RE: ISMS working group and charter problems

"Fleischman, Eric" <eric.fleischman@boeing.com> Wed, 07 September 2005 19:04 UTC

Date: Wed, 07 Sep 2005 12:04:03 -0700
Message-ID: <474EEBD229DF754FB83D256004D02108BBC8EF@XCH-NW-6V1.nw.nos.boeing.com>
From: "Fleischman, Eric" <eric.fleischman@boeing.com>
To: Margaret Wasserman <margaret@thingmagic.com>, Harald Tveit Alvestrand <harald@alvestrand.no>, dcrocker@bbiw.net, Eliot Lear <lear@cisco.com>
Cc: IETF Discussion <ietf@ietf.org>
Subject: RE: ISMS working group and charter problems

At 12:26 AM +0200 9/7/05, Harald Tveit Alvestrand wrote:
>>I believe that the ISMS WG's proposal is about ADDING the
>>possibility of SNMP over TCP, not about CHANGING SNMP to use TCP.
>>UDP will still work.

>From: Margaret Wasserman [mailto:margaret@thingmagic.com] 
>That is correct.  UDP and the current SNMPv3 USM security mechanisms 
>will still work.  They will also remain mandatory parts of SNMPv3.

Whoa, now, Margaret. Your statement is technically accurate that
traditional SNMPv3 USM will hopefully co-exist with ISMS indefinitely,
and therefore SNMP-over-UDP will remain viable within the historic USM
context. However, your statement is inaccurate within the context of
this discussion, which is ISMS.

I actively supported the formation of the ISMS WG through a series of
BOFs because I concluded years ago that SNMPv3 USM is inadequately
securable for large deployments (doesn't scale, no PFS, symmetric key
distribution problems, etc.), requires us to deploy a unique SNMP-only
authentication/authorization system that doesn't integrate with any
enterprise-wide alternative, and is therefore needlessly expensive and
of dubious value within multi-vendor environments.

By coupling ISMS with SSH, which currently only operates over TCP, the
current ISMS solution being forwarded by the WG is TCP-dependent. TCP
doesn't operate effectively in all parts of the deployments with which
I am associated. That is why I have been trying to encourage the WG to
enable ISMS to be flexibly designed to be deployable in a wide variety
of environments in a locally-appropriate manner (i.e., use TCP where it
works well and UDP where it works well). This has not happened.

--Eric
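The "symmetric key distribution problems" Eric cites for SNMPv3 USM come from how USM derives its keys: a shared password is hashed into a master key and then "localized" against each agent's snmpEngineID, so every managed engine ends up holding a key that is a pure function of one shared secret. The following is an added illustration, not code from the thread or from any SNMP implementation; it implements the password-to-key and key-localization steps of RFC 3414 (MD5 and SHA-1 variants) and applies them to constructed engine IDs to show the provisioning burden and the blast radius of a leaked password. The fleet of engine IDs and the `provision_fleet` helper are constructed for the example.

```python
import hashlib

# RFC 3414 expands the password by repetition to exactly 1 MiB before hashing.
_EXPANDED_LEN = 1_048_576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: derive the master key Ku from a password.

    hash_name is "md5" (HMAC-MD5-96 auth) or "sha1" (HMAC-SHA-96 auth).
    """
    if not password:
        raise ValueError("empty USM password")
    h = hashlib.new(hash_name)
    repeats = _EXPANDED_LEN // len(password) + 1
    h.update((password * repeats)[:_EXPANDED_LEN])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).

    Each agent holds a key bound to its own engine ID, but the key is still a
    deterministic function of the single shared password.
    """
    h = hashlib.new(hash_name)
    h.update(ku + engine_id + ku)
    return h.digest()


def provision_fleet(password: bytes, engine_ids: list, hash_name: str = "md5") -> dict:
    """Constructed helper: the localized key every engine in a fleet must be
    given, as a manager or provisioning system would have to compute them.
    Returns {engine_id_hex: localized_key_hex}.
    """
    ku = password_to_key(password, hash_name)
    return {eid.hex(): localize_key(ku, eid, hash_name).hex() for eid in engine_ids}


if __name__ == "__main__":
    # Constructed sample: three engine IDs sharing one operator password.
    fleet = [bytes.fromhex("800000020100000001"),
             bytes.fromhex("800000020100000002"),
             bytes.fromhex("800000020100000003")]
    keys = provision_fleet(b"example-password", fleet)
    for eid, kul in keys.items():
        print(f"engine {eid}: Kul {kul}")
    # Every Kul above is recoverable from the one password plus the (public)
    # engine ID, which is the distribution and compromise-scope problem
    # raised in the thread: rotating the password means re-keying all agents.
```

`provision_fleet` is where the scaling point lands: the manager must know, store, and rotate one localized key per engine, and because the localization input (the engine ID) is visible on the wire, a single password disclosure yields every agent's key. Note that Python builds on FIPS-restricted platforms may refuse `hashlib.new("md5")`; SHA-1 localization works the same way via `hash_name="sha1"`.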

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf