Re: MIB
>>>>> RJ Atkinson writes:
RJ> Several folks have COMPLETELY missed the issue, so please let
RJ> me start over and try to explain from the top:
RJ> The original proposal was for DESCRIPTION text for a specific
RJ> OID in the OSPF that said that if a particular OSPF implementation
RJ> did NOT implement SNMPv3, then a particular OID (one enabling OSPF
RJ> cryptographic authentication) would be MAX-ACCESS of READ-ONLY,
RJ> but that if the agent DID implement SNMPv3, then that OID would
RJ> have a MAX-ACCESS of READ-CREATE.
RJ> In short, the original proposal was that the MAX-ACCESS would
RJ> be a function of what security mechanisms were implemented and
RJ> hence were --AVAILABLE-- to the operator.
I think such a MIB definition is broken. The MAX-ACCESS clause is
designed to define what operation (e.g. reading or writing) makes
sense with respect to the semantics of a given object type. Of course,
it makes sense to write the object type in question.
You are saying that write access to this object type should be denied
unless you use a security level higher than noAuth/noPriv. This rule
certainly makes sense - but it has nothing to do with the MAX-ACCESS
clause - it is an access control issue.
And as Bert already pointed out, the difference is important for some
agent implementation environments where the instrumentation has no
clue whether the write operation had a noAuth/noPriv security level or
not.
We are going in circles.
I suggest writing up a clear security considerations section (even if
it is only for the IESG :-) and defining a compliance statement which
only requires MIN-ACCESS read-only for the relevant object types.
This worked in the past, and it will work in this case.
/js
--
Juergen Schoenwaelder, Technical University Braunschweig
Dept. Operating Systems & Computer Networks
Bueltenweg 74/75, 38106 Braunschweig, Germany
<schoenw@ibr.cs.tu-bs.de>  <URL:http://www.ibr.cs.tu-bs.de/~schoenw/>
Phone: +49 531 391 3289  Fax: +49 531 391 5936
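The point made above, that "write only with an authenticated security level" belongs in access control rather than in the MAX-ACCESS clause, can be shown with a small model of an SNMPv3 agent. The following is an added example written for this archive page; it is not code from the message, from the OSPF MIB, or from any IETF document. It implements a simplified VACM (RFC 3415) decision: the object keeps the MAX-ACCESS of read-create that its MIB module gives it, and a VACM access entry without a write view is what denies a SET at noAuthNoPriv. The OSPF-MIB arc 1.3.6.1.2.1.14 is real; the ".999" leaf, the object name ospfAuthEnableHypothetical, the user ospfadmin and the group ospfAdmins are assumptions, and view masks and context matching are omitted.

```python
"""Added example (not from the original message or any IETF document):
a simplified VACM (RFC 3415) access decision showing where the
"write only with authentication" rule belongs. The OSPF object name,
its OID leaf, the user and group names below are hypothetical."""
from dataclasses import dataclass

# SNMPv3 security levels in increasing order of protection.
SECURITY_LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

# Real OSPF-MIB arc (RFC 1850): 1.3.6.1.2.1.14. The ".999" leaf is a
# placeholder for a hypothetical "enable cryptographic authentication" object.
OSPF_MIB = (1, 3, 6, 1, 2, 1, 14)
OSPF_AUTH_ENABLE = OSPF_MIB + (999,)

# MAX-ACCESS is fixed by the MIB module and does not depend on which
# security mechanisms the agent implements: the object is read-create.
MIB_OBJECTS = {
    OSPF_AUTH_ENABLE: {"name": "ospfAuthEnableHypothetical", "max_access": "read-create"},
}


@dataclass(frozen=True)
class AccessEntry:
    group: str
    min_level: str   # vacmAccessSecurityLevel: lowest level this entry applies to
    read_view: str
    write_view: str  # empty string means "no write view" (RFC 3415: noSuchView)


@dataclass
class Vacm:
    groups: dict   # (securityModel, securityName) -> groupName
    access: list   # AccessEntry rows
    views: dict    # viewName -> [(subtree OID tuple, included?)]


def oid_in_view(views, view_name, oid):
    """Longest-prefix match over the view's subtrees (mask handling omitted)."""
    best = None
    for subtree, included in views.get(view_name, []):
        if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


def is_access_allowed(vacm, security_model, security_name, security_level, view_type, oid):
    """Return the RFC 3415 status name for a read or write on `oid`."""
    group = vacm.groups.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    level = SECURITY_LEVELS[security_level]
    candidates = [e for e in vacm.access
                  if e.group == group and SECURITY_LEVELS[e.min_level] <= level]
    if not candidates:
        return "noAccessEntry"
    # Among the applicable entries, the one with the highest securityLevel wins.
    entry = max(candidates, key=lambda e: SECURITY_LEVELS[e.min_level])
    view_name = entry.read_view if view_type == "read" else entry.write_view
    if not view_name:
        return "noSuchView"
    return "accessAllowed" if oid_in_view(vacm.views, view_name, oid) else "notInView"


def set_request(vacm, security_model, security_name, security_level, oid):
    """A SET is checked against the static MAX-ACCESS first, then against VACM."""
    obj = MIB_OBJECTS.get(oid)
    if obj is None:
        return "noSuchObject"
    if obj["max_access"] not in ("read-write", "read-create"):
        return "notWritable"          # MIB semantics: the object can never be written
    return is_access_allowed(vacm, security_model, security_name, security_level, "write", oid)


# Constructed policy: the group may read at any level but may write only
# once the request is at least authenticated (authNoPriv or authPriv).
POLICY = Vacm(
    groups={("usm", "ospfadmin"): "ospfAdmins"},
    access=[
        AccessEntry("ospfAdmins", "noAuthNoPriv", read_view="ospfView", write_view=""),
        AccessEntry("ospfAdmins", "authNoPriv", read_view="ospfView", write_view="ospfView"),
    ],
    views={"ospfView": [(OSPF_MIB, True)]},
)

if __name__ == "__main__":
    for level in SECURITY_LEVELS:
        print(level, "SET ->", set_request(POLICY, "usm", "ospfadmin", level, OSPF_AUTH_ENABLE))
```

Running the block prints noSuchView for noAuthNoPriv and accessAllowed for the two authenticated levels, with MAX-ACCESS untouched. The MIB-side counterpart of the suggestion in the message is a MODULE-COMPLIANCE clause that lists the object with MIN-ACCESS read-only, so an agent that offers no authenticated access can conform without writing a security mechanism into the object's DESCRIPTION.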