Re: draft-jones-opsec-01.txt comments: in-band management

["Joel N. Weber II" <ietf-opsec@joelweber.com>]

I wonder if it would make sense to explicitly mandate specific
encryption protocols for in-band management protocols.  For example,
for devices that support an in-band CLI, we could require sshv2.
There's a specific IETF-standardized secure syslog protocol, and
perhaps devices should be required to implement that.  I think some
version of SNMP gains certain sorts of security guarentees (though
perhaps not all the security guarentees one wants, but debating that
is beyond the scope of opsec), and perhaps implementing that should be
mandated.

Part of what I'm concerned about is that it would be easy to write the
opsec document such that good old telnet, run on top of IPsec, would
meet the requirements for secure in-band management.  I'm not sure
that that's actually all that useful though; I don't think I've ever
met anyone in the real world who's claimed to succeed at getting two
IPsec implementations that don't share a common source base to
interoperate usefully, and every now and then I talk to friends who
have just as much interest in switching from PPTP to IPsec as they did
a few years ago, if only they could figure out how to make IPsec work.

But the other thing is that it seems like if I have a laptop computer
with a usb to rs-232 adapter, and an RJ-45 ethernet port, and some
basic set of software, and the right collection of ethernet and serial
cables, that ought to be sufficient to manage any arbitrary network
device.  If there aren't several separate implementations of adaquate
software based on separate code bases, then it probably isn't really
all that standardized and non-proprietary...