Re: draft-jones-opsec-01.txt comments: in-band management
On Thu, 23 Oct 2003, Joel N. Weber II wrote:
> It seems like opsec is not really the right scope to be mandating
> lowest common denominator profiles for IPsec. I think we ought to be
> able to just say ``IPsec'', and let the IPsec people take care of the
> rest.
Thank you. Agreed.
> opsec is about listing existing technologies that actually
> already work,
I might add work well, work simply, work widely, work without the
need for endless debates/drafts/training classes/armies of
consultants. SSH "just works". Syslog (for all its faults)
works...mostly. RADIUS and TACACS work.
> and specifying that it is important to implement them,
> mostly.
>
> Of course, if someone can speak up and say ``I've been using these
> IPsec implementations that come from these diverse source bases, with
> this profile, and I find it works well, and opsec should use this
> profile'', then I think we should consider that.
Right. If someone can show success stories of quick, painless rollout
of IPsec in a large multi-vendor environment without the need to get
vendors and testing labs involved to resolve incompatibilities and
point to a 5 page or less "Here's how I did it, and how you can do it too"
writeup, I'd be willing to be convinced.
Thanks,
--George