RE: COPS vs. SNMP
> -----Original Message-----
> From: Wijnen, Bert (Bert) [mailto:bwijnen@lucent.com]
>
> David, I am not sure what you are trying to tell people?
[Dave] That before we start calling SNMPConf Done, we should take a step
back and carefully consider the security issues associated with allowing
local scripts to control the configuration of a device. Seems there is more
work to do here.
>
> The SNMP CERT advisories have NOT talked about a flaw
> in the SNMP Protocol at all. They have talked about implementation
> bugs. Further, it seems that most implementation bugs have been
> in the area of not properly decoding BER encoded SNMP packets.
>
[Dave] Perhaps, but that raises serious questions about using the current
installed base of SNMP for configuration. It is not clear to me where a
problem with implementations is to blame vs. the protocol definitions. There
are a lot of SHOULDs and MAYs in the specs that help contribute to
implementations going awry.
> Since the COPS-PR with PIB approach also uses BER encoding for
> sending the configuration/policy information, I would suspect
> that COPS-PR implementations have the same potential risks!!!
>
[Dave] COPS and COPS-PR security mechanisms are NOT BER-based. The security
mechanisms use fixed size COPS objects and tried & true TCP security
mechanisms. Once the persistent & secure client/server communication is
established, only then does BER come into play. Even then, the BER objects
are still wrapped in COPS objects, providing an extra level of validation to
avoid buffer overruns and the like.
... But I think it is good to analyze COPS-PR in this regard. Certainly, we
should be assured that CERT will have no issues with COPS-PR in the future.
> Bert
>
> > -----Original Message-----
> > From: Durham, David [mailto:david.durham@intel.com]
> > Sent: Monday, February 25, 2002 7:32 PM
> > To: 'Tricha Anjali'; rap@ops.ietf.org
> > Cc: Ian F. Akyildiz
> > Subject: RE: COPS vs. SNMP
> >
> >
> > I'm interested in what the industry adoption of SNMPConf is/will be.
> > Particularly given that CERT is already advising that administrators TURN
> > SNMP OFF! E.g. SNMP is currently undergoing a maelstrom of CERT advisories
> > and other bad press due to its troubling susceptibilities. Now just imagine
> > allowing people to actually download viruses and worms via SNMPConf PM
> > MIB's Scripts.
> > -Dave
> >
> > http://www.internetwk.com/story/INW20020213S0002
> >
> > > -----Original Message-----
> > > From: Tricha Anjali [mailto:tricha@ece.gatech.edu]
> > > Sent: Monday, February 25, 2002 9:38 AM
> > > To: rap@ops.ietf.org
> > > Cc: Ian F. Akyildiz
> > > Subject: COPS vs. SNMP
> > >
> > >
> > >
> > > Hello,
> > >
> > > We have been following the IETF activities concerning the ongoing work in
> > > the fields of SNMP and COPS. It seems that at the meeting in March 2000 in
> > > Adelaide, the snmpconf working group was formed for issues dealing with
> > > policy-based network management after the BOF about network management in
> > > Dec 1999. However, now the group seems to have accomplished its charter
> > > and finished. Does this mean that the discussion has been resolved?
> > >
> > > We would like to know if the resource reservation in a network can/should
> > > be achieved via COPS? If yes, how is it advantageous over SNMP?
> > >
> > > Any help will be appreciated!
> > >
> > > Thanks in advance,
> > >
> > > Tricha
> > >
> > > -------------------------------
> > > Tricha Anjali
> > > Broadband & Wireless Networking Lab
> > > School of Electrical and Computer Engineering
> > > Georgia Institute of Technology
> > > http://users.ece.gatech.edu/~tricha/
> > >
> > >
> > >
> > >
> >
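
Added example, not part of the original messages and not taken from any COPS or SNMP implementation: a bounds-checked decoder for the layering discussed in this thread, where the fixed COPS object header is validated first and every BER length inside it is then checked against the enclosing object. It assumes the RFC 2748 object header (16-bit length that includes the 4-byte header, then C-Num and C-Type), treats the payload as a flat run of BER TLVs, and ignores padding; the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One definite-length BER TLV from p[0..avail); returns bytes consumed or -1. */
static long ber_next(const uint8_t *p, size_t avail, const uint8_t **val, size_t *vlen)
{
    if (avail < 2 || (p[0] & 0x1f) == 0x1f) return -1; /* truncated, or multi-octet tag (not handled) */
    size_t hdr = 2, len = p[1];
    if (len & 0x80) {                       /* long form: low 7 bits count the length octets */
        size_t n = len & 0x7f;
        if (n == 0 || n > 4 || avail - 2 < n) return -1; /* indefinite, oversized, truncated */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | p[2 + i];
        hdr += n;
    }
    if (len > avail - hdr) return -1;       /* value would run past the enclosing object */
    *val = p + hdr;
    *vlen = len;
    return (long)(hdr + len);
}

/* Walk the BER TLVs inside one COPS object; returns the TLV count or -1 if malformed. */
int cops_count_tlvs(const uint8_t *buf, size_t buflen)
{
    if (buflen < 4) return -1;              /* fixed header: length(2), C-Num(1), C-Type(1) */
    size_t objlen = ((size_t)buf[0] << 8) | buf[1];
    if (objlen < 4 || objlen > buflen) return -1; /* outer bound checked before any BER */
    const uint8_t *p = buf + 4, *val;
    size_t left = objlen - 4, vlen;
    int count = 0;
    while (left > 0) {
        long used = ber_next(p, left, &val, &vlen);
        if (used < 0) return -1;
        p += used; left -= (size_t)used; count++;
    }
    return count;
}

/* Constructed samples: valid object; inner BER length 0x1000 in a 12-byte object; outer length 64 in 8 bytes. */
static const uint8_t SAMPLE_OK[] = {0x00,0x0c,0x06,0x01, 0x02,0x01,0x05, 0x04,0x03,'a','b','c'};
static const uint8_t SAMPLE_BAD_INNER[] = {0x00,0x0c,0x06,0x01, 0x02,0x01,0x05, 0x04,0x82,0x10,0x00,0x41};
static const uint8_t SAMPLE_BAD_OUTER[] = {0x00,0x40,0x06,0x01, 0x02,0x01,0x05, 0x00};

int main(void)
{
    printf("%d %d %d\n", cops_count_tlvs(SAMPLE_OK, sizeof SAMPLE_OK),
           cops_count_tlvs(SAMPLE_BAD_INNER, sizeof SAMPLE_BAD_INNER),
           cops_count_tlvs(SAMPLE_BAD_OUTER, sizeof SAMPLE_BAD_OUTER));
    return 0;
}
```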