7. Elements of Procedure for v3MP
This section describes the procedures followed by the SNMPv3 Message Processing Model when generating and processing SNMP messages. The SNMPv3 Message Processing Model interacts with the Security Subsystem when generating and processing messages.
7.1. Prepare an Outgoing SNMP Message
This section describes the procedure followed by the SNMPv3 Message Processing Model when preparing an outgoing SNMP message.
This procedure is invoked by the Dispatcher using the abstract service interface prepareOutgoingMessage.
Procedure:
-
The Message Processing Model uses a Local Configuration Datastore (LCD) to determine the maximum message size supported by the local SNMP engine. This is represented by snmpEngineMaxMessageSize in [RFC3411]. The Message Processing Model also determines the snmpEngineID of the local SNMP engine, which is represented by snmpEngineID in [RFC3411].
-
If the length of the contextEngineID is zero or if it is not equal to the snmpEngineID of the local SNMP engine, the v3MP determines the msgID for the message:
a) If the value of pduType is a Confirmed Class PDU type (Get, GetNext, GetBulk, Set, or Inform), the v3MP creates a fresh msgID that is not in use by any outstanding request. The msgID is what coordinates the request with its response: the responder echoes it, and the requesting v3MP matches the Response or Report against it.
b) If the value of pduType is an Unconfirmed Class PDU type (Trap, Report, Response), no new exchange is opened. For a Response or Report the msgID must be the msgID of the request being answered (kept in the state cached when that request was received); for a Trap the v3MP creates a msgID that is used only internally.
-
The v3MP creates a msgMaxSize. The msgMaxSize is the minimum of:
- the maximum message size supported by the local SNMP engine (snmpEngineMaxMessageSize), and
- the maximum message size that can be supported by the transport domain and transport address used to send the message.
-
The v3MP creates msgFlags. The msgFlags are created based on the securityLevel:
- If securityLevel specifies noAuthNoPriv, then msgFlags auth bit = 0 and priv bit = 0.
- If securityLevel specifies authNoPriv, then msgFlags auth bit = 1 and priv bit = 0.
- If securityLevel specifies authPriv, then msgFlags auth bit = 1 and priv bit = 1.
-
If the pduType is a Confirmed Class PDU type, then the msgFlags reportable bit is set to 1. Otherwise, the msgFlags reportable bit is set to 0.
-
The v3MP creates a scopedPDU using the values of contextEngineID, contextName, and PDU.
-
The v3MP creates a msgSecurityParameters field for the outgoing message. This is done by calling the Security Model identified by the securityModel parameter using the abstract service interface generateRequestMsg or generateResponseMsg, as appropriate.
a) If preparing a Request or Notification, the v3MP calls the Security Model using the abstract generateRequestMsg service interface:
statusInformation = generateRequestMsg(
IN messageProcessingModel -- SNMPv3 in this case
IN globalData -- msgID, msgMaxSize, msgFlags, msgSecurityModel
IN maxMessageSize -- maximum message size as determined above
IN securityModel -- Security Model in use
IN securityEngineID -- authoritative SNMP engine
IN securityName -- principal
IN securityLevel -- Level of Security requested
IN scopedPDU -- message to be secured
OUT securityParameters -- filled in by Security Model
OUT wholeMsg -- complete generated message
OUT wholeMsgLength -- length of the generated message
)
b) If preparing a Response, the v3MP calls the Security Model using the abstract generateResponseMsg service interface:
statusInformation = generateResponseMsg(
IN messageProcessingModel -- SNMPv3 in this case
IN globalData -- msgID, msgMaxSize, msgFlags, msgSecurityModel
IN maxMessageSize -- maximum message size as determined above
IN securityModel -- Security Model in use
IN securityEngineID -- authoritative SNMP engine
IN securityName -- principal
IN securityLevel -- Level of Security
IN scopedPDU -- message to be secured
IN securityStateReference -- reference to security state information
OUT securityParameters -- filled in by Security Model
OUT wholeMsg -- complete generated message
OUT wholeMsgLength -- length of the generated message
)
-
If the statusInformation indicates an error, the v3MP returns the statusInformation to the Dispatcher. Processing of the message is halted.
-
If the statusInformation indicates success, the v3MP returns the outgoingMessage and outgoingMessageLength to the Dispatcher.
7.2. Prepare Data Elements from an Incoming SNMP Message
This section describes the procedure followed by the SNMPv3 Message Processing Model when preparing data elements from an incoming SNMP message.
This procedure is invoked by the Dispatcher using the abstract service interface prepareDataElements.
Procedure:
-
The v3MP parses the incoming message to extract the following fields:
- msgVersion
- msgID
- msgMaxSize
- msgFlags
- msgSecurityModel
- msgSecurityParameters
- scopedPduData
-
If the msgVersion is not 3, the v3MP returns an error to the Dispatcher. Processing of the message is halted.
-
If the message cannot be parsed into these fields (a field is missing, a length runs past the end of the message, or scopedPduData is neither a plaintext ScopedPDU nor an encryptedPDU OCTET STRING), the snmpInASNParseErrs counter [RFC3418] is incremented. The v3MP returns an error to the Dispatcher. Processing of the message is halted.
-
The msgFlags octet (an OCTET STRING of size 1) is parsed to extract the auth (0x01), priv (0x02), and reportable (0x04) bits.
-
If the auth bit is 0 and the priv bit is 1, this is an error. The snmpInvalidMsgs counter [RFC3418] is incremented. The v3MP returns an error to the Dispatcher. Processing of the message is halted.
-
The securityLevel is determined from the msgFlags:
- If auth bit = 0 and priv bit = 0, then securityLevel = noAuthNoPriv
- If auth bit = 1 and priv bit = 0, then securityLevel = authNoPriv
- If auth bit = 1 and priv bit = 1, then securityLevel = authPriv
-
The v3MP calls the Security Model identified by msgSecurityModel using the abstract processIncomingMsg service interface:
statusInformation = processIncomingMsg(
IN messageProcessingModel -- SNMPv3 in this case
IN maxMessageSize -- maximum message size as determined by sender
IN securityParameters -- security parameters from incoming message
IN securityModel -- Security Model in use
IN securityLevel -- Level of Security
IN wholeMsg -- the whole message
IN wholeMsgLength -- length of the whole message
OUT securityEngineID -- authoritative SNMP engine
OUT securityName -- identification of the principal
OUT scopedPDU -- message (plaintext)
OUT maxSizeResponseScopedPDU -- maximum size of Response PDU
OUT securityStateReference -- reference to security state information
)
-
If the statusInformation indicates an error:
a) If the reportable bit is 1 and the Security Model returned an error counter with its statusInformation (for USM: usmStatsUnknownEngineIDs, usmStatsNotInTimeWindows, usmStatsUnknownUserNames, usmStatsWrongDigests, or usmStatsDecryptionErrors), the v3MP constructs a Report PDU carrying that counter and hands it to the Dispatcher through the returnResponsePdu service interface. The sender set the reportable bit because the PDU is Confirmed Class; the receiver keys on the bit rather than on pduType because the PDU may still be unreadable at this point (for example when decryption or authentication failed). Reports such as usmStatsUnknownEngineIDs and usmStatsUnknownUserNames are answered to peers that have not authenticated; USM engine-ID discovery relies on this, so these Reports, and the local snmpEngineID they carry, are observable by anyone who can reach the engine.
b) The v3MP returns the error to the Dispatcher. Processing of the message is halted.
-
If the statusInformation indicates success:
a) The scopedPDU is parsed to extract:
- contextEngineID
- contextName
- data (the PDU)
b) If the scopedPDU cannot be parsed, the snmpInASNParseErrs counter is incremented. The v3MP returns an error to the Dispatcher. Processing of the message is halted.
-
The PDU is parsed to determine the pduType and other PDU-specific information. If the PDU cannot be parsed, the snmpInASNParseErrs counter is incremented, the v3MP returns an error to the Dispatcher, and processing of the message is halted.
-
The v3MP returns the following data elements to the Dispatcher:
- messageProcessingModel (3 for SNMPv3)
- securityModel
- securityName
- securityLevel
- contextEngineID
- contextName
- pduVersion
- PDU
- pduType
- sendPduHandle (for a Response or Report PDU, the handle cached when the corresponding request was sent, looked up by msgID; otherwise none)
- maxSizeResponseScopedPDU
- statusInformation (success)
- stateReference (the securityStateReference from the Security Model, together with the msgID, msgMaxSize, and other header values needed to build a matching Response)
-
Processing is complete.
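The two procedures above, 7.1 and 7.2, as an added example that is not part of RFC 3412 or of any SNMP implementation: a Python model that builds the SNMPv3 wrapper (msgID, msgMaxSize, msgFlags derived from securityLevel and pduType, HeaderData) and then parses it back, applying the msgVersion, msgFlags and ScopedPDU checks of 7.2 and naming the counter each failure increments. The BER helpers, the stand-in for the Security Model (it assumes noAuthNoPriv, empty msgSecurityParameters and a plaintext ScopedPDU), the sample contextEngineID and the default size limits are assumptions of the example.

```python
# v3MP header handling modelled on RFC 3412 sections 7.1 and 7.2 (added example,
# not RFC text or library code). Assumption: the Security Model leaves
# msgSecurityParameters empty and the ScopedPDU in clear (noAuthNoPriv).
import secrets

PDU_TAGS = {0xA0: "Get", 0xA1: "GetNext", 0xA2: "Response", 0xA3: "Set",  # RFC 3416
            0xA5: "GetBulk", 0xA6: "Inform", 0xA7: "Trap", 0xA8: "Report"}
CONFIRMED = {"Get", "GetNext", "GetBulk", "Set", "Inform"}
UNCONFIRMED = {"Trap", "Report", "Response"}
AUTH, PRIV, REPORTABLE = 0x01, 0x02, 0x04          # msgFlags bits, RFC 3412
LEVEL_TO_FLAGS = {"noAuthNoPriv": 0, "authNoPriv": AUTH, "authPriv": AUTH | PRIV}
SNMPV3, USM = 3, 3

# Minimal BER, enough for the SNMPv3 message wrapper.
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def ber_int(v):  # non-negative INTEGER, minimal two's-complement body
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def ber_octets(b): return tlv(0x04, b)
def ber_seq(*items): return tlv(0x30, b"".join(items))

def ber_read(buf, pos):  # decode the TLV at buf[pos] -> (tag, value, next position)
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        if nb == 0 or pos + nb > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length

def read_all(buf):  # SEQUENCE body -> [(tag, value), ...]; a short read raises
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = ber_read(buf, pos)
        out.append((tag, val))
    return out

# 7.1 Prepare an Outgoing SNMP Message
def msg_flags(security_level, pdu_type):
    if pdu_type not in CONFIRMED | UNCONFIRMED:
        raise ValueError("unknown pduType " + pdu_type)
    flags = LEVEL_TO_FLAGS[security_level]
    if pdu_type in CONFIRMED:  # only Confirmed Class PDUs ask for Reports
        flags |= REPORTABLE
    return flags

def scoped_pdu(context_engine_id, context_name, pdu_type, request_id):
    tag = next(t for t, name in PDU_TAGS.items() if name == pdu_type)
    pdu = tlv(tag, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_seq())
    return ber_seq(ber_octets(context_engine_id), ber_octets(context_name), pdu)

def prepare_outgoing(pdu_type, security_level, scoped, msg_id=None,
                     engine_max=65507, transport_max=1472):
    # A Response or Report reuses the request's msgID (caller passes it); else fresh.
    if msg_id is None:
        msg_id = secrets.randbelow(2 ** 31)
    header = ber_seq(ber_int(msg_id), ber_int(min(engine_max, transport_max)),
                     ber_octets(bytes([msg_flags(security_level, pdu_type)])),
                     ber_int(USM))
    # Stand-in for generateRequestMsg/generateResponseMsg (assumed: no parameters, no encryption).
    return ber_seq(ber_int(SNMPV3), header, ber_octets(b""), scoped)

# 7.2 Prepare Data Elements from an Incoming SNMP Message
def prepare_data_elements(whole):
    """Return the data elements, or {'error': ..., 'counter': ...} on failure."""
    try:
        (tag, body), = read_all(whole)
        if tag != 0x30:
            raise ValueError("outer element is not a SEQUENCE")
        (_, ver), (_, hdr), (_, secparams), (pdu_tag, scoped) = read_all(body)
        (_, mid), (_, mmax), (_, flags), (_, smodel) = read_all(hdr)
        if len(flags) != 1:
            raise ValueError("msgFlags must be one octet")
    except ValueError:  # tuple-unpacking errors are ValueErrors too
        return {"error": "parse error", "counter": "snmpInASNParseErrs"}
    if int.from_bytes(ver, "big", signed=True) != SNMPV3:
        return {"error": "msgVersion is not 3", "counter": None}
    f = flags[0]
    if f & PRIV and not f & AUTH:  # privacy without authentication is invalid
        return {"error": "priv bit without auth bit", "counter": "snmpInvalidMsgs"}
    level = {0: "noAuthNoPriv", AUTH: "authNoPriv", AUTH | PRIV: "authPriv"}[f & 3]
    # processIncomingMsg would run here; only a plaintext ScopedPDU (tag 0x30) is modelled.
    if level != "noAuthNoPriv" or pdu_tag != 0x30:
        return {"error": "security model not modelled", "counter": None}
    try:
        (_, ceid), (_, cname), (ptag, _) = read_all(scoped)
        pdu_type = PDU_TAGS[ptag]
    except (ValueError, KeyError):
        return {"error": "scopedPDU parse error", "counter": "snmpInASNParseErrs"}
    return {"msgID": int.from_bytes(mid, "big", signed=True), "securityLevel": level,
            "msgMaxSize": int.from_bytes(mmax, "big", signed=True),
            "securityModel": int.from_bytes(smodel, "big", signed=True),
            "reportable": bool(f & REPORTABLE), "securityParameters": secparams,
            "contextEngineID": ceid, "contextName": cname, "pduType": pdu_type}
```

Building a Get with `prepare_outgoing("Get", "noAuthNoPriv", scoped_pdu(b"\x80\x00\x00\x00\x01", b"", "Get", 42), msg_id=1000)` and feeding the bytes to `prepare_data_elements` returns msgID 1000, msgMaxSize 1472 (the transport limit, being the smaller of the two), reportable set and pduType Get; the same call with "Response" leaves reportable clear. A header whose msgFlags octet is 0x02 comes back with snmpInvalidMsgs, and a message cut short comes back with snmpInASNParseErrs, which is what a fuzzing harness or a detection rule keyed on those counters should expect.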