
RE: comments on draft-jones-opsec-02




http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC



> -----Original Message-----
> From: owner-opsec@psg.com [mailto:owner-opsec@psg.com]On Behalf Of
> George Jones
> Sent: Friday, November 21, 2003 3:14 PM
> To: Mike O'Connor
> Cc: opsec@ops.ietf.org
> Subject: Re: comments on draft-jones-opsec-02
> 
> 
> [Reply CCed to opsec with permission ---gmj]
> 
> On Thu, 20 Nov 2003, Mike O'Connor wrote:


<SNIP>
> >
> > How about "General purpose hosts not acting as a router/switch"?
> > "I run NTP on my router" shouldn't mean it's less of a router for
> > purposes of applying these sorts of things.  That's common sense,
> > but I think less wiggle-room is in order.
> 
> Changed to:
> 
>   "General purpose hosts that do not transit traffic"

What about a one-armed BGP peering router? It wouldn't transit traffic, but I want it to adhere
to the network element (router) requirements.


<SNIP> 
> 
> > 2.4.6/2.4.8
> >
> > These imply that a router/switch much support a way to extract
> > passwords to a remote config file.  2.4.8 specifies that it is
> > human-readable no less, though perhaps encrypted password fields
> > count for something.  This may be at odds with how some vendor
> > implemented passwording.  Suppose a vendor scribbles the password
> > on a PROM or logic board they _can't_ extract from.  Saving a
> > remote config wouldn't save the passwords and would violate 2.4.6.

Then how do they read it? If you can read it, you can extract it. Are you talking two-factor
crypto? (Even then, to decrypt data you need to be able to read the secret key.)

This does bring up an issue that is probably addressed, but I don't recall.
There needs to be a reasonable method to update the passwords (other than etching an EEPROM).


> 
> Added "Sensitive information such as passwords that could be used to
> compromise the security of the device MAY be excluded from the saved
> configuration" to 2.4.6 and 2.4.8.
> 
<SNIP>
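The 2.4.6/2.4.8 exchange above turns on one operational detail: a saved, human-readable configuration should not carry the device's credentials off the box. The following is an added illustration and is not code from this thread, from the draft, or from any vendor. It uses a constructed IOS-like sample configuration and hypothetical line patterns to show a "save configuration" routine that applies the draft's "MAY be excluded" clause, plus the check an operator would run on the saved copy before it is stored or mailed around. Hashed password fields are treated as sensitive as well, since a hash in a leaked config can still be attacked offline.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample running configuration. The IOS-like syntax is only an
# illustration; none of these names, addresses or hash values come from a
# real device.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$exmpl$notarealhashvalue000000000/
username admin privilege 15 secret 5 $1$exmpl$notarealhashvalue111111111/
snmp-server community ExampleCommunity RO
ntp server 192.0.2.10
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
router bgp 64496
 neighbor 192.0.2.2 remote-as 64497
 neighbor 192.0.2.2 password ExamplePeerKey
"""

# Hypothetical patterns (assumption, not any vendor's grammar) for lines
# that carry credentials. Hashed/"encrypted" fields are included on purpose.
SENSITIVE_LINE_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("enable-secret", re.compile(r"^\s*enable (secret|password)\b")),
    ("username-secret", re.compile(r"^\s*username \S+ .*\b(secret|password)\b")),
    ("snmp-community", re.compile(r"^\s*snmp-server community\b")),
    ("bgp-neighbor-password", re.compile(r"^\s*neighbor \S+ password\b")),
]


def classify_line(line: str) -> Optional[str]:
    """Return the sensitivity label for a config line, or None if it is benign."""
    for label, pattern in SENSITIVE_LINE_PATTERNS:
        if pattern.search(line):
            return label
    return None


def save_configuration(running: str, exclude_sensitive: bool = True) -> Tuple[str, List[str]]:
    """Produce the text to be saved off-box.

    With exclude_sensitive=True every credential-bearing line is replaced by a
    comment that records *what* was left out (so the operator knows what must
    be re-entered on restore) without recording the value itself.
    Returns (saved_text, labels_of_excluded_lines).
    """
    out: List[str] = []
    excluded: List[str] = []
    for line in running.splitlines():
        label = classify_line(line)
        if label is not None and exclude_sensitive:
            indent = line[: len(line) - len(line.lstrip())]
            out.append(f"{indent}! {label}: excluded from saved configuration")
            excluded.append(label)
        else:
            out.append(line)
    return "\n".join(out) + "\n", excluded


def leaked_secrets(saved: str) -> List[str]:
    """Check to run on the saved copy before it leaves the device or the
    operator's workstation: any line still matching a sensitive pattern is
    a leak. Returns the offending lines (empty list means clean)."""
    return [line for line in saved.splitlines() if classify_line(line) is not None]


if __name__ == "__main__":
    saved, excluded = save_configuration(SAMPLE_RUNNING_CONFIG)
    print(saved)
    print("excluded:", excluded)
    print("leaks in saved copy:", leaked_secrets(saved))
```

The check in `leaked_secrets` is the part worth keeping even if the save routine is a vendor's: it is cheap to run on every exported config and catches the case the thread worries about, a "human-readable" saved configuration that quietly includes the device's passwords.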