Re: ISMS working group and charter problems

Pekka Savola <pekkas@netcore.fi> Tue, 06 September 2005 18:58 UTC

Date: Tue, 06 Sep 2005 21:57:13 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: Eliot Lear <lear@cisco.com>
In-Reply-To: <431DE1C9.8000207@cisco.com>
Message-ID: <Pine.LNX.4.61.0509062143070.19070@netcore.fi>
References: <431DD3BD.9090108@cisco.com> <431DD94C.8070907@dcrocker.net> <6.2.3.4.2.20050906141658.07a04e08@mail.amaranth.net> <431DE1C9.8000207@cisco.com>
Cc: IETF Discussion <ietf@ietf.org>, iesg@ietf.org
Subject: Re: ISMS working group and charter problems

On Tue, 6 Sep 2005, Eliot Lear wrote:
> All solutions will use a different SSH port as part of the standard just
> so that firewall administrators have the ability to block.

FWIW, I'm a bit concerned as well.  I don't see clearly which 
scenarios you have in mind when you say you want better firewall/NAT 
traversal capabilities.

In the scenarios I see, it's a Good Thing that as a network admin I 
can block all [incoming] SNMP traffic (whether ISMS or not), and 
moreover, that it's blocked by default if I create a typical policy; I 
want to do that in the future too.  Using a different port is 
obviously the first step here.

But if a different port is being used, I don't see what more is 
absolutely required.

Are you saying some of the following:

  1) ISMS specs should specify that the monitored hosts can/should 
certainly keep open a TCP session so the network management (in both 
ways) can happen over that session.  (This seems pretty trivial..)

  2) We should specify how network management hosts could reside behind 
firewalls which block the management ports (I don't think this is 
needed or should be done).

  3) ISMS specs should specify network management hosts' capability to 
poll hosts behind a firewall which blocks the incoming ISMS port by 
default -- by using a mechanism where outgoing "I want to be monitored 
using ISMS!" messages would open pinholes in the firewalls.  (Is there 
sufficient benefit in this compared to 1) as you still can't monitor 
the hosts when you want to unless they are constantly polling you?)

Something else?  Please be a bit more specific about what you think 
the "NAT/FW problem" is in this context, and what you'd like to see 
done about it.

(Personally, I'm not sure if I buy the whole ISMS thing at the moment, 
because the operators AFAICT are sufficiently happy with the SNMPv1/2 
security model -- so whatever you build, it has to be at least that 
simple otherwise it won't be used.)

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

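A constructed model of the "typical policy" and of scenario 1 discussed in the message above, added here as an example and not part of the thread: a stateful filter that drops inbound NEW connections by default, so a manager's direct poll to the ISMS port is blocked, while a session the managed host opened itself carries management traffic in both directions. The addresses and the ISMS port number are placeholders, since the message names none.

```python
# Added example, not from the thread.  Addresses and ISMS_PORT are placeholders.
from dataclasses import dataclass

MANAGER, AGENT = "198.51.100.10", "192.0.2.20"   # constructed addresses
ISMS_PORT = 5000   # placeholder: the thread names no port for ISMS


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when the packet enters the managed host's network


class StatefulFilter:
    """Default-deny for inbound NEW flows; track flows the inside host starts."""

    def __init__(self):
        self.conntrack = set()   # (src, sport, dst, dport) of outbound flows

    def filter(self, pkt: Packet) -> str:
        if not pkt.inbound:
            # Outbound traffic is allowed and creates connection state.
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: accept only the reverse direction of a tracked outbound flow.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"   # ESTABLISHED
        return "DROP"         # NEW inbound, including polls to ISMS_PORT


def manager_polls_directly() -> str:
    """Manager initiates a poll to the agent's ISMS port: dropped by default."""
    fw = StatefulFilter()
    return fw.filter(Packet(MANAGER, 40001, AGENT, ISMS_PORT, inbound=True))


def agent_keeps_session_open() -> tuple:
    """Scenario 1: agent connects out, manager polls over that same session."""
    fw = StatefulFilter()
    opened = fw.filter(Packet(AGENT, 50001, MANAGER, ISMS_PORT, inbound=False))
    poll = fw.filter(Packet(MANAGER, ISMS_PORT, AGENT, 50001, inbound=True))
    # A third host cannot ride the agent's session: its packet matches no flow.
    stray = fw.filter(Packet("203.0.113.5", ISMS_PORT, AGENT, 50001, inbound=True))
    return opened, poll, stray


if __name__ == "__main__":
    print(manager_polls_directly(), agent_keeps_session_open())
```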