[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-jones-opsec-01.txt comments: in-band management

To: gmj@pobox.com
Subject: Re: draft-jones-opsec-01.txt comments: in-band management
From: "Joel N. Weber II" <ietf-opsec@joelweber.com>
Date: Thu, 23 Oct 2003 14:19:42 -0400
Cc: "Joel N. Weber II" <ietf-opsec@joelweber.com>, opsec@ops.ietf.org
In-reply-to: <Pine.LNX.4.53.0310231124410.30306@mall.pulltheplug.com> (message from George Jones on Thu, 23 Oct 2003 11:33:21 -0400 (EDT))
References: <E19pxTV-0004du-00@xanthine.gratuitous.org> <Pine.LNX.4.53.0308261246570.12054@mall.pulltheplug.com> <E19zpMk-0007kg-00@xanthine.gratuitous.org> <Pine.LNX.4.53.0309180944000.14813@mall.pulltheplug.com> <E1ACWXM-0003oC-00@xanthine.gratuitous.org> <Pine.LNX.4.53.0310231124410.30306@mall.pulltheplug.com>

> So, the approach I've been taking is to make the requirement
> generic "secure in band management" with the example citing
> one or more current technologies/praticies as as SUGGESTIONS
> of ways to meet the requirement.   The idea is that SSH
> or IPsec or RADIUS/DIAMETER/KERBEROS may not be best
> way to implement FOO 5 years from now and we want the
> requirement (but probably not the implementation) to
> age as gracefully as possible.
>
> If people have suggestions for ways to tie the current
> implementations more strongly to the requirements
> without precuding better implemetaionts later, I'm all for
> it.
>
> I'd love to say "SSH, no telnet", "SNMPv3, no SNMPv1",
> "SCP/SFTP, no TTP".

We can always update the document in five years.  The C in BCP does
stand for something...

RADIUS/DIAMETER/KERBEROS may be something where we don't want to
mandate any one protocol, and be very deliberately vague.

I suspect we can easily get rough consensus that SSH is the only
widely deployed secure remote terminal protocol, and therefore it is a
reasonable lowest common denominator that everyone should support.  If
something better comes along three years from now, vendors can
implement that in addition to the required SSH.  (And we should
probably explicitly say SSHv2.  What I've seen of the SSH working
group leaves me with the impression that the SSHv2 protocol is
generally quite adaquate, and it seems to generally have extensibility
in the right places, more or less, and I'm kind of skeptical that we
will ever see an SSHv3 protocol.)

Has anyone got experience with the syslog-sign protocol, and the
reliable delivery protocol for syslog?

Is there anyone who's actually going to object if we mandate that STFP
and SNMPv3 be available?

(I'm assuming that the old insecure protocols can be left available at
the vendor's discretion, as long as they aren't enabled by default.)

Follow-Ups:
- Re: draft-jones-opsec-01.txt comments: in-band management
  - From: ericb@digitaljunkyard.net

References:
- Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
  - From: George Jones <gmj@pobox.com>
- Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
  - From: "Joel N. Weber II" <ietf-opsec@joelweber.com>
- Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
  - From: George Jones <gmj@pobox.com>
- Re: draft-jones-opsec-01.txt comments: in-band management
  - From: "Joel N. Weber II" <ietf-opsec@joelweber.com>
- Re: draft-jones-opsec-01.txt comments: in-band management
  - From: George Jones <gmj@pobox.com>

Prev by Date: Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
Next by Date: Re: More BCP: revenge of RS232 and CLIs
Previous by thread: Re: draft-jones-opsec-01.txt comments: in-band management
Next by thread: Re: draft-jones-opsec-01.txt comments: in-band management
Index(es):
- Date
- Thread