[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments

To: gmj@pobox.com
Subject: Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
From: "Joel N. Weber II" <ietf-opsec@joelweber.com>
Date: Thu, 23 Oct 2003 14:06:16 -0400
Cc: "Joel N. Weber II" <ietf-opsec@joelweber.com>, opsec@ops.ietf.org
In-reply-to: <Pine.LNX.4.53.0310231024200.30306@mall.pulltheplug.com> (message from George Jones on Thu, 23 Oct 2003 11:17:15 -0400 (EDT))
References: <E19pxTV-0004du-00@xanthine.gratuitous.org> <Pine.LNX.4.53.0308261246570.12054@mall.pulltheplug.com> <E19zpMk-0007kg-00@xanthine.gratuitous.org> <Pine.LNX.4.53.0309180944000.14813@mall.pulltheplug.com> <E1ACWBb-0003li-00@xanthine.gratuitous.org> <Pine.LNX.4.53.0310231024200.30306@mall.pulltheplug.com>

> > What I was thinking about there was more what sort of infrastructure
> > you could afford to rely on for the different classes of users.  There
> > are some authentication technologies out there which simply cannot
> > work when the only thing on the device that's working is an ASCII
> > console port.  Yet some of those technologies that require some more
> > infrastructure are more usable/scalable in a large environment.
>
> e.g. biometrics, remote auth-servers (no IP to reach them), others ?

Yeah.  I was mostly thinking of remote authentication servers
(Kerberos, RADIUS, on line verification that a certificate hasn't been
revoked, etc), though.  I don't know anything about how biometrics
work wrt interfacing to computers/network devices, so I can't comment
on that.

An interesting question is whether it's ever appropriate to rely on a
remote auth server if the server lives on the management network side
of your universe, if you have a management network.  If there's an
auth server in every POP with a local copy of the database, or perhaps
two such servers, can you make a reasonable argument that you
absolutely must have a strictly local authentication method?

(Of course, the inevitable problem with that is that one year, someone
will decide to renumber one of the auth servers, and forget to update
some device.  That device will keep working, because the other auth
server is there, until two years later that auth server that the
device was still talking to finally randomly breaks...)

> I think what's missing is something that specifies a local enable
> password (in IOS terms) or root user (unix) that will *always*
> work, network or no, special devices or no...that and possibly
> "password recovery" functionality with physical access.

yeah, something like that.

You always need to have a way to recover if the password is long lost,
but maybe that doesn't need to imply giving you a copy of the
configuration that had been on the device.

I suspect we want to require that there always be a way to get full
access to change the configuration on the device on the OOB management
port without rebooting it, and without the device consulting any other
devices to determine authentication.

References:
- Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
  - From: George Jones <gmj@pobox.com>
- Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
  - From: "Joel N. Weber II" <ietf-opsec@joelweber.com>
- Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
  - From: George Jones <gmj@pobox.com>
- Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
  - From: "Joel N. Weber II" <ietf-opsec@joelweber.com>
- Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
  - From: George Jones <gmj@pobox.com>

Prev by Date: Re: More BCP: revenge of RS232 and CLIs
Next by Date: Re: draft-jones-opsec-01.txt comments: in-band management
Previous by thread: Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
Next by thread: Re: draft-jones-opsec-01.txt comments: in-band management
Index(es):
- Date
- Thread