Page MenuHomeVyOS Platform

New SNMP resource request - SNMP over TCP
Closed, ResolvedPublicFEATURE REQUEST

Description

Hello.

I request a new resource to comply with rfc3430 chapter 2:
Hello.

I request a new resource to comply with rfc3430 chapter 2:

RFC 3430 Section 2

  1. SNMP over TCP

SNMP over TCP is an optional transport mapping. It is primarily
defined to support more efficient bulk transfer mechanisms within the
SNMP framework [5].

Attached are suggestions for enabling SNMP over TCP.

I would also like to suggest a standard option to define the standard SNMP port similar to what is done in SSH. Example:

set service ssh port 48022
set service snmp port 48161

Option to standardize the SNMP port by the transport protocol:

set service snmp transport udp # <standard, UDP (ipv4 and ipv6)
set service snmp transport tcp # <change to standard tcp (ipv4 and ipv6), without udp
set service snmp transport both # both / all, <tcp and udp, ipv4 and ipv6
set service snmp transport udp-ipv4-only # <explicit udp ipv4 only
set service snmp transport udp-ipv6-only # <explicit udp ipv6 only
set service snmp transport tcp-ipv4-only # <explicit tcp ipv4 only
set service snmp transport tcp-ipv6-only # <explicit tcp ipv6 only

DIFF PATCH:

--- /usr/libexec/vyos/conf_mode/snmp.py	2020-08-04 23:00:46.072910104 +0000
+++ /usr/libexec/vyos/conf_mode/snmp.py	2020-08-04 23:22:04.951136121 +0000
@@ -123,7 +123,7 @@
 {%- endif %}
 
 # Listen
-agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{{ li }}{% endfor %}{% else %},udp:161,udp6:161{% endif %}
+agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{{ li }}{% endfor %}{% else %},udp:161,udp6:161,tcp6:161,tcp:161{% endif %}
 
 # SNMP communities
 {%- for c in communities %}
@@ -555,10 +555,10 @@
 
         if vyos.validate.is_ipv4(addr):
             # example: udp:127.0.0.1:161
-            listen = 'udp:' + addr + ':' + port
+            listen = 'udp:' + addr + ':' + port + ',tcp:' + addr + ':' + port
         else:
             # example: udp6:[::1]:161
-            listen = 'udp6:' + '[' + addr + ']' + ':' + port
+            listen = 'udp6:' + '[' + addr + ']' + ':' + port + ',tcp6:' + '[' + addr + ']' + ':' + port
 
         # We only wan't to configure addresses that exist on the system.
         # Hint the user if they don't exist

Vyos Config:

set service snmp community public authorization 'ro'
set service snmp contact 'Admin'
set service snmp description 'VyOS-Router'
set service snmp location '-22.962002, -43.212348'

CHECK:

cat /etc/snmp/snmpd.conf | egrep -v '(^#|^$)'

OUTPUT:

sysObjectID 1.3.6.1.4.1.44641
sysServices 14
master agentx
agentXPerms 0777 0777
pass .1.3.6.1.2.1.31.1.1.1.18 /opt/vyatta/sbin/if-mib-alias
smuxpeer .1.3.6.1.2.1.83
smuxpeer .1.3.6.1.2.1.157
smuxsocket localhost
iquerySecName vyos799e300d1651f916
notificationEvent linkUpTrap linkUp ifIndex ifDescr ifType ifAdminStatus ifOperStatus
notificationEvent linkDownTrap linkDown ifIndex ifDescr ifType ifAdminStatus ifOperStatus
monitor -r 10 -e linkUpTrap "Generate linkUp" ifOperStatus != 2
monitor -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2
sysDescr VyOS 1.2.5
SysDescr VyOS-Router
agentaddress unix:/run/snmpd.socket,udp:161,udp6:161,tcp6:161,tcp:161
rocommunity public
rocommunity6 public
SysContact Admin
SysLocation -22.962002, -43.212348

With LISTEN:

set service snmp listen-address 127.0.0.1 port '48161'
set service snmp listen-address 172.19.2.125 port '48161'
set service snmp listen-address 2001:db8:19:2::125 port '48161'

Output (/etc/snmp/snmpd.conf):

# Listen
agentaddress unix:/run/snmpd.socket,udp:127.0.0.1:48161,tcp:127.0.0.1:48161,udp:172.19.2.125:48161,tcp:172.19.2.125:48161,udp6:[2001:db8:19:2::125]:48161,tcp6:[2001:db8:19:2::125]:48161,udp6:[::1]:161,tcp6:[::1]:161

Problem:
I do not want door 161 open, I want the door to be 48161 and door 161 must be closed.
So I suggest as a solution the implementation of:

set service snmp port 48161

Testing:

# Test UDP over IPv4:
snmpget -Ir -r6 -t3 -v2c -c public 'udp:172.19.2.125:48161' .1.3.6.1.2.1.1.1.0
   SNMPv2-MIB::sysDescr.0 = STRING: VyOS-Router

# Test TCP over IPv4:
snmpget -Ir -r6 -t3 -v2c -c public 'tcp:172.19.2.125:48161' .1.3.6.1.2.1.1.1.0
   SNMPv2-MIB::sysDescr.0 = STRING: VyOS-Router

# Test UDP over IPv6:
snmpget -Ir -r6 -t3 -v2c -c public 'udp6:[2001:db8:19:2::125]:48161' .1.3.6.1.2.1.1.1.0
   SNMPv2-MIB::sysDescr.0 = STRING: VyOS-Router

# Test TCP over IPv6:
snmpget -Ir -r6 -t3 -v2c -c public 'tcp6:[2001:db8:19:2::125]:48161' .1.3.6.1.2.1.1.1.0
snmpget -Ir -r6 -t3 -v2c -c public 'tcpipv6:[2001:db8:19:2::125]:48161' .1.3.6.1.2.1.1.1.0
   SNMPv2-MIB::sysDescr.0 = STRING: VyOS-Router

Thanks for your attention, I await implementation in 1.2.x or 1.3 rolling soon !

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

srgabrieltelecon triaged this task as Normal priority.
srgabrieltelecon created this object in space S1 VyOS Public.

I find the above mentioned syntax to clumsy:

set service snmp transport udp # <standard, UDP (ipv4 and ipv6)
set service snmp transport tcp # <change to standard tcp (ipv4 and ipv6), without udp
set service snmp transport both # both / all, <tcp and udp, ipv4 and ipv6
set service snmp transport udp-ipv4-only # <explicit udp ipv4 only
set service snmp transport udp-ipv6-only # <explicit udp ipv6 only
set service snmp transport tcp-ipv4-only # <explicit tcp ipv4 only
set service snmp transport tcp-ipv6-only # <explicit tcp ipv6 only

IPv4/IPv6 only can be calculated if only one v4 or one v6 listen address is specified - why not always listen on udp and tcp?

Another idea is to add tcp as option to the listen address, and default to udp (which is current behavior)

Dear friend,
any syntax can be suggested, the problem to be solved is the administrator's willingness to open a port, be it tcp, udp, both, only ipv4, or only ipv6.
If this problem can be solved at the administrator's discretion, it would be a great solution.

dmbaturin changed Is it a breaking change? from Behavior change to Perfectly compatible.
Viacheslav changed the subtype of this task from "Task" to "Feature Request".Jun 7 2021, 6:35 PM
erkin set Issue type to Feature (new functionality).Aug 29 2021, 1:33 PM
erkin removed a subscriber: Global Notifications.
Viacheslav changed the task status from Open to In progress.Oct 25 2021, 6:37 PM
Viacheslav changed the task status from In progress to Needs testing.Oct 25 2021, 7:13 PM