
A shorter OID request than in an exclude is allowed (e.g. a request of 1.2 with exclude of 1.2.3)
A longer OID request than in an exclude is not allowed when a trailing wildcard is present and allowed otherwise (e.g. a request of 1.2.3 with exclude of 1.2.*/1.2 respectively)

Note that for explicit view control of individual scalar OIDs, 0 must be appended to the OID as per RFC 3781.

SNMP Accesses Definition

SNMP accesses are used to determine the appropriate security options to apply when receiving inbound SNMP messages.

When matching an access to an inbound message, a modified form of the method defined in RFC 3415 in the ASN.1 definition of vacmAccessTable is used:

Identify all accesses that match the group of the received user, have authentication and/or privacy equal to or higher than the message security, and have a matching context (potentially as a prefix).
If only one access matches, use it.
If any accesses fully match the context received, discard any others.
Discard any accesses with shorter contexts than the longest matched context.
Select the first access with the highest authentication and/or privacy security.

<?xml version="1.0" encoding="utf-8"?>
<n2svcd>
  ...
  <applications>
    ...
    <application name="SNMP" module="SnmpApp">
      ...
      <config>
        ...
        <accesses>
          <access group="group1" read_view="view1"/>
          <access group="group1"
                  context="n2svcd"
                  prefix="0"
                  auth="1"
                  priv="0"
                  read_view="view2"
                  write_view="view3"/>
        </accesses>
      </config>
    </application>
    ...
  </application>
  ...
</n2svcd>

The following parameters are available for each access within the accesses configuration:

Field	Type	Description
`group`	String	[Required] The SNMP group that a user must belong to for this access to apply.
`read_view`	String	[Required] The SNMP view that defines which OIDs may be read using this access.
`write_view`	String	The SNMP view that defines which OIDs may be written to using this access. (Default: no write access)
`context`	String	Which received SNMP (case-insensitive) context the access should be used for. Maximum of 32 characters. The character `` may be used to configure a prefix (including on an empty string) which will match all contexts, including the empty (“default”) context. (Default: ``)
`auth`	Boolean	Whether message authentication is required for this access. (Default: `0`)
`priv`	Boolean	Whether message privacy is required for this access. If set, `auth` must also be set. (Default: `0`)

Note that:

auth and priv together set the minimum message security level that is required for access, as per RFC 3415.
No empty (“default”) context is created by default (see RFC 3415). This may be explicitly specified, either as a prefix (functioning as a catch-all) or as a discrete match.

SNMP Engine Mappings

Each N2SVCD application has its own SNMP context engine ID, either set automatically as described in the SNMP trap configuration or manually overridden per-application. Because each N2SVCD application does not expose a listening SNMP port, the SNMP Application is used to broker inbound requests to these applications accordingly.

Default engine IDs may be automatically added to the mappings if configured to do so.

Whenever an SNMP message is received, the engine ID mapping table is checked first for a matching engine and context value before attempting to match to an automatic identifier (without examining context). The first result found via either method is used to attempt to route the message to the applicable application.

If no match can be made, the message will be rejected unless the application is configured to query all applications.

This mapping table is used solely for the PDU context engine ID. The RFC 3414 authoritative engine ID is checked against engine ID configuration.

Note that requests (other than get-next) containing SNMP proxy OIDs are always handled by the receiving SNMP application directly and are never sent to other applications. Information for such OIDs is always taken from the engine mappings table, including any automatically-configured engine IDs.

<?xml version="1.0" encoding="utf-8"?>
<n2svcd>
  ...
  <applications>
    ...
    <application name="SNMP" module="SnmpApp">
      ...
      <config>
        ...
        <engine_mappings>
          <mapping id="8000dcdc0457616c6b65722d342e6e3273766364"
                   app="Watchdog"/>
          <mapping id="8000dcdc0457616c6b65722d342e6e3511223316"
                   context="*"
                   app="N2IWF*"/>
        </engine_mappings>
      </config>
    </application>
    ...
  </application>
  ...
</n2svcd>

The following parameters are available for each mapping within the engine_mappings configuration:

Field	Type	Description
`engine_id`	String	[Required] The (case-insensitive) hexadecimal representation of the SNMP engine ID, as received within SNMP messages._
`app`	String	[Required] The application name (not `module`), as defined in the N2SVCD configuration file. The character `` may be used to configure a prefix (including on an empty string). For explicit application instances (e.g. repeated applications) where `` is not used, the iteration must be specified following a colon (e.g. `abc:1`).
`context`	String	Which received SNMP (case-insensitive) context the mapping should be used for. The character `` may be used to configure a prefix (including on an empty string). (Default: ``)

Application names in the app parameter may be configured in one of three ways to affect how incoming messages are routed:

With no suffix, e.g. Application. Incoming messages matching this engine ID would be sent to all repeated applications, i.e. Application:0 .. Application:n.
With an explicit index, e.g. Application:0. Incoming messages matching this engine ID would be sent to only the matching application instance, i.e. Application:0.
With a wildcard suffix, e.g. Application*. Incoming messages matching this engine ID would be sent to all applications, including repeated applications, matching the pattern, i.e. not only Applicaiton:0 .. Application:n but also, say, ApplicationX:0 .. ApplicationX:n.

In some cases, even if multiple application instances are matched for a request, it will be limited to only the last match (application names are sorted prior to matching). This occurs when:

The PDU type is get-next, or
An OID value type that is not a countable values (e.g. integer-value) is present within the variable bindings.

Receiving applications are free to respond to SNMP requests with arbitrary information. When only a single application instance receives a request, its response will be used verbatim. However, if multiple applications respond to a request:

The value format type for each variable binding is selected in the following order:
1. valueless type unSpecified
2. valueless type noSuchObject
3. valueless type noSuchInstance
4. any value-holding type (e.g. integer-value)
5. valueless type endOfMibView
When variable binding types hold values (e.g. integer-value), the first value type received will set the expected value type. Any subsequent responses received with value-holding types that do not match will be discarded.
The first application response received with a non-zero number of variable bindings will set both the number of expected bindings and the OID for each. Any subsequent responses received with inconsistent variable binding counts or OIDs will be discarded.
When variable binding types hold countable values (e.g. integer-value), the counts for each will be added together at each discrete index in the variable bindings. Note that should the same OID be present at a different index, its value will not be added together with other index positions.
When variable binding types hold uncountable values (e.g. string-value), only the first response for each variable binding value will be used.

Message Handling

In addition to the common Application management messages, the SNMP Application uses the following messages:

!SNMP-S-REQUEST messages (!SNMP-S-REQUEST inbound)
!SNMP-S-RESPONSE messages (!SNMP-S-RESPONSE outbound)
!SNMP-C-REQUEST messages (!SNMP-C-REQUEST outbound)