Re: [Isms] Transport protocol discussion

To: Wes Hardaker <hardaker at tislabs.com>
Subject: Re: [Isms] Transport protocol discussion
From: Juergen Schoenwaelder <j.schoenwaelder at iu-bremen.de>
Date: Tue, 2 Aug 2005 12:48:23 +0200
Cc: dbharrington at comcast.net, isms at ietf.org
In-reply-to: <sdoe8giswu.fsf@wes.hardakers.net>
List-archive: <http://www1.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@lists.ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-post: <mailto:isms@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
Mail-followup-to: Wes Hardaker <hardaker at tislabs.com>, EKR <ekr at rtfm.com>, dbharrington at comcast.net, isms at ietf.org
References: <200508011412.KAA11431@ietf.org> <867jf5bppx.fsf@romeo.rtfm.com> <sdoe8giswu.fsf@wes.hardakers.net>
Reply-to: j.schoenwaelder at iu-bremen.de
Sender: isms-bounces at lists.ietf.org
User-agent: Mutt/1.5.9i

On Tue, Aug 02, 2005 at 02:34:25AM -0700, Wes Hardaker wrote:

[...]

> My worry is that coding that human decision process about when to
> restart a broken TCP session because recovery will be faster by
> restarting than waiting for the TCP stack to fix the session will be
> impossible.  I'm not at all convinced that TCP sessions are stable,
> based on my experience over the last few years.  I do think they've
> gotten better, but I'm not willing to bet the management of my network
> on it.

SNMP stacks usually come with a default retry/timeout strategy and
they report some 'noResponse' error once you have had your retries.
What happens next is either left to a human or some magic - I am not
sure there is at the end that much difference in the magic here.

[Yes, there are several technical differences I am ignoring here,
 but the point is that even with SNMPv1 you have to have some logic
 do deal with situations where your network is in trouble.]

We simply have to give up the idea of a "one size fits all" security
model. There are several trade offs to be made and operational
requirements differ between environments.

Personally, I see practical value in SNMP/SSH because it would enable
me to transition to a secure version of SNMP with close to zero
deployment costs. Eric Fleischman lives in a different environment and
he surely likes to have SNMP/Kerberos because it allows him to
transition to a secure version of SNMP with close to zero deployment
costs.

The question for me is whether we want to enable people to make such
"close to zero deployment costs" transitions to secure SNMP or whether
we continue to work on the "one size fits all" security approach,
something we have been doing not too successful for more than a dozent
years now.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany

_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

References:
- [Isms] Transport protocol discussion
  - From: David B Harrington
- Re: [Isms] Transport protocol discussion
  - From: Eric Rescorla
- Re: [Isms] Transport protocol discussion
  - From: Wes Hardaker

Prev by Date: Re: [Isms] Transport protocol discussion
Next by Date: Re: [Isms] Comments on the BTSMS proposal
Previous by thread: Re: [Isms] Transport protocol discussion
Next by thread: RE: [Isms] Transport protocol discussion
Index(es):
- Date
- Thread

Re: [Isms] Transport protocol discussion

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.