[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments

To: opsec <opsec@ops.ietf.org>
Subject: Re: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
From: ericb@digitaljunkyard.net
Date: 24 Oct 2003 22:54:51 +0000
In-reply-to: <Pine.LNX.4.53.0310241731490.18528@mall.pulltheplug.com>
References: <0AAF93247C75E3408638B965DEE11A7002716E71@i2km41-ukdy.domain1.systemhost.net> <Pine.LNX.4.53.0310241731490.18528@mall.pulltheplug.com>
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley)

 "gj" == George Jones <gmj@pobox.com> writes:

>> I suspect we want to require that there always be a way to get full
>> access to change the configuration on the device on the OOB
>> management port without rebooting it, and without the device
>> consulting any other devices to determine authentication.

gj> without rebooting ?

Do you mean something similar to configuring RADIUS for normal usage
(including OOB serial console), but with a fallback to some fixed
local authenticator in case of RADIUS failure?

Or do you mean ability to do password recovery without rebooting?

I'd agree with the first, disagree with the second.

I think it should be "MUST be possible to configure", not "MUST be
possible".  I can see environments where fixed local authenticators
are less desireable than access when the AAA protocol is down.

ericb

References:
- RE: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
  - From: <nick.edwards@bt.com>
- RE: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
  - From: George Jones <gmj@pobox.com>

Prev by Date: RE: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
Next by Date: Re: draft-jones-opsec-01.txt comments: in-band management
Previous by thread: RE: [spam score 5/10 -pobox] draft-jones-opsec-01.txt comments
Next by thread: Why can't all my routers do FOO ?
Index(es):
- Date
- Thread