addSnmpCommunityEntry with multiple items which have the same community string and security name

SNMP4J
1

Hi Frank,
Would you please help to check this issue? Thanks in advance.
It goes like:

  1. addSnmpCommunityEntry was invoked to add several entries which have the same community string and security name. ‘pubset’ was intended for ‘snmpset’ command, while ‘public’ is for ‘snmpget’/‘snmpwalk’.

    [DEBUG] 19-Dec-2021::22:50:19,128 PST UserSecurity consumergroup-1-Thread-10: - addSnmpCommunityEntry index: 0, community: public, securityName: public
    [DEBUG] 19-Dec-2021::22:50:19,130 PST UserSecurity consumergroup-1-Thread-10: - addSnmpCommunityEntry index: 1, community: public, securityName: pubset
    [DEBUG] 19-Dec-2021::22:50:19,130 PST UserSecurity consumergroup-1-Thread-10: - addSnmpCommunityEntry index: 2, community: public, securityName: public
    [DEBUG] 19-Dec-2021::22:50:19,131 PST UserSecurity consumergroup-1-Thread-10: - addSnmpCommunityEntry index: 3, real time community: public, securityName: public

  2. snmpset got an error as:

    [vcapuser@localhost tmp]$ snmpset -c public -v 2c 127.0.0.1 DOCS-SEC-MIB::docsSecSavCfgListRowStatus.“test2”.1 i 6
    DOCS-SEC-MIB::docsSecSavCfgListRowStatus.“test2”.1 = INTEGER: destroy(6)
    [vcapuser@localhost tmp]$ snmpset -c public -v 2c 127.0.0.1 DOCS-SEC-MIB::docsSecSavCfgListRowStatus.“test2”.2 i 6
    Error in packet.
    Reason: noAccess
    Failed object: DOCS-SEC-MIB::docsSecSavCfgListRowStatus.“test2”.2

  3. The log info for snmpset.
    Seems after ‘Looking up coexistence info for ‘public’’, snmp4 only checks the first securityName which is ‘public’. While ‘public’ is not for ‘snmpset’, snmp4j could not find view for it. So the ‘snmpset’ fails.
    Is it possible that snmp4j go on to check the 2nd securityName (‘pubset’ in my case) so that the ‘snmpset’ could succeed?
    Or, addSnmpCommunityEntry should block multiple entries which have the same community string and security name?

    [DEBUG] 19-Dec-2021::22:50:28,002 PST Log4jLogAdapter DefaultUDPTransportMapping_0.0.0.0/161: - Received message from /127.0.0.1/52334 with length 57: 30:37:02:01:01:04:06:70:75:62:6c:69:63:a3:2a:02:04:55:cf:c6:35:02:01:00:02:01:00:30:1c:30:1a:06:15:2b:06:01:04:01:a3:0b:02:01:0b:01:06:01:06:05:74:65:73:74:32:02:02:01:06
    [DEBUG] 19-Dec-2021::22:50:28,004 PST Log4jLogAdapter DefaultUDPTransportMapping_0.0.0.0/161: - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1439680053], stateReference=StateReference[msgID=0,pduHandle=PduHandle[1439680053],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=SET[requestID=1439680053, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2 = 6]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/52334, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@1c486dbb, tmStateReference=TransportStateReference[transport=org.snmp4j.transport.DefaultUdpTransportMapping@1c486dbb, address=0:0:0:0:0:0:0:0/161, securityName=null, requestedSecurityLevel=undefined, transportSecurityLevel=undefined, sameSecurity=false, sessionID=java.net.DatagramSocket@6196ba53, target=null]]
    [DEBUG] 19-Dec-2021::22:50:28,004 PST Log4jLogAdapter DefaultUDPTransportMapping_0.0.0.0/161: - Looking up coexistence info for ‘public’
    [DEBUG] 19-Dec-2021::22:50:28,006 PST Log4jLogAdapter DefaultUDPTransportMapping_0.0.0.0/161: - Found coexistence info for ‘public’=CoexistenceInfo[securityName=public,contextEngineID=32473,contextName=,transportTag=]
    [DEBUG] 19-Dec-2021::22:50:28,006 PST Log4jLogAdapter DefaultUDPTransportMapping_0.0.0.0/161: - Found coexistence info for ‘public’=CoexistenceInfo[securityName=pubset,contextEngineID=32473,contextName=,transportTag=]
    [DEBUG] 19-Dec-2021::22:50:28,006 PST Log4jLogAdapter DefaultUDPTransportMapping_0.0.0.0/161: - Found coexistence info for ‘public’=CoexistenceInfo[securityName=public,contextEngineID=32473,contextName=,transportTag=]
    [DEBUG] 19-Dec-2021::22:50:28,006 PST Log4jLogAdapter DefaultUDPTransportMapping_0.0.0.0/161: - Found coexistence info for ‘public’=CoexistenceInfo[securityName=public,contextEngineID=32473,contextName=,transportTag=]
    [DEBUG] 19-Dec-2021::22:50:28,006 PST GsCommunityMIB DefaultUDPTransportMapping_0.0.0.0/161: - Address 127.0.0.1/52334 passes filter, because source address filtering is disabled
    [DEBUG] 19-Dec-2021::22:50:28,007 PST Log4jLogAdapter SnmpApp.0: - Found group name ‘public’ for secName ‘public’ and secModel 2
    [DEBUG] 19-Dec-2021::22:50:28,008 PST Log4jLogAdapter SnmpApp.0: - Got views [DefaultMOMutableRow2PC[index=6.112.117.98.108.105.99.0.1.1,values=[1, internet, , , 4, 1], DefaultMOMutableRow2PC[index=6.112.117.98.108.105.99.0.2.1,values=[1, internet, , , 4, 1], DefaultMOMutableRow2PC[index=6.112.117.98.108.105.99.0.3.1,values=[1, internet, , , 4, 1]] for group name ‘public’
    [DEBUG] 19-Dec-2021::22:50:28,008 PST Log4jLogAdapter SnmpApp.0: - Matching against access entry DefaultMOMutableRow2PC[index=6.112.117.98.108.105.99.0.1.1,values=[1, internet, , , 4, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=false and matchSecLevel=true
    [DEBUG] 19-Dec-2021::22:50:28,008 PST Log4jLogAdapter SnmpApp.0: - Matching against access entry DefaultMOMutableRow2PC[index=6.112.117.98.108.105.99.0.2.1,values=[1, internet, , , 4, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
    [DEBUG] 19-Dec-2021::22:50:28,008 PST Log4jLogAdapter SnmpApp.0: - Matching against access entry DefaultMOMutableRow2PC[index=6.112.117.98.108.105.99.0.3.1,values=[1, internet, , , 4, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=false and matchSecLevel=true
    [DEBUG] 19-Dec-2021::22:50:28,008 PST Log4jLogAdapter SnmpApp.0: - Matching view found for group name ‘public’ is ‘’
    [DEBUG] 19-Dec-2021::22:50:28,008 PST Log4jLogAdapter SnmpApp.0: - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2,lowerIncluded=true,upperBound=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2,upperIncluded=true] from 1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2 = 6
    [DEBUG] 19-Dec-2021::22:50:28,009 PST Log4jLogAdapter SnmpApp.0: - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2,lowerIncluded=true,upperBound=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2,upperIncluded=true],vb=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2 = 6,status=RequestStatus{processed=false, phaseComplete=false, errorStatus=0},query=null,index=0,targetMO=null,lookupEvent=null]]
    [DEBUG] 19-Dec-2021::22:50:28,010 PST Log4jLogAdapter SnmpApp.0: - Acquired lock on DefaultMOTable[id=1.3.6.1.4.1.4491.2.1.11.1.6.1,index=MOTableIndex{subindexes=[MOTableSubIndex{smiSyntax=4, minLength=1, maxLength=16, oid=1.3.6.1.4.1.4491.2.1.11.1.6.1.1}, MOTableSubIndex{smiSyntax=2, minLength=1, maxLength=1, oid=1.3.6.1.4.1.4491.2.1.11.1.6.1.2}], impliedLength=false, validator=com.nokia.snmpapp.mibs.DocsSecMib$3@245824ec},columns=[org.snmp4j.agent.mo.MOMutableColumn[columnID=3,syntax=2,default=null,mutableInService=true,mandatory=true], org.snmp4j.agent.mo.MOMutableColumn[columnID=4,syntax=4,default=null,mutableInService=true,mandatory=true], org.snmp4j.agent.mo.MOMutableColumn[columnID=5,syntax=66,default=null,mutableInService=true,mandatory=true], com.nokia.snmpapp.mo.snmp.GsRowStatus[columnID=6,syntax=2,default=null,mutableInService=true,mandatory=true]]] for org.snmp4j.agent.request.SnmpRequest[phase=1,errorStatus=0,source=CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=2147483647, pduHandle=PduHandle[1439680053], stateReference=StateReference[msgID=0,pduHandle=PduHandle[1439680053],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=SET[requestID=1439680053, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2 = 6]], messageProcessingModel=1, securityName=public, processed=true, peerAddress=127.0.0.1/52334, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@1c486dbb, tmStateReference=TransportStateReference[transport=org.snmp4j.transport.DefaultUdpTransportMapping@1c486dbb, address=0:0:0:0:0:0:0:0/161, securityName=null, requestedSecurityLevel=undefined, transportSecurityLevel=undefined, sameSecurity=false, sessionID=java.net.DatagramSocket@6196ba53, target=null]],response=RESPONSE[requestID=1439680053, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2 = 6]],transactionID=54,repeaterStartIndex=0,repeaterRowSize=1,reprocessCounter=0,subrequests=[org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2,lowerIncluded=true,upperBound=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2,upperIncluded=true],vb=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2 = 6,status=RequestStatus{processed=false, phaseComplete=false, errorStatus=0},query=org.snmp4j.agent.CommandProcessor$VACMQuery[]=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2<= x <=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2[viewName=],index=0,targetMO=null,lookupEvent=org.snmp4j.agent.MOServerLookupEvent[source=org.snmp4j.agent.CommandProcessor$SetHandler@65f18753]]]]
    [DEBUG] 19-Dec-2021::22:50:28,012 PST Log4jLogAdapter SnmpApp.0: - No view tree family entry for view ‘’
    [DEBUG] 19-Dec-2021::22:50:28,012 PST Log4jLogAdapter SnmpApp.0: - Removed lock on DefaultMOTable[id=1.3.6.1.4.1.4491.2.1.11.1.6.1,index=MOTableIndex{subindexes=[MOTableSubIndex{smiSyntax=4, minLength=1, maxLength=16, oid=1.3.6.1.4.1.4491.2.1.11.1.6.1.1}, MOTableSubIndex{smiSyntax=2, minLength=1, maxLength=1, oid=1.3.6.1.4.1.4491.2.1.11.1.6.1.2}], impliedLength=false, validator=com.nokia.snmpapp.mibs.DocsSecMib$3@245824ec},columns=[org.snmp4j.agent.mo.MOMutableColumn[columnID=3,syntax=2,default=null,mutableInService=true,mandatory=true], org.snmp4j.agent.mo.MOMutableColumn[columnID=4,syntax=4,default=null,mutableInService=true,mandatory=true], org.snmp4j.agent.mo.MOMutableColumn[columnID=5,syntax=66,default=null,mutableInService=true,mandatory=true], com.nokia.snmpapp.mo.snmp.GsRowStatus[columnID=6,syntax=2,default=null,mutableInService=true,mandatory=true]]] by org.snmp4j.agent.request.SnmpRequest[phase=1,errorStatus=0,source=CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=2147483647, pduHandle=PduHandle[1439680053], stateReference=StateReference[msgID=0,pduHandle=PduHandle[1439680053],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=SET[requestID=1439680053, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2 = 6]], messageProcessingModel=1, securityName=public, processed=true, peerAddress=127.0.0.1/52334, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@1c486dbb, tmStateReference=TransportStateReference[transport=org.snmp4j.transport.DefaultUdpTransportMapping@1c486dbb, address=0:0:0:0:0:0:0:0/161, securityName=null, requestedSecurityLevel=undefined, transportSecurityLevel=undefined, sameSecurity=false, sessionID=java.net.DatagramSocket@6196ba53, target=null]],response=RESPONSE[requestID=1439680053, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2 = 6]],transactionID=54,repeaterStartIndex=0,repeaterRowSize=1,reprocessCounter=0,subrequests=[org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2,lowerIncluded=true,upperBound=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2,upperIncluded=true],vb=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2 = 6,status=RequestStatus{processed=false, phaseComplete=false, errorStatus=0},query=org.snmp4j.agent.CommandProcessor$VACMQuery[]=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2<= x <=1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2[viewName=],index=0,targetMO=null,lookupEvent=org.snmp4j.agent.MOServerLookupEvent[source=org.snmp4j.agent.CommandProcessor$SetHandler@65f18753]]]]
    [DEBUG] 19-Dec-2021::22:50:28,015 PST Log4jLogAdapter SnmpApp.0: - No view tree family entry for view ‘’
    [DEBUG] 19-Dec-2021::22:50:28,021 PST Log4jLogAdapter SnmpApp.0: - Cleaning-up sub-request (1.3.6.1.4.1.4491.2.1.11.1.6.1.6.5.116.101.115.116.50.2 = 6) for column: com.nokia.snmpapp.mo.snmp.GsRowStatus[columnID=6,syntax=2,default=null,mutableInService=true,mandatory=true]
    [DEBUG] 19-Dec-2021::22:50:28,022 PST Log4jLogAdapter SnmpApp.0: - Sending message to 127.0.0.1/52334 from 0.0.0.0/161 with length 57: 30:37:02:01:01:04:06:70:75:62:6c:69:63:a2:2a:02:04:55:cf:c6:35:02:01:06:02:01:01:30:1c:30:1a:06:15:2b:06:01:04:01:a3:0b:02:01:0b:01:06:01:06:05:74:65:73:74:32:02:02:01:06
    [DEBUG] 19-Dec-2021::22:50:28,022 PST Log4jLogAdapter SnmpApp.0: - Sending packet to 127.0.0.1/52334

2

The behaviour of the SnmpCommunityMib is defined by RFC 3584 and cannot be changed as suggested. Particularly, section 5.2.1 specifies:

The Community-Based Security Model will attempt to select a row in
the snmpCommunityTable. This is done by performing a search through
the snmpCommunityTable in lexicographic order. The first entry for
which the following matching criteria are satisfied will be selected:

  • The community string is equal to the snmpCommunityName value.

  • If the snmpCommunityTransportTag is an empty string, it is ignored
    for the purpose of matching. If the snmpCommunityTransportTag is
    not an empty string, the transportDomain and transportAddress from
    which the message was received must match one of the entries in
    the snmpTargetAddrTable selected by the snmpCommunityTransportTag
    value. The snmpTargetAddrTMask object is used as described in
    section 5.3 when checking whether the transportDomain and
    transportAddress matches a entry in the snmpTargetAddrTable.

As you can see, the message type (GET or SET) is not a search criteria and multiple entries in the table must be supported to allow selection by transport tag.

3

Thanks Frank for the update.

Regarding to: different securityName share a same community string like:

[DEBUG] 19-Dec-2021::22:50:19,128 PST UserSecurity consumergroup-1-Thread-10: - addSnmpCommunityEntry index: 0, community: public, securityName: public
[DEBUG] 19-Dec-2021::22:50:19,130 PST UserSecurity consumergroup-1-Thread-10: - addSnmpCommunityEntry index: 1, community: public, securityName: pubset

Is there any RFC or SPEC to forbid this?
Would you please give some advice that should we block this configuration or not?
Appreciated.