[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Updating the MIB security guidelines
At 12/31/2002:02:53 PM, Randy Presuhn wrote:
>> I guess one could limit access to a specific column to exlcude
>> some indices and not others....
>> Oh well... that is where I find VACM went overboard (mea culpa,
>> I am co-author/editor).
>I think the fine-grained access control is actually one of
>the things we did right in VACM. Any of the alternatives
>considered would require a master agent to have knowledge of
>MIB structure, requiring a huge increase in complexity.
While we could debate the meaning of "huge", I would argue
that there would have been some increase in the complexity
of master agents but that (1) most of the required generic
functionality is already coded in libraries anyway, and (2)
above all, the benefits (in terms of functional capabilities
and operational efficiencies) of having MIB meta-data knowledge
(not instrumentation) in the master agent would have far out-
weighed any such costs in increased complexity.
That is, overall system complexity would have been lower (and,
as a result SNMPv3 usage would be more prevalent).
Of course, all of this is water under the bridge at this
point...just interesting (I hope) food for thought.