
Re: Response to opsec issues raised by Russ White



On Fri, 26 Mar 2004, Russ White wrote:

> > rw> Should you refer to the idr draft about choosing good MD5 keys at some point in the 2.2.3 area, maybe?
> >
> > I-D.orman-public-key-lengths ?
> >
> > That's about key lengths and strength, and hence cited in 2.2.2 which is
> > about cryptographic strength.  2.2.3 is about open review of protocols.
>
> I was thinking about 3562. I don't know if that would fit in here anyplace,
> but it might be a useful reference (?).

Citation added.  Thanks.

> > rw> 2.4 Configuration and Management Interface Requirements
> > rw>
> > rw> I think you need better justification for this section than what
> > rw> you've given here. This section is more of a wish list of what the UI
> > rw> should support, and there seems to be little justification given
> > rw> for why these things make a network more secure (?).
> >
> > I disagree.   I just re-read all the justification sections in 2.4.x
> > and I think each one of them gives adequate security-related rationale
> > for the individual requirement.   Show me which ones you think are weak
> > on security rationale?
>
> Well, why is it important that the interface be scriptable or
> programmatic?

One word: scale.

I reworded the justification:

04>   Justification.
04>
04>      During the handling of security incidents, it is often necessary
04>      to quickly make configuration changes on large numbers of
04>      devices.  Doing so manually is error prone and slow.  Vendor
04>      supplied management solutions do not always foresee or address
04>      the type or scale of solutions that are required.  The ability
04>      to script provides a solution to these problems.

> Thanks!

Thank you.

---George Jones