"JQ" == Juergen Quittek <quittek at netlab.nec.de> writes:
JQ> I don't think it would be appropriate to mandate in the MIDCOM MIB
JQ> draft a specific way of achieving a sufficient level of security.
I believe the wording I've seen doesn't do this. It uses RECOMMENDED
and SHOULD to specify which particular implementation and deployment
details are the best at this time (and maybe adding "at the time of this
writing" is a good way forward as well). But, the important REQUIRED that
should stay a REQUIRED is this one:
It is REQUIRED that the implementations support the security features
as provided by the SNMPv3 framework.
Which merely says you must implement the security features in the
framework. I believe the framework implies "a security model" and "an
access control model", but not necessarily USM and VACM. The
recommendations for USM and VACM come in the next sentence, which is
relaxed to a RECOMMENDED to allow for other choices.
It does also say that:
In the draft, we explicitly state hat a MIDCOM MIB implementation
MUST support SNMPv3.
That's the only protocol-secure alternative at this time at least, and
require implementations to support it makes sense. At this time. In
the future if netconf or some other new protocol has the ability to
access the MIDCOM MIB through a secure means, then it seems reasonable
to let them not implement SNMPv3. At this time, however, that's not
possible and SNMPv3 should be a MUST. Again, wording that allows for
future deviations is a way around this.