
Re: draft-jones-opsec-01.txt comments: in-band management



On Wed, 22 Oct 2003, Joel N. Weber II wrote:

> I wonder if it would make sense to explicitly mandate specific
> encryption protocols for in-band management protocols.  For example,
> for devices that support an in-band CLI, we could require sshv2.
> There's a specific IETF-standardized secure syslog protocol, and
> perhaps devices should be required to implement that.

So, the approach I've been taking is to make the requirement
generic "secure in band management" with the example citing
one or more current technologies/practices as SUGGESTIONS
of ways to meet the requirement.   The idea is that SSH
or IPsec or RADIUS/DIAMETER/KERBEROS may not be the best
way to implement FOO 5 years from now and we want the
requirement (but probably not the implementation) to
age as gracefully as possible.

If people have suggestions for ways to tie the current
implementations more strongly to the requirements
without precluding better implementations later, I'm all for
it.

I'd love to say "SSH, no telnet", "SNMPv3, no SNMPv1",
"SCP/SFTP, no TTP".

[more later...gotta go...looks like I may be editing past Friday
at this rate]

Thanks,
----George