RE: [ipcdn] draft-ietf-ipcdn-device-mibv2-01.txt
Hi -
> Message-Id: <5.1.0.14.2.20020422100816.02396570@fedex.cisco.com>
> Date: Mon, 22 Apr 2002 10:24:16 -0700
> To: "Wijnen, Bert (Bert)" <bwijnen@lucent.com>
> From: Andy Bierman <abierman@cisco.com>
> Subject: RE: [ipcdn] draft-ietf-ipcdn-device-mibv2-01.txt
> Cc: RJ Atkinson <rja@extremenetworks.com>,
> "Woundy, Richard" <RWoundy@broadband.att.com>,
> "'mibs@ops.ietf.org'" <mibs@ops.ietf.org>,
> "IPCDN (E-mail)" <ipcdn@ietf.org>
> In-Reply-To: <A451D5E6F15FD211BABC0008C7FAD7BC0DB80B8B@nl0006exch003u.nl
> .lucent.com>
...
>
> SNMPv1 by itself is not a secure environment. Even if the network
> itself is secure (for example by using IPSec), even then, there is no
> control as to who on the secure network is allowed to access and
> GET/SET (read/change/create/delete) the objects in this MIB.
>
> This statement seems to suggest that implementations must differentiate
> operations by security user (i.e., use VACM and USM).
> I think such features should not be mandated. SNMPv1(2c) over IPSEC should
> be considered secure enough.
...
I find it hard to believe that granting all users the same
access rights to everything could be considered "secure
enough". Even the desktop systems we love to hate do better
than that.

Privacy and authentication are pointless without access
control.
------------------------------------------------------
Randy Presuhn BMC Software, Inc. 1-3141
randy_presuhn@bmc.com 2141 North First Street
Tel: +1 408 546-1006 San Jose, California 95131 USA
------------------------------------------------------
My opinions and BMC's are independent variables.
------------------------------------------------------