RE: [Isms] #2: is server authentication a requirement that SNMP will require
Hi Juergen,
Please find my reply inline.
<snipped>
Management applications at the very end also have a human being
involved. I don't see a reason why a management application can't do the
same as my ssh client does when you hit a box you have not talked to
before. Initiate a dialog with a human decision maker, open a ticket in
a trouble ticket system or whatever the app writer seeks appropriate to
get an OK to accept the key. This is all implementation detail for me.
<Kaushik>
Although management applications have a human involved, the
communication with the device might not happen in real time. Almost all
changes to the network (configuration) and all collection (inventory,
fault, performance) of data from the network happens at a time that is
least disruptive to the network. Also there are cases wherein devices
need to be pre-provisioned where the operator might not be in the loop
when the sign-of-life shows up from the device.
This does raise the requirement for the public keys being available to
the NMS before communication to the device happens. This will have to be
done manually for a start, and X.509 cert support in SSH will reduce
this administrative burden. Again, these may well be seen outside the
realm of SSHSM but I think we need to make sure that operators are aware
of the administrative chores required to deploy SSHSM since deployment
was a key barrier to entry for USM and a main reason why ISMS was
created.
Regards,
kaushik!
_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
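
Added example, not part of the original message or of any ISMS/SSHSM code: a pre-flight check an NMS could run before an unattended batch window, listing devices that have no host key pinned yet so the job skips them instead of accepting an unknown key. It assumes the keys are kept in an OpenSSH-style known_hosts file (plain or hashed entries); the host names, key blobs and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac


def hashed_pattern(name: str, salt: bytes) -> str:
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def entry_matches(pattern: str, name: str) -> bool:
    """Exact match only; wildcard patterns never count as a pin (fail closed)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), name.encode(),
                       hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return name in pattern.split(",")


def pinned_key_types(known_hosts: str, host: str, port: int = 22) -> set:
    """Key types pinned for host:port; non-default ports use [host]:port."""
    name = host if port == 22 else "[%s]:%d" % (host, port)
    types = set()
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments and marker lines (@revoked, @cert-authority):
        # none of them is a host-key pin.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if entry_matches(fields[0], name):
            types.add(fields[1])
    return types


def preflight(known_hosts: str, inventory: list) -> list:
    """Devices with no pinned key; the unattended job must not contact these."""
    return [(h, p) for h, p in inventory if not pinned_key_types(known_hosts, h, p)]


# Constructed sample data: key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# pinned during staging",
    "rtr1.example.net,192.0.2.1 ssh-ed25519 AAAA-constructed-1",
    "[sw2.example.net]:2222 ssh-ed25519 AAAA-constructed-2",
    hashed_pattern("fw3.example.net", b"constructed-salt") + " ssh-rsa AAAA-constructed-3",
    "@revoked old.example.net ssh-rsa AAAA-constructed-4",
])
```

Note that a key pinned for a non-default port does not cover the same host on port 22, and a pre-provisioned device that is not in the file is reported rather than trusted when it first shows up.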