
[midcom] security recommendations in MIDCOM MIB draft



Dear all,

The MIDCOM MIB is progressing and currently under IESG review.
Tim Polk made a comment that I would like to discuss here on this list.

In the draft, we explicitly state that a MIDCOM MIB implementation
MUST support SNMPv3.  However, we pass the responsibility of switching
on SNMPv3 to the operator.  The operator may still run SNMPv1 or SNMPv2
if security is provided otherwise:

 "Compliant MIDCOM MIB implementations MUST support SNMPv3 security
  services including data integrity, data origin authentication and
  data confidentiality.

  It is REQUIRED that the implementations support the security features
  as provided by the SNMPv3 framework.  Specifically, the use of the
  User-based Security Model RFC 3414 [RFC3414] and the View-based
  Access Control Model RFC 3415 [RFC3415] is RECOMMENDED.

  It is then a customer/operator responsibility to ensure that the SNMP
  entity giving access to an instance of this MIB, is properly
  configured to give access to the objects only to those principals
  (users) that have legitimate rights to indeed GET or SET
  (change/create/delete) them."

Now, Tim suggests explicitly deprecating the use of (insecure) previous
versions of SNMP, for example with a phrase like

 "Deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED.
  Instead it is RECOMMENDED to deploy SNMPv3 and to enable
  cryptographic security."

Are there any opinions about adding such a phrase to the security
considerations?

Thanks,

   Juergen
--
Juergen Quittek        quittek at netlab.nec.de       Tel: +49 6221 4342-115
NEC Europe Limited,    Network Laboratories        Fax: +49 6221 4342-155
Kurfuersten-Anlage 36, 69115 Heidelberg, Germany   http://www.netlab.nec.de
Registered Office: NEC House, 1 Victoria Road, London W3 6BL, UK
Registered in England 2832014
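As an added illustration of what the quoted requirement and Tim's proposed phrase mean in practice (this is not part of Juergen's message, the MIDCOM MIB draft, or any IETF text), the following Python audits a Net-SNMP style snmpd.conf and reports the settings an operator would have to remove to comply: SNMPv1/v2c community-string directives (cleartext, no data origin authentication), USM users and VACM access rules that do not require the authPriv level, and createUser lines with no privacy key. The two configuration fragments are constructed samples; the directive syntax assumed is Net-SNMP's (rocommunity/rwcommunity, com2sec, createUser, rouser/rwuser, group, access), and the VACM view is left at the mib-2 subtree with a comment because the MIDCOM-MIB's own OID is not given here.

```python
import shlex
from dataclasses import dataclass

# Constructed sample: SNMPv1/v2c community-string access plus a USM user
# that does not require authentication. Not taken from the draft or the list.
WEAK_CONF = """
# community strings travel in cleartext and authenticate nothing
rocommunity public
rwcommunity private 192.0.2.0/24
com2sec readonly default public
rouser monitor noauth
"""

# Constructed sample: SNMPv3 USM user with SHA authentication and AES privacy,
# restricted by VACM to a view and required to use the authPriv level.
# Passphrases are placeholders; the view is mib-2 because the MIDCOM-MIB OID
# is not stated on this page (narrow it to the MIDCOM-MIB subtree in practice).
HARDENED_CONF = """
createUser midcomAdmin SHA "auth-passphrase-PLACEHOLDER" AES "priv-passphrase-PLACEHOLDER"
view midcomView included .1.3.6.1.2.1
rwuser midcomAdmin priv -V midcomView
"""

# Net-SNMP directives that enable pre-SNMPv3 (community-based) access.
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                        "rwcommunity6", "com2sec", "com2sec6"}
USER_DIRECTIVES = {"rouser", "rwuser"}
SECURITY_LEVELS = {"noauth", "auth", "priv"}
PRE_V3_MODELS = {"v1", "v2c"}


@dataclass(frozen=True)
class Finding:
    lineno: int
    directive: str
    reason: str


def audit_snmpd_conf(text: str) -> list[Finding]:
    """Return every line that contradicts 'SNMPv3 with cryptographic security only'."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        tokens = shlex.split(line)  # shlex keeps quoted passphrases as one token
        directive = tokens[0].lower()

        if directive in COMMUNITY_DIRECTIVES:
            findings.append(Finding(lineno, directive,
                "enables SNMPv1/v2c community access: cleartext, no origin authentication"))

        elif directive in USER_DIRECTIVES:
            # rouser/rwuser USER [noauth|auth|priv ...]; Net-SNMP defaults to 'auth',
            # which authenticates but does not encrypt.
            level = tokens[2].lower() if len(tokens) > 2 and tokens[2].lower() in SECURITY_LEVELS else "auth"
            if level != "priv":
                findings.append(Finding(lineno, directive,
                    f"USM user allowed at level '{level}'; data confidentiality requires 'priv'"))

        elif directive == "createuser":
            # createUser USER [AUTHPROTO AUTHPASS [PRIVPROTO PRIVPASS]] (the -e ENGINEID
            # option is assumed absent); fewer than 6 tokens means no privacy key exists.
            if len(tokens) < 6:
                findings.append(Finding(lineno, directive,
                    "USM user has no privacy key, so it can never use authPriv"))

        elif directive == "group" and len(tokens) >= 3 and tokens[2].lower() in PRE_V3_MODELS:
            findings.append(Finding(lineno, directive,
                f"VACM group bound to security model '{tokens[2]}' (pre-SNMPv3)"))

        elif directive == "access" and len(tokens) >= 5:
            # access GROUP CONTEXT MODEL LEVEL MATCH READ WRITE NOTIFY
            model, level = tokens[3].lower(), tokens[4].lower()
            if model in PRE_V3_MODELS or model == "any" or level != "priv":
                findings.append(Finding(lineno, directive,
                    f"VACM access permits model '{model}' at level '{level}'; expect 'usm priv'"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit_snmpd_conf(conf))} finding(s)")
        for f in audit_snmpd_conf(conf):
            print(f"  line {f.lineno} {f.directive}: {f.reason}")
```

The checks mirror the three properties the quoted draft text names (data integrity, data origin authentication, data confidentiality): community strings give none of them, an 'auth' level user gives the first two only, and only a 'priv' user with a privacy key gives all three. Running the audit on the weak sample reports four lines; the hardened sample reports none.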



_______________________________________________
midcom mailing list
midcom at ietf.org
https://www1.ietf.org/mailman/listinfo/midcom