Re: Review: IESG Agenda and Package for January 22, 2004 Telechat
> > SNMP community strings are not passwords. A better analogy is that a
> > SNMP community string is like a groupname to which multiple users
> > belong. RFC 1157 says:
> >
> >    An SNMP message originated by an SNMP application entity that in fact
> >    belongs to the SNMP community named by the community component of
> >    said message is called an authentic SNMP message. The set of rules
> >    by which an SNMP message is identified as an authentic SNMP message
> >    for a particular SNMP community is called an authentication scheme.
> >    ... Some SNMP implementations may wish to support only a trivial
> >    authentication service that identifies all SNMP messages as
> >    authentic SNMP messages.
> >
> > So, with trivial authentication, the community string identifies a group
> > of originators, and any message which correctly identifies the group is
> > automatically authentic.
>
> The quoted text talks several times about "authentication" of SNMP
> messages. For most people, a string that is used to "authenticate"
> a message is considered to be a password, regardless whether this
> string is to be shared by a group or not.
>
> BTW, when I read the first time RFC 1157 many years ago, the concept
> of communities was the most puzzling thing for me to understand. It
> took some time until I realized that these are just passwords. ;-)

It's true that the non-technical definition, from a dictionary, e.g.,

   1: something that enables one to pass or gain admission: as a) a
   spoken word or phrase required to pass by a guard, b) a sequence of
   characters required for access to a computer system.

is close to the meaning of a SNMP community string.

But, I can't agree that community string is close to the more technical
definition of a password where each user has a different password, and
knowing the password serves to authenticate you as that user. In this
technical sense, a community string is closer to a username. If you
had "realized that they are just" usernames, would that similarly
have triggered the understanding?

So, my assertion is that describing an SNMP community string as a
password is only OK if the document in question is aimed at a