
RE: comments



You're right: anywhere you have a "should", if you REALLY want it,
you're going to have to say "MUST". Vendors will at least try to implement all
the musts if we (the collective community) demand compliance with this RFC.

As for default passwords, I don't see that as a vendor issue.
Everything comes with defaults. The end user MUST change them.
Maybe the vendors should document the need to change the defaults.
But for example the Cisco default has been WELL documented for a long time.
In fact there isn't a default password in most Cisco routers.
Every one of their install manuals I have ever read strongly encourages the
user to choose a hard-to-guess password. Many users just type the
cisco password from the install manual.


-----Original Message-----
From: Dan Hollis
To: opsec@ops.ietf.org; opsec@psg.com
Sent: 6/13/2003 6:26 PM
Subject: re: comments

2.3.12 Ability to Disable Directed Broadcasts
'These SHOULD be the default settings.'

s/SHOULD/MUST/

If you give vendors leeway to make stupid defaults, they WILL choose the
stupid ones. History has conclusively proven this. Look at all the open
smtp relays, and open proxies out there.

This RFC MUST be far more anal with defaults.

Basically, the opsec RFC should mandate that a device plugged into a
network with its default settings and no changes from defaults whatsoever
MUST NOT be able to be exploited or used for any known attack.

There doesn't seem to be anything regarding default passwords, which is a
known avenue of attack on many devices.

-Dan