RE: [Isms] #32: is the securityName=username default OK?



Uri Blumenthal writes...

> You wanted an example of such a security model - you were provided an
> example (which, as I said, was implemented and deployed - though not
> widely).

OK, fair enough.

> > Sigh.  Having chosen SSH as the security transport, let's not 
> > lose sight of the fact that the original problem was to 
> > integrate SNMPv3 security with existing authentication 
> > infrastructures.
> 
> Which for some are local password files.

I guess a local password file is a *form* of infrastructure.   IMHO, a
degenerate case.

> > That has to include AAA systems, as well as KDC systems.
> 
> But not PKI? :-)

Many AAA systems will back-end to PKI and use X.509 certificates as
credentials.

> People apparently aren't bothered by "scalability" - they simply don't
> want YET ANOTHER infrastructure to manage.

OK.  I'll agree that describes a segment of the user population.
Although I certainly hope that somebody cares about scalability!  :-)

> If today they're happy with local password files (or domain 
> logins) - that's what they want SNMP to use for security. Of 
> course Kerberos users want Kerberos, and AAA users want AAA.

Yes.  As long as the Kerberos users and AAA users aren't saddled with
the requirement to implement and configure localized user authentication
information in the managed entity, I suppose that's all fine.


_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms



