
Re: [ipcdn] draft-ietf-ipcdn-device-mibv2-01.txt

On Monday, April 22, 2002, at 01:24 , Andy Bierman wrote:

> At 03:27 AM 4/22/2002, Wijnen, Bert (Bert) wrote:
>> I am working on a revised text for the guideline.
>
> I object to the last statement in Ran's text proposal.
> It is one thing to point out the security vulnerabilities
> of SNMPv1 and SNMPv2c, but it is another thing to mandate
> the use of SNMPv3 (in the boilerplate section of a MIB
> document.)

My text does not mandate "use" but does mandate "implementation".
So my draft text places a burden on implementers/vendors,
but does not tell operators how to deploy their equipment.

That distinction is critical, IMHO.

> I do not object to mandating specific functionality.
> I object to mandating a specific solution for achieving
> that functionality.

	IETF standards are entirely about mandating specific
solutions (namely: IETF standards) for achieving
particular functions.  In this case, SNMPv3 is the
IETF standard approach to providing cryptographic
protection for SNMPv3 and for MIBs.

	So maybe I don't grok your objection.

> This statement seems to suggest that implementations must differentiate
> operations by security user (i.e., use VACM and USM).
> I think such features should not be mandated. SNMPv1(2c) over IPSEC should
> be considered secure enough.

	Not hardly secure enough, though I know that cisco is trying to
push that approach so they can sell a more proprietary approach
to SNMP and MIB security for their own profit reasons.

	Oh, and that text came out of a published IETF standards-track
MIB's security considerations text (already an RFC long since).
So I borrowed it from another author, credit where due.

Ran
rja@extremenetworks.com