Re: ISMS working group and charter problems

2005-09-08 14:29:55
Hi Juergen,

2) It is important to talk about ssh and to not reduce the problem to
   just TCP. ...

This is very true.  Your SNMP-over-TCP (RFC 3430) is still based on
each message carrying all of its own security.  In contrast, the not
yet complete proposal for SNMP-over-SSH is different because each SNMP
message is going to inherit security properties from the SSH session.
So, for example, if requests are allowed to be sent in both directions
across the same session, then a request sent in one direction across a
session is sent by the same user as a request sent in the other
direction over the same session.

I agree with those who said that CH is an architectural change and I
have yet to see a concrete proposal how CH via ssh can be achieved.
 
As I see it, to prevent SNMP-over-SSH from being the same architectural
change, constraints need to be imposed on which SNMP messages can be
sent in which direction on an SSH session.  The decision on whether to
have such constraints is within the proposed scope of the WG.  Thus,
that architectural change is within the scope of the WG, and therefore
requiring the same architectural change is not a valid reason to rule
Call Home out-of-scope.

Keith.
