[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Final MIB security guidelines

To: "C. M. Heard" <heard@pobox.com>, mibs@ops.ietf.org
Subject: RE: Final MIB security guidelines
From: "Wijnen, Bert (Bert)" <bwijnen@lucent.com>
Date: Tue, 7 Jan 2003 12:38:55 +0100

Inline

> -----Original Message-----
> From: C. M. Heard [mailto:heard@pobox.com]
> Sent: dinsdag 7 januari 2003 3:51
> To: mibs@ops.ietf.org
> Subject: Re: Final MIB security guidelines
> 
> 
> >>>>> On Tue, 7 Jan 2003, Wijnen, Bert (Bert) wrote:
> 
> Bert> -- for all MIBs you must evaluate
> Bert> 
> Bert>    Some of the readable objects in this MIB module (i.e., objects
> Bert>    with a MAX-ACCESS other than not-accessible) may be considered
> Bert>    sensitive or vulnerable in some network environments.  It is thus
> Bert>    important to control even GET access to these 
> objects and possibly
> -----------------------------------^^^^^^^^^^
> Bert>    to even encrypt the values of these objects when sending them over
> Bert>    the network via SNMP.  These are the tables and objects and their
> Bert>    sensitivity/vulnerability:
> Bert> 
> Bert>     <list the tables and objects and state why they are sensitive>
> 
> I though we had agreed to say "GET and/or NOTIFY access" here.
> 
Yep... sorry that I missed it.

> Bert>    Further, deployment of SNMP versions prior to SNMPv3 is NOT
> Bert>    RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
> Bert>    enable cryptographic security.  It is then a customer/operator
> Bert>    responsibility to ensure that the SNMP entity giving access to
> Bert>    an instance of this MIB module, is properly configured to give
> ---------------------------------------^
> Bert>    access to the objects only to those principals (users) that have
> Bert>    legitimate rights to indeed GET or SET (change/create/delete) them.
> 
> That comma needs to be removed.
> 
OK, can do that too, and maybe we already agreed to that as well.

> 
> >>>>> On Mon, 6 Jan 2003, Wes Hardaker wrote:
> 
> Wes> No references?
> 
> I recommend either to refer the reader to the boilerplate or 
> to copy the Informative References part from the boilerplate:
> 
> y. Informative References
> 
>    [RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart,
>              "Introduction and Applicability Statements for Internet-
>              Standard Management Framework", RFC 3410, December 2002.
> 
> Either way should do, because all MIB modules need the boilerplate.
> 
I indeed have 3410 added as reference. It will be on the web page
(soon I hope), although the above fixes may take longer.

Bert
> //cmh
>

Prev by Date: Re: Final MIB security guidelines
Next by Date: OID Registration -- Rules versus BCP (fwd)
Previous by thread: Re: Final MIB security guidelines
Next by thread: OID Registration -- Rules versus BCP (fwd)
Index(es):
- Date
- Thread