
Re: User Readable Config File (2.4.7)



> Should it explicitly state that there MUST be support in the device to 
> encrypt all passwords and secret and private keys (SNMP community strings, 
> NTP authentication, routing authentication, AAA server keys, what else?) 
> when displaying a user readable config file?

Possibly.  Though it is also valuable to have a way to dump the config
with all such sensitive things completely omitted (perhaps with some
sort of indication that they would be there if you had the uncensored
version), because in general, it's very hard to obscure passwords well
enough to be certain that a determined attacker can't recover them.

(And I've certainly encountered cases of sending a config file to a
router vendor's tech support, where completely omitting passwords
would be the desirable thing.)