RE: [Isms] #2: is server authentication a requirement that SNMP will require



Hi Sam,

Please find my reply inline.

<snipped> 

First, leap of faith (trust the first hostkey you get) probably would be
sufficient for this situation.

Second, I do understand the value of PKI.  I understand that in some
environments it will be used.  ISMS needs to support that.

But the charter goal of ISMS is to work with authentication people use
today.  Today, people do not use X.509 with ssh.  No matter how much
you, I or anyone else wants them to, it simply is not what people
currently do.  So, while ISMS should support it, and while you can (and
should when appropriate) sell products that rely on it, it cannot be our
primary focus.

<Kaushik>

Today the predominant management protocol beyond SNMP (and Syslog) is a
human interface (CLI) where the use of SSH with host keys will work just
fine since the operator is in the loop. The use of CLI as a programmatic
interface within our NMS systems requires manual provisioning of the
device host keys, and this is a significant overhead when managing
thousands of devices. Additionally, pre-provisioning is a major use case
within network management systems, where the device host keys are not
known in advance.

Also, even if X.509 is not in use for SSH, other management protocols
that use TLS such as Syslog and NetConf (over BEEP, SOAP) will move
devices in that direction.

Regards,
  kaushik!

_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms



