Dear all,
The MIDCOM MIB is progressing and currently under IESG review.
Tim Polk made a comment that I would like to discuss here on this list.
In the draft, we explicitly state hat a MIDCOM MIB implementation
MUST support SNMPv3. However, we pass the responsibility of switching
on SNMPv3 to the operator. The operator may still run SNMPv1 or SNMPv2
if security is provided otherwise:
"Compliant MIDCOM MIB implementations MUST support SNMPv3 security
services including data integrity, data origin authentication and
data confidentiality.
It is REQUIRED that the implementations support the security features
as provided by the SNMPv3 framework. Specifically, the use of the
User-based Security Model RFC 3414 [RFC3414] and the View- based
Access Control Model RFC 3415 [RFC3415] is RECOMMENDED.
It is then a customer/operator responsibility to ensure that the SNMP
entity giving access to an instance of this MIB, is properly
configured to give access to the objects only to those principals
(users) that have legitimate rights to indeed GET or SET
(change/create/delete) them."
Now, Tim suggests to explicitly deprecate the use of (insecure) previous
versions of SNMP, for example with a phrase like
"Deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED.
Instead it is RECOMMENDED to deploy SNMPv3 and to enable
cryptographic security."
Are there any opinions about adding such a phrase to the security
considerations?