RE: [ipcdn] draft-ietf-ipcdn-device-mibv2-01.txt

["Wijnen, Bert (Bert)" <bwijnen@lucent.com>]

I am working on a revised text for the guideline.

Bert 

> -----Original Message-----
> From: RJ Atkinson [mailto:rja@extremenetworks.com]
> Sent: Thursday, April 18, 2002 7:13 PM
> To: Woundy, Richard
> Cc: 'mibs@ops.ietf.org'; IPCDN (E-mail)
> Subject: Re: [ipcdn] draft-ietf-ipcdn-device-mibv2-01.txt
> 
> 
> 
> On Thursday, April 18, 2002, at 12:59 , Woundy, Richard wrote:
> 
> > Folks,
> >
> > The current Security Guidelines uses the following text to 
> warn against
> > using SNMPv1:
> >
> >    SNMPv1 by itself is not a secure environment.  Even if 
> the network
> >    itself is secure (for example by using IPSec), even 
> then, there is no
> >    control as to who on the secure network is allowed to access and
> >    GET/SET (read/change/create/delete) the objects in this MIB.
> >
> > Shouldn't this text also point out that SNMPv2c suffers 
> from the same
> > security vulnerabilities? Note that SNMPv2c is explicitly 
> mentioned in 
> > the
> > standard MIB boilerplate 
<http://www.ops.ietf.org/mib-boilerplate.html>.

	Thanks.

MIB Folks,

	It should also explicitly note that SNMPv1 and SNMPv2c both use 
clear-text
disclosing passwords -- which are not considered to provide acceptable
security for an IETF protocol.

	We need to start having MIBs mandate that implementers implement
SNMPv3 now that has advanced to Full Standard, IMHO.

Ran