
RE: ISMS working group and charter problems

2005-09-07 12:08:35
At 12:26 AM +0200 9/7/05, Harald Tveit Alvestrand wrote:
I believe that the ISMS WG's proposal is about ADDING the
possibility of SNMP over TCP, not about CHANGING SNMP to use TCP.
UDP will still work.

From: Margaret Wasserman [mailto:margaret(_at_)thingmagic(_dot_)com] 
That is correct.  UDP and the current SNMPv3 USM security mechanisms 
will still work.  They will also remain mandatory parts of SNMPv3.

Whoa, now, Margaret. Your statement is technically accurate that
traditional SNMPv3 USM will hopefully co-exist with ISMS indefinitely,
and therefore SNMP-over-UDP will remain viable within the historic USM
context. However, your statement is inaccurate within the context of
this discussion, which is ISMS.

I actively supported the formation of the ISMS WG through a series of
BOFs because I concluded years ago that SNMPv3 USM is inadequately
securable for large deployments (doesn't scale, no PFS, symmetric key
distribution problems, etc.), requires us to deploy a unique SNMP-only
authentication/authorization system that doesn't integrate with any
enterprise wide alternative, and is therefore needlessly expensive and
of dubious value within multi-vendor environments. 

By coupling ISMS with SSH, which currently only operates over TCP, the
current ISMS solution being forwarded by the WG is TCP-dependent. TCP
doesn't operate effectively in all parts of the deployments with which
I am associated. That is why I have been trying to encourage the WG to
enable ISMS to be flexibly designed to be deployable in a wide variety
of environments in a locally-appropriate manner (i.e., use TCP where it
works well and UDP where it works well). This has not happened.

--Eric

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf