[SNMP][IPv6]: Fix to use link local IPv6 address as snmp agentAddress #16013

Merged
merged 4 commits into from
Aug 8, 2023
Changes from 1 commit
17 changes: 14 additions & 3 deletions dockers/docker-snmp/snmpd.conf.j2
Expand Up @@ -16,7 +16,7 @@
# Listen for connections on all ip addresses, including eth0, ipv4 lo for multi-asic platform
# Listen on managment and loopback0 ips for single asic platform
#
{% macro protocol(ip_addr) %}
{% macro get_protocol(ip_addr) %}
{%- if ip_addr|ipv6 -%}
{{ 'udp6' }}
{%- else -%}
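Review bot: Renaming the macro to get_protocol here leaves at least one caller on the old name. The context line in the next hunk header still reads agentAddress {{ protocol(agentip) }}:[{{ agentip }}]{% if port %}..., and the three deletions in this commit are all accounted for elsewhere (the macro line and the two single-asic agentAddress lines), so that call appears untouched. After this change protocol is no longer a macro; it is only a loop-local variable set by {% set protocol = get_protocol(agentip) %}. Please switch that remaining call to get_protocol(agentip), or keep the original macro name and pick a different name for the variable.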
Expand All @@ -32,14 +32,25 @@ agentAddress {{ protocol(agentip) }}:[{{ agentip }}]{% if port %}:{{ port }}{% e
{% if MGMT_INTERFACE is defined %}
{% for if, ip in MGMT_INTERFACE %}
{% set agentip = ip.split('/')[0] %}
agentAddress {{ protocol(agentip) }}:[{{ agentip }}]:161
{% set protocol = get_protocol(agentip) %}
{% if protocol == 'udp6' %}
agentAddress {{ protocol }}:[{{ agentip }}%{{ if }}]:161

Collaborator

Interface name needs to be used only in link local address scenario. For non link local it is not required. Can you please differentiate?

Contributor Author

I verified that it works fine for other IPv6 addresses as well, for example, below is the configuration from T0 VS testbed:

agentAddress udp:[10.250.0.101]:161
agentAddress udp6:[fec0::ffff:afa:1%eth0]:161
agentAddress udp:[10.1.0.32]:161
agentAddress udp6:[FC00:1::32%Loopback0]:161
sudo netstat -tulnp | grep 161
tcp        0      0 127.0.0.1:3161          0.0.0.0:*               LISTEN      298761/snmpd        
udp        0      0 10.1.0.32:161           0.0.0.0:*                           298761/snmpd        
udp        0      0 10.250.0.101:161        0.0.0.0:*                           298761/snmpd        
udp6       0      0 fc00:1::32:161          :::*                                298761/snmpd        
udp6       0      0 fec0::ffff:afa:1:161    :::*                                298761/snmpd 

root@vlab-01:/# snmpget -v2c -c public fec0::ffff:afa:1 1.3.6.1.2.1.1.1.0
iso.3.6.1.2.1.1.1.0 = STRING: "SONiC Software Version: SONiC.master.327516-04a6031b2 - HwSku: Force10-S6000 - Distribution: Debian 11.7 - Kernel: 5.10.0-18-2-amd64"

Collaborator

Conceptually speaking, the scope ID is applicable only for link local address https://learn.microsoft.com/en-us/previous-versions/aa921042(v=msdn.10).
Please refer to RFC https://datatracker.ietf.org/doc/html/rfc6874

The IPv6 Scoped Address Architecture specification [RFC4007] offers
guidance on how the ZoneID affects interface/address selection inside
the IPv6 stack. Note that the behaviour of an IPv6 stack, if it is
passed a non-null zone index for an address other than link-local, is
undefined.

Please refer to section 4 under security.
To limit this risk, implementations MUST NOT allow use of this format
except for well-defined usages, such as sending to link-local
addresses under prefix fe80::/10. At the time of writing, this is
the only well-defined usage known.

Contributor Author

OK, so it will be better to check if the IPv6 address starts with Fe80 and use the zone ID only for that IP?

Collaborator

Yes. That should be good

{% else %}
agentAddress {{ protocol }}:[{{ agentip }}]:161
{% endif %}
{% endfor %}
{% endif %}
{% if LOOPBACK_INTERFACE is defined %}
{% for lo in LOOPBACK_INTERFACE %}
{% if lo | length == 2 %}
{% set agentip = lo[1].split('/')[0] %}
agentAddress {{ protocol(agentip) }}:[{{ agentip }}]:161
{% set if = lo[0] %}
{% set protocol = get_protocol(agentip) %}
{% if protocol == 'udp6' %}
agentAddress {{ protocol }}:[{{ agentip }}%{{ if }}]:161
{% else %}
agentAddress {{ protocol }}:[{{ agentip }}]:161
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
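Review bot: The zone ID is appended to every udp6 address, in both the MGMT_INTERFACE and LOOPBACK_INTERFACE loops, because the only test is {% if protocol == 'udp6' %}. RFC 6874, as quoted in the thread, defines the %zone form only for link-local addresses under fe80::/10 and calls the behaviour for other addresses undefined, so the condition should test for link-local rather than for IPv6 in general, and the loopback loop needs the same change as the management loop. If this is done as a string prefix check, make it case-insensitive, since the sample configuration in the thread carries an upper-case address (FC00:1::32). Minor style point: using if as a variable name ({% set if = lo[0] %}, {{ if }}) reads like the Jinja keyword; a name such as intf would be clearer.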
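The rule the reviewers settle on in the thread (zone ID only for link-local addresses under fe80::/10), written out as an added Python example that is not part of this PR or of the SONiC code base. The names agent_address, render and IFNAME_RE, the interface-name pattern and the prefix lengths are assumptions made for illustration, and addresses are normalized by Python's ipaddress module rather than copied verbatim as the template does.

```python
import ipaddress
import re

# Assumption: a conservative pattern for Linux interface names, so the zone ID
# cannot carry whitespace or newlines into the generated snmpd.conf.
IFNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def agent_address(cidr, ifname, port=161):
    """Return one agentAddress line for an 'address/prefixlen' string.

    '%ifname' is appended only when the address is IPv6 link-local
    (fe80::/10), the one usage RFC 6874 describes as well defined.
    """
    ip = ipaddress.ip_address(cidr.split("/")[0])
    if ip.version == 4:
        return f"agentAddress udp:[{ip}]:{port}"
    if not ip.is_link_local:
        # Global, unique-local and site-local addresses get no zone ID.
        return f"agentAddress udp6:[{ip}]:{port}"
    if not ifname or not IFNAME_RE.fullmatch(ifname):
        raise ValueError(f"link-local {ip} needs a valid interface name")
    return f"agentAddress udp6:[{ip}%{ifname}]:{port}"


def render(interfaces):
    """Render agentAddress lines for (ifname, cidr) pairs."""
    return [agent_address(cidr, ifname) for ifname, cidr in interfaces]


# Constructed input: the four addresses from the thread's testbed output
# (prefix lengths are made up) plus two constructed link-local addresses.
SAMPLE = [
    ("eth0", "10.250.0.101/24"),
    ("eth0", "fec0::ffff:afa:1/64"),
    ("Loopback0", "10.1.0.32/32"),
    ("Loopback0", "FC00:1::32/128"),
    ("eth0", "FE80::1/64"),   # upper case still falls in fe80::/10
    ("eth0", "febf::2/64"),   # inside fe80::/10 although it does not start with 'fe80'
]

if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
```

The last sample entry shows why a membership test against fe80::/10 and a "starts with fe80" string check can disagree.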