
Re: Review: IESG Agenda and Package for January 22, 2004 Telechat



> > SNMP community strings are not passwords.  A better analogy is that an
> > SNMP community string is like a groupname to which multiple users
> > belong.  RFC 1157 says:
> > 
> >    An SNMP message originated by an SNMP application entity that in fact
> >    belongs to the SNMP community named by the community component of
> >    said message is called an authentic SNMP message.  The set of rules
> >    by which an SNMP message is identified as an authentic SNMP message
> >    for a particular SNMP community is called an authentication scheme.
> >    ...  Some SNMP implementations may wish to support only a trivial
> >    authentication service that identifies all SNMP messages as
> >    authentic SNMP messages.
> > 
> > So, with trivial authentication, the community string identifies a group
> > of originators, and any message which correctly identifies the group is
> > automatically authentic.
> 
> The quoted text talks several times about "authentication" of SNMP 
> messages. For most people, a string that is used to "authenticate" 
> a message is considered to be a password, regardless of whether this 
> string is to be shared by a group or not.
> 
> BTW, when I read the first time RFC 1157 many years ago, the concept
> of communities was the most puzzling thing for me to understand. It
> took some time until I realized that these are just passwords. ;-)

It's true that the non-technical definition, from a dictionary, e.g.,

   1: something that enables one to pass or gain admission: as a) a
   spoken word or phrase required to pass by a guard, b) a sequence of
   characters required for access to a computer system.

is close to the meaning of an SNMP community string.

But, I can't agree that a community string is close to the more technical
definition of a password where each user has a different password, and
knowing the password serves to authenticate you as that user.  In this
technical sense, a community string is closer to a username.  If you
had "realized that they are just" usernames, would that similarly
have triggered the understanding ??

So, my assertion is that describing an SNMP community string as a
password is only OK if the document in question is aimed at a
non-technical audience.

Keith.