Re: ISMS working group and charter problems
"Steven M. Bellovin" <smb@cs.columbia.edu> Tue, 06 September 2005 23:14 UTC
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Eliot Lear <lear@cisco.com>
In-Reply-To: Your message of "Tue, 06 Sep 2005 19:37:01 +0200." <431DD3BD.9090108@cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 06 Sep 2005 19:13:55 -0400
Message-Id: <20050906231355.7FBD73BFD6F@berkshire.machshav.com>
Cc: nanog@merit.edu, IETF Discussion <ietf@ietf.org>, iesg@ietf.org
Subject: Re: ISMS working group and charter problems
In message <431DD3BD.9090108@cisco.com>, Eliot Lear writes:
>
> More and more voice over ip (VoIP) has gained acceptance in the market
> place. However, the ability to debug end points real time is limited.
> Wouldn't it be nice for a manager to query a phone to determine how
> many data packets it thinks it has sent to a far end and then follow
> that stream to determine who is dropping? In order to accomplish this
> task, the manager has to have access to a phone which, if remote, may
> well be sitting behind a firewall such as the one you have at home.

Eliot, I have very grave reservations about this. Quite frankly, I don't think that arbitrary management stations should have any right whatsoever to connect to my devices. I agree that the functionality you suggest is useful. The trick is to permit that without permitting misbehavior. (I'll note here that the interests of vendors and the interests of users are not identical. More and more, vendors like subscription-based models, where users keep on paying, to give just one example.)

This requires not just a view-based access control model -- where the view might be "MIB variables for this call only" -- but an express intent by the user to permit the access for that particular call. This demands a different notion of "view" than has been traditional; it also implies a user interface issue and -- given the existence of firewalls -- a multi-party protocol: my endpoint, your endpoint, my management proxy (which is accessible through the firewall), your management proxy, and the vendor's diagnostic station.

I'd be hard-pressed to see this as within scope for ISMS. It may, however, be a very nice subject for a separate working group.

> Furthermore, if the phone wants to send a notification to a manager, it
> too is likely to reside behind a firewall.

Not if the site is properly managed. The manager's port should be exposed to the outside. Just as web servers have to permit inbound port 80 and mail servers have to permit inbound port 25, a management station has to accept its own traffic. A firewall can, at best, protect the other ports on the machine -- but those should be turned off anyway.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
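An added illustration (not code from the thread or from any ISMS draft) of the access model Bellovin sketches: a VACM-style view check that admits only a per-call statistics subtree, plus a second gate requiring an express, time-bounded consent from the user that names both the call and the manager. The OID prefix, the consent record layout and all sample values are constructed placeholders, not a real VoIP MIB.

```python
"""Model of 'view + express user intent' for per-call diagnostic access.

Constructed example: the OID subtree below stands in for a hypothetical
per-call VoIP statistics table whose rows are indexed by a call number.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical subtree holding per-call counters (placeholder enterprise arc).
CALL_STATS_PREFIX = "1.3.6.1.4.1.99999.1.2"


@dataclass(frozen=True)
class Consent:
    """Record created only by an explicit user action on the endpoint."""
    call_index: int        # table row the user agreed to expose
    manager: str           # the one diagnostic station allowed to read it
    expires_at: int        # unix seconds; consent is never open-ended


def grant_consent(call_index: int, manager: str, now: int, ttl: int) -> Consent:
    """The user-interface step: the user opts this call in for this manager."""
    return Consent(call_index=call_index, manager=manager, expires_at=now + ttl)


def in_call_view(oid: str) -> bool:
    """VACM-like check: the OID must lie under the per-call stats subtree.
    The trailing '.' guard stops a sibling arc such as '...1.20' matching."""
    return oid == CALL_STATS_PREFIX or oid.startswith(CALL_STATS_PREFIX + ".")


def authorize(manager: str, oid: str, consents: List[Consent], now: int) -> Tuple[bool, str]:
    """Both gates must pass: the view restricts *which* variables, the consent
    restricts *which call*, *which manager* and *for how long*."""
    if not in_call_view(oid):
        return False, "denied: OID outside the per-call view"
    row = oid.rsplit(".", 1)[1]          # last sub-identifier is the call index
    for c in consents:
        if c.manager == manager and str(c.call_index) == row and now < c.expires_at:
            return True, "permitted: consented call, manager and window"
    return False, "denied: no live consent for this call and manager"


if __name__ == "__main__":
    consents = [grant_consent(7, "vendor-diag.example", now=900, ttl=100)]
    print(authorize("vendor-diag.example", CALL_STATS_PREFIX + ".3.7", consents, 950))
    print(authorize("vendor-diag.example", CALL_STATS_PREFIX + ".3.8", consents, 950))
```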