I am dealing with a private mib which includes some nodes with sensitive information.
I want these node to only be readable by a user who has a private community string.
details:
usersEntry
usersIndex
usersName
usersPassword
I want this sensitive information readable only for users with a community string and not
for users with a private community string.
Unless you are writing an SNMP agent of your own, the flexibility on security depends on the vendor of that agent. Talk to the vendor and you will know the answer.
Generally speaking, for SNMP v2 you won't get what you want, as role based security model was introduced only in SNMP v3,
http://www.rfc-editor.org/rfc/rfc3414.txt
If the vendor happens to also back port RFC3414 support for v2, you should be lucky enough to also use it in v2. If not, you are on your own.
Related
Substrate uses libp2p to do peer discovery and transport.
Is there functionality to advertise additional information from peers using this layer? Or alternatively, use substrate to advertise information without needing to sink that information to the chain?
For instance, the location of additional RPC endpoints attached to the light clients.
Re: shawntabrizi
one big issue about light clients and not storing that data to chain is that light client inherently depend on merkle proofs and this merkle trie is where all the overhead of runtime storage comes from practically speaking, so if you want some light-client verifiable content using only the runtime state, then you are basically stuck with this but you could store only a hash of some file
and then use any other p2p protocol to share that file
and let the light client verify based on the hash
but this would be a third party tool or possibly an offchain worker on top of a substrate client|
You should be able to make modifications to networking to enable different kinds of gossiping for your needs. AFAIK, Polkadot does this: https://github.com/paritytech/polkadot/tree/master/network
a few parties use IPFS, including ourselves at parity, that have investigated IPFS integration. I am not to certain on the latest progress from 3rd party teams, but we had a very old branch that adds an IPFS node along side the Substrate node. Because Substrate and IPFS use LibP2P, this was relatively painless from what I understand.
I'm a software developer with very little knowledge on telco, recently my boss asked me to find a way to request user location with their imsi from the HLR. I have never done such thing before, i work mostly on high end applications. I've done some research, read some articles, like on dialogic.com, but until now i haven't found clear instructions on have to make it.
So can someone explain me what are all the steps i should take in order to make it? I'm working on windows but a linux based solution will be good to. Please consider I'm a newbie.
There is a way to do it, of course, but all depends on the core network. If it is up to 3g, you could (depending on the operator) either do ATI against HLR based on IMSI, or send an SRI-SM query to the HLR and in response get the VLR id.
then send PSI (Provide subscriber info) query with Location Information tag to the VLR which you got from HLR.
In response of PSI the VLR/MSC will respond back with LAC and Cellid of
subscriber. For newer (4-5G) mobile networks, there is an explanation here http://4g5gworld.com/blog/lcs-architecture-lte-eps
The interface to the HLR is usually not an open interface - it is an SS7 based interface on what is a closed network for operators.
The information in the HLR and VLR (Visitor Location Register - a local copy of the HLR on visited switches) and the VLR is not usually available externally. Some of the information would never be shared, but there are some services which will allow you query some HLR info - for example (I have not used these and cannot vouch for them):
https://www.hlr-lookups.com
http://www.vianett.com/en/products/overview/hlr-number-lookup
If you wanted to implement a service like this yourself, you would need a gateway between the IP and SS7 networks.
The HLR lookup service provides information for IMSI and roaming MSC. A MSC have country code and network code. If this is the only information which serves the purpose the , you can get lookup services from any service provider , just by checking the coverage. If you are telecom company and have SS7/Sigtran level access to the mobile operators then can develop your own lookup gateway.
https://www.cspsprotocol.com/what-is-hlr-lookup/
I found what i needed with Telestax Restcomm GMLC server. It's available here
https://github.com/RestComm/gmlc
But be aware that the solution only works on Linux server, because windows does not implement the SCTP Stack.
I know it's an old post, but if it's any help to others, I use a company called Data Soap for HLR lookups and they provide information about phone network, along with the originating country.
https://www.datasoap.co.uk/data-quality-services/hlr-lookup
What is the Major difference in SNMP over DTLS and SNMPv3 USM model, which one to prefer.
TLS and DTLS make use of the Transport Security Model (TSM) security model, defined in RFC5591 which was created as an alternative to the USM security model
The difference is what is the problem each of them wants to resolve.
SNMP v3 USM enhances the SNMP message format itself to add proper integrity check and encryption, so that it can be transferred on probably unsafe wires.
SNMP over DTLS uses another approach that it tries to build safe channels on unsafe wires, and allows the messages to be transferred safely.
You can prefer either of them to achieve significant security improvements over the original SNMP, but please analyze your scenarios carefully and put the following into consideration,
What are the devices in your whole solution?
Whether they support both models? Which one of them only supports one of the model?
Then you can make a decision on which model to choose. As far as I know SNMP v3 USM is more widely supported, but I might be wrong.
before I start I realise there are a few SNMP related questions here already but not many seem to have been answered - that could mean I'm asking in the wrong place but I don't know where else to go at the moment.
I've been reading up as best I can on SNMP for a couple of days but am finding it difficult to get my head around what is meant to be happening. The idea is eventually we will integrate SNMP into our Java application server which will allow the end users to incorporate it into their pre-existing Network Management Systems(NMS).
Unfortunately I'm feeling entirely confused by what is meant to be going on. From what I understood from talking to the end users (which was unfortunately before any research) was that the monitoring allows their existing NMS to give their admin guys a view of the vital statistics in a tree type display, giving them feedback regarding different parts of the system at a high level and allowing them to dig down into specific subsystems.
From reading around we would implement an 'Agent' which has several defined interfaces allowing for GET requests etc to be processed and responded to. That makes sense but I am at a loss to work out what the format of the communication is - there don't seem to be any specific examples of what any of the messages look like, how the information is encoded.
More of my confusion though is regarding Management Information Base(MIB). I had, wrongly, assumed that the interface of the agent would allow for the monitored attributes to be requested and then in turn the values for those attributes requested. Allowing any new Agent to be started and detected without any configuration on the NMS end (with the exception of authentication in v3). This, if I understand correctly, is not the case and the Agent must instead define MIBs which can be used by the NMS to determine those attributes. My confusion is increased when people start referring to thousands of existing MIBs and that they can be reused which I don't understand. Is the intention that a single MIB definition can be used to say describe how a particular attribute of a network device (something simple like internet connected on a router:yes/no) for many different devices? If so I don't believe that our software would allow the monitoring of anything common to any other device/system but should we be looking for already exising MIBs? At the moment I don't really see any good rational for such a system, surely it would be easier for the Agent to export that information - so I'd appreciate it if someone could enlighten me!
I think it would help if I was able to setup a simple SNMP agent and some sort of client, I could begin to see the process and eventually inspect the communication between the two but am finding it difficult to find anywhere that provides any information on doing such a thing. Nagios has been recommended to us as a test 'client'/NMS but their 'get started quick' section recommends downloading a 600Mb virtual machine - surely there is a quicker way to get started?
Any help or suggestions will be appreciated, I have been through the Wiki page but it doesn't seem to go into much detail about the MIBs and the having not had to deal with anything like the referenced RFCs before, while they may contain all of the information they seem completely impenetrable to me at the moment. Or if there are any books that can be recommended for an overview and implementation of v3?
Thanks for reading and even more thanks if you think you can help!
It seems to me that you read all SNMP information piece by piece in an disorganized way. This is highly not recommended and of course lead you to confusion.
What about forgetting what you have learnt so far and dive into a good book such as Essential SNMP?
http://shop.oreilly.com/product/9780596008406.do
Click the Google Preview icon to preview it please.
You could not depend on a network forum to tell you the ABCs, as that's impractical I find out.
The communications interface is SNMP. That's the protocol used for transmission (usually on top of UDP). The thing that services information requests is an SNMP Agent. The thing that sends information requests is an SNMP Manager.
The definition of what information should be made available by the Agent, and requested by the Manager, goes in a MIB. A MIB is the "glue", a directory of what sort of things any particular system can/should offer. It maps numeric codes to names and types that allow us to make sense of the data, much like how a phone directory maps phone numbers to people's names and addresses.
Generally you would create and ship and use your own MIBs that can describe aspects specific to your own product, but you are supposed to service some standard information requests as well, which are defined in existing MIBs. Yes there are thousands of other pre-existing MIBs and the likelihood that you need more than one or two of these is remote. They are typically published versions of MIBs for existing products.
The conventional way to "toy around" is to install Net-SNMP (a software suite that includes an agent implementation and allows you to "bolt on" your own logic and your own MIBs fairly easily) then examine the results using a packet capturer like Wireshark.
For a fuller implementation in production you may stick with Net-SNMP, or write your own Agent software, or do what I did and create a hybrid of the two that's a little more flexible and performant but uses Net-SNMP's backend for handling all the low-level SNMP stuff.
Your first step, though, is to read a book or some other teaching material that can clear all your misconceptions, because guesswork won't cut it.
I had success using the samples from this page. Both the shell and Perl NetSNMP code was very straightforward to implement and query.
Forgive my ignorance if this is a trivial question. I am writing some code to support communication over SNMPv3; our application only supports SNMPv2c currently.
The response object when communicating using SNMPv3 is blank unless I match community strings. I was under the impression that community strings were an "SNMPv2/1 thing" and that "the new way" was to use a username/authentical protocol/privacy protocol.
Wikipedia states that:
Although SNMPv3 makes no changes to the protocol aside from the addition of cryptographic security, it looks much different due to new textual conventions, concepts, and terminology.[1]
This statement leads me to believe that I do, in fact, need to supply community strings, too.
I just wanted to confirm this because it is difficult for me to tell whether I am getting data back because I fulfilled the SNMPv2 requirement or because I successfully fulfilled all the SNMPv3 requirements.
I'm using Dart's SNMP library to communicate with the other device and I have specified that my request should user SNMP version three -- but perhaps it falls back to SNMPv2 behind-the-scenes when given valid SNMP communities?
No, you don't. The internal packet structure changes to a number of new concepts, like the above quote tries to indicate. The protocol side that the above is stating is the same has to do with PDU operations, etc. IE, technically there are 3 versions of SNMP:
version 1: community string based authentication with SMNPv1 PDUs
version 2c: community string based authentication with SNMPv2 PDUs
(the SNMPv2 PDUs add GETBULK, INFORM, and REPORT PDUs)
version 3: modular security with SNMPv2 PDUs
IE, version 3 didn't touch how the actual operations work (it's still using the PDU types from version 2), but merely adds other header-stuff around them (like better and more modular security; in fact we now have 3 different security types to pick from at this point: USM, SSH, and (D)TLS).