Add basic SNMPv3 configuration and user handling#611
Conversation
| <section xml:id="s.snmpv3_extension"> | ||
| <title>SNMPv3 Device Management Extension (Optional)</title> | ||
| <para> | ||
| This section defines an optional extension to the Device Management Service for supporting Simple Network Management Protocol version 3 (SNMPv3) as specified in <xref linkend="RFC3410"/> and related standards. Devices supporting this extension <emphasis role="bold">shall</emphasis> indicate this capability via the <literal>SNMPv3</literal> flag in the <literal>DeviceServiceCapabilities</literal> (see Section <xref linkend="_Ref468447902"/>). |
There was a problem hiding this comment.
where SNMPv3 capability flag is added in DeviceServiceCapabilities in the PR?
There was a problem hiding this comment.
No.. I forgot to add that, but I've added it now to the Network category
There was a problem hiding this comment.
@ubkr @venki5685 there is an error in the table and the "SNMPv3" is not rendering properly in the table noted in my review comment. Looks to be missing a row section.
| </row> | ||
| <row> | ||
| <entry> | ||
| <para>SNMPv3</para> |
There was a problem hiding this comment.
Error here needs correction. Misalignment between the "SNMPv3" and definition "Indication if the device supports SNMPv3..." and description.
| <section xml:id="s.snmpv3_extension"> | ||
| <title>SNMPv3 Device Management Extension (Optional)</title> | ||
| <para> | ||
| This section defines an optional extension to the Device Management Service for supporting Simple Network Management Protocol version 3 (SNMPv3) as specified in <xref linkend="RFC3410"/> and related standards. Devices supporting this extension <emphasis role="bold">shall</emphasis> indicate this capability via the <literal>SNMPv3</literal> flag in the <literal>DeviceServiceCapabilities</literal> (see Section <xref linkend="_Ref468447902"/>). |
There was a problem hiding this comment.
@ubkr @venki5685 there is an error in the table and the "SNMPv3" is not rendering properly in the table noted in my review comment. Looks to be missing a row section.
| <para role="text">The requested <literal>PrivacyProtocol</literal> is not supported by the Device.</para> | ||
| <para role="param">env:Sender - ter:InvalidArgVal - ter:SNMPUnsupportedSecurityLevel</para> | ||
| <para role="text">The combination of protocols for the specified <literal>SecurityLevel</literal> is not supported, or a required protocol was not specified.</para> | ||
| <para role="param">env:Receiver - ter:ActionNotSupported - ter:MaxSNMPUsersExceeded</para> |
There was a problem hiding this comment.
How does a device user know the "MaxSNMPUsersExceeded" where has it been defined ?
| Keys for authentication and privacy <emphasis role="bold">shall</emphasis> be provided by the Client as base64-encoded binary data using the <literal>tt:BinaryData</literal> type. The Device <emphasis role="bold">shall</emphasis> delocalize these keys using its EngineID as per SNMPv3 USM specifications (<xref linkend="RFC3414"/> Appendix A) before storing them internally. | ||
| </para> | ||
| <section xml:id="s.snmpv3_auth_protocols"> | ||
| <title>Authentication Protocols</title> |
There was a problem hiding this comment.
@HansBusch are these needed to be included in the new security baseline specification? #571
| <itemizedlist> | ||
| <listitem> | ||
| <para> | ||
| <emphasis role="bold">AES-128-CFB:</emphasis> As specified in <xref linkend="RFC3826"/> (OID: <literal>usmAesCfb128Protocol</literal>). This protocol is <emphasis role="bold">REQUIRED</emphasis>. The privacy key length is 16 octets. |
There was a problem hiding this comment.
@HansBusch do we need to also support these protocols "AES-128-CFB" in the Security Baseline doc? #571
|
Propose to remove version from method names to ease any potential future support for v4. |
Adds SNMPv3 configuration, user handling and control.
- Remove AddSNMPUser, DeleteSNMPUser, and GetSNMPUsers operations - Enhance SetSNMPConfiguration to support initial user creation - Remove SNMPUser and SNMPUserConfiguration complex types - Retain security level, authentication, and privacy protocol types - Update capability descriptions for service config + initial user setup - Maintain GetSNMPConfiguration and SetSNMPConfiguration operations
- Remove xml:id attributes from SNMPv3 RFC entries (RFC 3410, 3411, 3414, 3826, 7860) - Replace <xref linkend='RFCxxxx'/> with [RFC xxxx] bracket notation throughout SNMPv3 section - Maintain datatracker.ietf.org URLs for modern RFC access - Align SNMPv3 references with existing document RFC citation style
Rename privacy protocol enumerations from AES_*_CFB to CFB_AES_* to match RFC 3826 naming convention (cipher mode first). Update OID references from usmAesCfb*Protocol to usmAesCfb*PrivProtocol (correct "Priv" suffix). Remove redundant SNMPv1/v2c statement. The CFB_AES_128 pattern better represents cipher mode (CFB) followed by algorithm (AES) and key size, consistent with RFC 3826 specifications.
Standardize terminology from "SNMPv3" to "SNMP" throughout specification while clarifying that only SNMPv3 protocol version is supported. Update section IDs, operation references, and capability flags for consistency. Flatten SetSNMPConfiguration request structure to accept individual parameters rather than nested types.
|
Rebased to current development branch. Some open questions to be adressed later:
|
| <entry>SecurityLevel</entry> | ||
| <entry>tt:SNMPSecurityLevel</entry> | ||
| <entry>optional</entry> | ||
| <entry>Security level for the initial user (noAuthNoPriv, authNoPriv, authPriv). Required if InitialUserName is provided.</entry> |
There was a problem hiding this comment.
Device SecurityLevel supported values should be provided via SNMP Options for the client to choose and configure via SetSNMPConfiguration.
There was a problem hiding this comment.
I've added a SNMPSecurityLevels capability
| </row> | ||
| <row> | ||
| <entry>AuthenticationProtocol</entry> | ||
| <entry>tt:SNMPAuthenticationProtocol</entry> |
There was a problem hiding this comment.
Device AuthenticationProtocol supported values should be provided via SNMP Options for the client to choose and configure via SetSNMPConfiguration.
There was a problem hiding this comment.
I've added a SNMPAuthenticationProtocols capability
| <entry>Authentication protocol. Required if SecurityLevel is authNoPriv or authPriv.</entry> | ||
| </row> | ||
| <row> | ||
| <entry>AuthenticationKey</entry> |
There was a problem hiding this comment.
This parameter should be AuthPassword for Initial User, not AuthKey.
There was a problem hiding this comment.
I changed it to AuthPassword as suggested
| <entry>Privacy protocol. Required if SecurityLevel is authPriv.</entry> | ||
| </row> | ||
| <row> | ||
| <entry>PrivacyKey</entry> |
There was a problem hiding this comment.
This parameter should be PrivacyPassword for Initial User, not PrivacyKey.
There was a problem hiding this comment.
I changed it to PrivacyPassword as suggested
| </row> | ||
| <row> | ||
| <entry>PrivacyProtocol</entry> | ||
| <entry>tt:SNMPPrivacyProtocol</entry> |
There was a problem hiding this comment.
Device PrivacyProtocol supported values should be provided via SNMP Options for the client to choose and configure via SetSNMPConfiguration.
There was a problem hiding this comment.
I've added a SNMPPrivacyProtocols capability
| port is maintained. Valid port range is typically 1-65535. </entry> | ||
| </row> | ||
| <row> | ||
| <entry>InitialUserName</entry> |
There was a problem hiding this comment.
if the current SNMP V3 ONVIF spec is limited with only Initial User creation itself rather than SNMP multi user creation and it's management, the spec should explicitly clarify it's scope for snmp Initial User handling.
There was a problem hiding this comment.
I tried to change the wording so that you can only set the parameters if SNMP is disabled and you make a SetSNMPConfiguration with all the parameters needed. if you want to change your configuration you need to disable SNMP and then redo the SetSNMPConfiguration with all parameters again.
| <wsdl:output message="tds:GetSNMPConfigurationResponse"/> | ||
| </wsdl:operation> | ||
| <wsdl:operation name="SetSNMPConfiguration"> | ||
| <wsdl:documentation>Enables or disables the SNMP service and allows configuration of global SNMP parameters such as engine ID and listening port, in accordance with Core.xml. Only SNMPv3 is supported. Only secure protocols as specified in Core.xml are accepted.</wsdl:documentation> |
There was a problem hiding this comment.
instead of saying Core.xml in the wsdl file, we can use ONVIF-Core-Specification which is published officially.
There was a problem hiding this comment.
Refered to "core specifikation" as done in some other places in the document.
…and clarify parameter descriptions
…ved understanding
Adds basic SNMPv3 configuration to enable SNMPv3 on the device and configure parameters such as the listening port, EngineID, initial user and set its associated secrets.