Re: [midcom] security recommendations in MIDCOM MIB draft

Melinda Shore <> Thu, 12 July 2007 15:40 UTC

Date: Thu, 12 Jul 2007 11:40:15 -0400
Subject: Re: [midcom] security recommendations in MIDCOM MIB draft
From: Melinda Shore <>
To: Magnus Westerlund <>, Wes Hardaker <>
Cc:, Tim Polk <>

On 7/12/07 7:51 AM, "Magnus Westerlund" <>
> Can we please come to consensus on this topic. And if there are text
> changes to implement the consensus, please provide them as RFC-editor
> notes to me.

The starting point is: requesting services from a middlebox must
be secure.  If that's to be done cryptographically, it requires
SNMPv3.  If it's not to be done cryptographically it suggests that
the protocol is being run over a "secure" network.  The latter was
not considered acceptable by the responsible area director at the
time that the work was ramping up, and it seems to me the question
of whether or not SNMPv3 is to be required hinges on whether or
not we can now permit an assumption of a "secure" network (for example,
running it over an IPSec tunnel).  It seems to me that if we
can't assume the use of a secure network in some deployments then
SNMPv3 has to be required, since sending firewall requests and
NAT answers insecurely is obviously unacceptable.  Do you think
the assumption of a secure network would pass review?
