7. Management Target Translation in Proxy Forwarder Applications

Proxy forwarder applications perform translation of management targets when forwarding SNMP messages. This translation involves mapping incoming message parameters (contextEngineID, contextName, securityModel, securityName, securityLevel) to outgoing message parameters suitable for the target SNMP engine.

The snmpProxyTable defines the translation rules used by proxy forwarders.

7.1. Request Forwarding

Request forwarding involves receiving a command request from a command generator, translating the request parameters, and forwarding the request to a command responder.

7.1.1. Processing an Incoming Request

When a proxy forwarder receives a request:

1. Extract the incoming parameters from the received message:

   • contextEngineID
   • contextName
   • securityModel
   • securityName
   • securityLevel
   • PDU type

2. Look up the snmpProxyTable using these parameters as a key. Specifically, search for an entry where:

   • snmpProxyType is read(1) for read-class PDUs (Get, GetNext, GetBulk) or write(2) for write-class PDUs (Set)
   • snmpProxyContextEngineID matches the incoming contextEngineID
   • snmpProxyContextName matches the incoming contextName
   • snmpProxyTargetParamsIn references target parameters that match the incoming security parameters

3. If no matching entry is found:

   • Generate an error response indicating that the request cannot be forwarded.
   • The specific error depends on the SNMP version and circumstances (e.g., authorizationError, genErr).

4. If a matching entry is found:

   • Extract the snmpProxySingleTargetOut or snmpProxyMultipleTargetOut value.

7.1.2. Forwarding the Request

After finding a matching snmpProxyTable entry:

Single Target Forwarding

If snmpProxySingleTargetOut is specified:

1. Look up the snmpTargetAddrTable using snmpProxySingleTargetOut as the snmpTargetAddrName.

2. Extract the target address information:

   • snmpTargetAddrTDomain (transport domain)
   • snmpTargetAddrTAddress (transport address)
   • snmpTargetAddrParams (reference to snmpTargetParamsTable)

3. Look up the snmpTargetParamsTable using snmpTargetAddrParams.

4. Extract the target security parameters:

   • snmpTargetParamsMPModel (message processing model)
   • snmpTargetParamsSecurityModel
   • snmpTargetParamsSecurityName
   • snmpTargetParamsSecurityLevel

5. Determine the target context:

   • If snmpProxyContextEngineID is empty, use the incoming contextEngineID.
   • Otherwise, use snmpProxyContextEngineID.
   • Similarly for snmpProxyContextName.

6. Translate the PDU if necessary:

   • If the incoming and outgoing SNMP versions differ, translate the PDU format and error codes.
   • For SNMPv1 to SNMPv2: Map error codes, convert trap formats.
   • For SNMPv2 to SNMPv1: Map error codes (e.g., noAccess → genErr), handle exception values.

7. Forward the request using the message processing subsystem's send PDU primitive with the target parameters.

Multiple Target Forwarding

If snmpProxyMultipleTargetOut is specified:

1. Search the snmpTargetAddrTable for all entries where snmpTargetAddrTagList contains the tag specified in snmpProxyMultipleTargetOut.

2. For each matching target address:

   • Follow steps 2-7 of single target forwarding.
   • Note that the original request is duplicated and sent to multiple target addresses.

3. Response handling for multiple targets:

   • Multiple target forwarding is typically used only for read operations.
   • The proxy may need to aggregate responses or return the first successful response.
   • The specific behavior is implementation-dependent.

7.1.3. Forwarding the Response

When the proxy forwarder receives a response from the target command responder:

1. Translate the response PDU if necessary to match the format expected by the original requester.

2. Map the contextEngineID and contextName back to the values expected by the original requester.

3. Return the response using the message processing subsystem's return response PDU primitive.

7.2. Notification Forwarding

Notification forwarding involves receiving a notification from a notification originator and forwarding it to one or more notification receivers.

7.2.1. Processing an Incoming Notification

When a proxy forwarder receives a notification:

1. Extract the incoming parameters:

   • contextEngineID
   • contextName
   • securityModel
   • securityName
   • securityLevel
   • Notification type (trap or inform)

2. Look up the snmpProxyTable using these parameters. Search for an entry where:

   • snmpProxyType is trap(3) for trap notifications or inform(4) for inform notifications
   • snmpProxyContextEngineID matches the incoming contextEngineID (or is empty to match any)
   • snmpProxyContextName matches the incoming contextName (or is empty to match any)
   • snmpProxyTargetParamsIn references target parameters that match the incoming security parameters (or is empty to match any)

3. If no matching entry is found:

   • The notification is not forwarded.
   • The proxy may log this event locally.

4. If a matching entry is found:

   • Extract the snmpProxyMultipleTargetOut value (notification forwarding always uses multiple target forwarding).

7.2.2. Forwarding the Notification

After finding a matching snmpProxyTable entry:

1. Search the snmpTargetAddrTable for all entries where snmpTargetAddrTagList contains the tag specified in snmpProxyMultipleTargetOut.

2. For each matching target address:

   a. Look up the snmpTargetAddrParams in the snmpTargetParamsTable.

   b. Extract the target parameters.

   c. Determine whether to send as trap or inform based on the snmpNotifyTable (if referenced) or use the same type as the incoming notification.

   d. Translate the notification PDU if necessary:

   • SNMPv1 trap to SNMPv2 trap: Convert PDU format, add sysUpTime.0 and snmpTrapOID.0.
   • SNMPv2 trap to SNMPv1 trap: Convert PDU format, extract enterprise, agent-addr, generic-trap, specific-trap.

   e. Forward the notification using the message processing subsystem's send PDU primitive.

3. If the outgoing notification is an inform request:

   • Wait for a response from each target.
   • If the incoming notification was also an inform, aggregate the responses.
   • Return a response to the original notification originator only after receiving responses from all (or a configured subset of) targets.

Translation Examples

Example 1: SNMPv3 to SNMPv1 Request Translation

Incoming Request:

• contextEngineID: 0x80001F8880
• contextName: "publicView"
• securityModel: 3 (USM)
• securityName: "admin"
• securityLevel: authPriv
• PDU: GetRequest

snmpProxyTable Entry:

• snmpProxyType: read(1)
• snmpProxyContextEngineID: 0x80001F8880
• snmpProxyContextName: "publicView"
• snmpProxyTargetParamsIn: "snmpv3Params"
• snmpProxySingleTargetOut: "legacyDevice"

snmpTargetAddrTable Entry (legacyDevice):

• snmpTargetAddrTDomain: snmpUDPDomain
• snmpTargetAddrTAddress: 192.0.2.10:161
• snmpTargetAddrParams: "snmpv1Params"

snmpTargetParamsTable Entry (snmpv1Params):

• snmpTargetParamsMPModel: 0 (SNMPv1)
• snmpTargetParamsSecurityModel: 1 (SNMPv1)
• snmpTargetParamsSecurityName: "public"
• snmpTargetParamsSecurityLevel: noAuthNoPriv

Outgoing Request:

• Transport: UDP to 192.0.2.10:161
• SNMP Version: SNMPv1
• Community: "public"
• PDU: GetRequest (same variable-bindings)

Response Translation:

• Incoming SNMPv1 response is translated back to SNMPv3 format.
• Response is encrypted and authenticated using USM.
• Returned to the original requester.

Example 2: SNMPv1 Trap to SNMPv2 Trap Translation

Incoming SNMPv1 Trap:

• Community: "public"
• enterprise: 1.3.6.1.4.1.9
• agent-addr: 192.0.2.1
• generic-trap: linkDown(2)
• specific-trap: 0
• time-stamp: 12345

snmpProxyTable Entry:

• snmpProxyType: trap(3)
• snmpProxyContextEngineID: "" (match any)
• snmpProxyContextName: "" (match any)
• snmpProxyTargetParamsIn: "" (match any)
• snmpProxyMultipleTargetOut: "snmpv2Targets"

snmpTargetAddrTable Entries with tag "snmpv2Targets": Multiple entries with SNMPv2c or SNMPv3 parameters.

Outgoing SNMPv2/v3 Traps:

• snmpTrapOID.0: 1.3.6.1.6.3.1.1.5.3 (linkDown)
• sysUpTime.0: 12345
• Additional variable-bindings from the original trap.

Special Considerations

Context Translation

The snmpProxyTable allows for context translation:

• An empty snmpProxyContextEngineID or snmpProxyContextName in the table entry means "use the incoming value."
• A non-empty value means "map the incoming context to this outgoing context."

This allows the proxy to map multiple incoming contexts to a single outgoing context, or vice versa.

Security Downgrade Prevention

When translating from a higher security level to a lower one (e.g., SNMPv3 authPriv to SNMPv1 noAuthNoPriv), the proxy should:

1. Log the security downgrade for audit purposes.
2. Apply additional access controls to limit which operations can be downgraded.
3. Consider encrypting the transport (e.g., using IPsec or TLS) to compensate for reduced SNMP-layer security.

Error Handling

Proxies must carefully handle errors:

• Translation Errors: If a PDU cannot be translated (e.g., SNMPv2 exception values in SNMPv1), return an appropriate error.
• Forwarding Errors: If the target is unreachable, return a timeout or network error to the original requester.
• Response Translation Errors: If a response cannot be translated back, log the error and return a genErr to the original requester.

Performance Optimization

Proxy forwarding can be optimized by:

1. Caching table lookups: Cache snmpProxyTable, snmpTargetAddrTable, and snmpTargetParamsTable lookups for frequently used paths.
2. Pre-compiling rules: Convert table entries into an optimized internal format at configuration time.
3. Connection pooling: For TCP-based transport, maintain persistent connections to frequently accessed targets.