Re: [midcom] security recommendations in MIDCOM MIB draft
Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 05 July 2007 11:20 UTC
Message-ID: <468CD3FB.4040203@ericsson.com>
Date: Thu, 05 Jul 2007 13:20:27 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: Juergen Quittek <quittek@netlab.nec.de>
Subject: Re: [midcom] security recommendations in MIDCOM MIB draft
References: <6AFFE92CEE03A3E6C2E61771@753F3B888A9969457862729D>
In-Reply-To: <6AFFE92CEE03A3E6C2E61771@753F3B888A9969457862729D>
Cc: midcom@ietf.org, Tim Polk <tim.polk@nist.gov>
Juergen Quittek wrote:
> Dear all,
>
> The MIDCOM MIB is progressing and currently under IESG review.
> Tim Polk made a comment that I would like to discuss here on this list.
>
> In the draft, we explicitly state that a MIDCOM MIB implementation
> MUST support SNMPv3. However, we pass the responsibility of switching
> on SNMPv3 to the operator. The operator may still run SNMPv1 or SNMPv2
> if security is provided otherwise:
>
> "Compliant MIDCOM MIB implementations MUST support SNMPv3 security
> services including data integrity, data origin authentication and
> data confidentiality.
>
> It is REQUIRED that the implementations support the security features
> as provided by the SNMPv3 framework. Specifically, the use of the
> User-based Security Model RFC 3414 [RFC3414] and the View-based
> Access Control Model RFC 3415 [RFC3415] is RECOMMENDED.
>
> It is then a customer/operator responsibility to ensure that the SNMP
> entity giving access to an instance of this MIB, is properly
> configured to give access to the objects only to those principals
> (users) that have legitimate rights to indeed GET or SET
> (change/create/delete) them."
>
> Now, Tim suggests explicitly deprecating the use of (insecure) previous
> versions of SNMP, for example with a phrase like
>
> "Deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED.
> Instead it is RECOMMENDED to deploy SNMPv3 and to enable
> cryptographic security."
>
> Are there any opinions about adding such a phrase to the security
> considerations?
>

To make sure I understand this correctly: without SNMPv3 and its security
functions, the MIDCOM MIB will not reach the security requirements
identified? If this is true, I think it is quite clear that MIDCOM MIB
should only be used with SNMPv3.
Cheers

Magnus Westerlund

IETF Transport Area Director & TSVWG Chair
----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM/M
----------------------------------------------------------------------
Ericsson AB                | Phone +46 8 4048287
Torshamsgatan 23           | Fax   +46 8 7575550
S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
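The two configurations the thread contrasts, as an added example that is not part of the draft or of anyone's message on this list: a Net-SNMP snmpd.conf in which the SNMPv1/v2c community-string setup the proposed text would mark NOT RECOMMENDED sits beside an SNMPv3 setup using USM (RFC 3414) for authentication and confidentiality and VACM (RFC 3415) to confine principals to the MIB they are entitled to GET or SET. Net-SNMP directive syntax, the user names and the subtree `.1.3.6.1.2.1.NNN` (a placeholder for the MIDCOM MIB's OID, which this page does not give) are assumptions, not taken from the page.

```conf
# Added example (not from the MIDCOM MIB draft or the mailing-list thread).
# Assumed: Net-SNMP snmpd.conf directive syntax; ".1.3.6.1.2.1.NNN" is a
# placeholder for the MIDCOM MIB subtree, which the page does not state.

#### NOT RECOMMENDED: SNMPv1/v2c community strings (shown commented out).
# The community name is the only credential, it is sent in cleartext, and
# nothing provides integrity or confidentiality for GET/SET traffic, so the
# draft's "integrity, origin authentication, confidentiality" are not met.
# rocommunity public      # anyone who knows "public" can read every object
# rwcommunity private     # anyone who knows "private" can SET/create/delete

#### RECOMMENDED: SNMPv3 with USM and VACM.
# USM users with SHA authentication and AES privacy. Passphrases are
# placeholders; Net-SNMP documents putting createUser lines in the persistent
# configuration store so that the cleartext passphrases are replaced by
# localized keys after the first start.
createUser midcomAdmin   SHA "CHANGE-ME-admin-auth"   AES "CHANGE-ME-admin-priv"
createUser midcomMonitor SHA "CHANGE-ME-monitor-auth" AES "CHANGE-ME-monitor-priv"

# VACM view: the only objects these principals may touch. Anything outside
# the included subtree is invisible to them, GET or SET alike.
view midcomView included .1.3.6.1.2.1.NNN

# Bind each principal to the view and require securityLevel "priv"
# (authentication AND encryption). A request arriving as v1/v2c, or as v3
# at noAuthNoPriv or authNoPriv, matches no access rule and is rejected.
rwuser midcomAdmin   priv -V midcomView   # the operator's "legitimate rights to SET"
rouser midcomMonitor priv -V midcomView   # read-only principal, same view
```

With no `rocommunity`/`rwcommunity` line active, snmpd has no v1/v2c access rule at all, which is the operational form of "SNMP versions prior to SNMPv3 is NOT RECOMMENDED"; the `priv` keyword on the `rwuser`/`rouser` lines is what turns the draft's MUST-support into must-use for this agent.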