Re: Definitions of "Console" and "CLI" expanded
Mike O'Connor <mjo@dojo.mi.org> writes:
> :> It would be nice if the language didn't imply that HTTP/HTML is the
> :> preferred replacement for a CLI over RS232...
> :
> :Well, this (including private replies) is sounding unanimous....
>
> I agree completely with the sentiment that HTTP should not necessarily
> be presented as the "preferred" replacement. I cited it as reflective
> of what I think is coming down the pipe. USB may be another interface
> option. Finding built-in serial on new laptops gets harder.
Well, sure, but HTTP is an application protocol. Ethernet is a kind of
communications hardware. Saying "Ethernet or USB console" is one
thing. Saying "HTTP instead of SSH CLI" is another. Mixing apples and
oranges here is bad.
> I disagree that it's impossible for "dumb HTTP" to function as a dumb
> management interface, as long as it's dumbed down sensibly.
It is a pain having to build screen scrapers for HTTP. HTTP makes
things easy only if a human is the thing managing the box. Most of us
try to have machines do that sort of thing, and machines don't prefer
HTML web pages. CLIs are not really optional for us.
> I think that SSL/SSH/other encryption over the management interface
> would be equally necessary (or unnecessary) in the RS232 space. It's
> about as easy to sniff RS232 connections as IP.
By what mechanism would you sniff an RS232 connection? Perhaps you
would argue that the serial line will tend to radiate and can be
listened in on with TEMPEST gear, but then again the box is probably
not proof against that either.
> But adding strong
> crypto to the management interface equation, whatever flavor, makes
> things decidedly not dumb. Folks have gotten working TCP stacks in
> 256 bytes of code embedded on PICs, which fits my definition of "dumb".
That's not true. No one has ever gotten TCP into 256 bytes of
code. People do have small TCP stacks -- I have one that fits in a few
k. 256 bytes is impossible.
Anyway, you can now fit strong crypto into a smart card, which is
about as small as systems often get, so on a modern system, there is
really not much of an issue any more.
> Securing the networking that connects the management client to the
> management port is as "out of scope" as securing the management client
> itself, AFAICT.
That's really untrue. You need secure access to your boxes to manage
them. That's not "securing the network" -- that's just providing for
the use of secure protocols like ssh or ssl.
--
Perry E. Metzger perry@piermont.com