RE: IPSEC MIBs?

Paul Koning <pkoning@xedia.com> Thu, 28 May 1998 13:05 UTC

Date: Thu, 28 May 1998 09:19:58 -0400
Message-Id: <199805281319.JAA21796@tonga.xedia.com>
From: Paul Koning <pkoning@xedia.com>
To: ipsec@tis.com
Subject: RE: IPSEC MIBs?
References: <250F9C8DEB9ED011A14D08002BE4F64C01959171@wade.reo.dec.com>

 -----Original Message-----
 Ran> From: Ran Atkinson [SMTP:rja@inet.org]
 Ran> Sent: Thursday, May 28, 1998 3:11 AM
 Ran> To: Ran Waters
 Ran> Subject: Re: IPSEC MIBs?

 Ran> Doing a useful MIB for IPsec would tend to reduce the
 Ran> security of an IPsec implementation to the min(IPsec
 Ran> security, SNMP security).  The latter (SNMP Security) is
 Ran> generally accepted to be weaker (especially pre-SNMPv3, but
 Ran> even with SNMPv3 in place).

 Ran> I'd suggest that weakening the security of an implementation
 Ran> of a security protocol is probably not a good global
 Ran> optimisation.

True.  But any IPSEC implementation will have management, and any
implementation of IPSEC has the property that it is as strong as its
weakest link.  It strikes me that replacing proprietary MIBs by a
standard MIB can only improve matters.

As Stephen Waters pointed out, quite apart from whatever mechanisms
SNMP itself may have (adequate or not), one can protect SNMP by
carrying it over IPSEC once IPSEC has been bootstrapped using local
management.

	paul