
RE: Pls check: draft-rja-ripv2-auth-03.txt (Proposed Standard)



On Fri, 2 Dec 2005, Romascanu, Dan (Dan) wrote:
[ much good stuff snipped ]

I am in general agreement with Dan's comments:  it's perfectly
reasonable to say "use a key management protocol to manage
keys, not SNMPv3"  but it is less reasonable to demand that
there be no way to read e.g. authentication type via SNMPv3.

>   Also, the use of SNMP to configure which form of RIPv2
>   authentication is in use is also NOT RECOMMENDED because of a
>   similar cascading failure issue.  Any future revision of the
>   RIPv2 Management Information Base (MIB) should deprecate or omit
>   any MIB objects that would permit modification of the RIPv2
>   Authentication mode (e.g. none, cleartext password,
>   RIPv2 Cryptographic Authentication) in use.
> 
> This seems OK to me, but I would add a reference to the document that
> needs to be modified. It would also be useful to mention what means of
> configuration are acceptable.

FYI, the document in question is RFC 1724.  The offending object is
rip2IfConfAuthType.  It needs to have a new enum value added to
accommodate the new auth type specified in
draft-rja-ripv2-auth-03.txt.  In addition, the compliance statement
does not have a MIN-ACCESS for this read-create object;  at a
minimum, a new compliance statement should be written that allows
this object to be implemented as read-only.

rip2IfConfAuthKey is the object with the key, and it also lacks a
MIN-ACCESS clause.  Since this object always returns ''H when read,
it is reasonable for its MIN-ACCESS to be not-accessible.  (It would
also be OK to deprecate or obsolete the object, I think.)

//cmh
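As an added illustration of what the message above asks for (this is not text from the message, from RFC 1724, or from draft-rja-ripv2-auth-03.txt), here is the shape of a SMIv2 MODULE-COMPLIANCE statement that makes rip2IfConfAuthType implementable as read-only and rip2IfConfAuthKey as not-accessible. The compliance name, the OID arc, and the conformance group names (rip2GlobalGroup, rip2IfStatGroup, rip2IfConfGroup) are assumptions about the RFC 1724 module layout and must be checked against the actual RIPv2-MIB before use; the new enumerated value for the cryptographic authentication type is left as a comment rather than given an invented label.

```asn1
-- Added example, not from RFC 1724 or the draft.  Group names and the
-- OID assignment below are assumed and must be verified against RIPv2-MIB.
rip2ReadOnlyAuthCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "Compliance statement for RIPv2 agents that do not permit the
         authentication mode or key to be changed via SNMP.  Keys are
         expected to be provisioned by a key management protocol or by
         local configuration, not by SNMP SET operations."
    MODULE  -- this module (RIPv2-MIB)
        MANDATORY-GROUPS { rip2GlobalGroup, rip2IfStatGroup, rip2IfConfGroup }

        OBJECT      rip2IfConfAuthType
        -- SYNTAX would also list the additional enumerated value for the
        -- cryptographic authentication type defined in the draft, once
        -- that value is assigned in a revised RIPv2-MIB.
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required.  An agent MAY implement this
             object as read-only so that the authentication mode cannot
             be changed via SNMP, avoiding the cascading-failure case in
             which SNMP is used to disable or weaken RIPv2 authentication."

        OBJECT      rip2IfConfAuthKey
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "Neither read nor write access is required.  Reads already
             return a zero-length string, so omitting the object entirely
             loses nothing, and removing write access keeps key material
             out of SNMP altogether."

    ::= { rip2Compliances 2 }   -- assumed arc; check the module's actual OIDs
```

The OBJECT clauses refine only the agent-side minimum; a manager still compiles the original MAX-ACCESS of read-create, so existing management software keeps working against agents that choose the stricter implementation.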