Re: [netmod] Adoption of: draft-bjorklund-netmod-snmp-cfg-02 (respondby 20120420)

[Wes Hardaker <wjhns1@hardakers.net>]

"Randy Presuhn" <randy_presuhn@mindspring.com> writes:

> There have been lots of different technologies thrown at the key
> management problem space over the years.  I think it would be
> worthwhile to have a security guru specializing in that topic (and
> that's certainly not me!!) give the WG some pointers to what the
> current state of the art is

I think the current state of the art with respect to shared secrets (eg,
passwords) is quite simple: don't do it.  For exactly the reasons that
are coming up here: configuring a bunch of boxes with a shared secret
means all boxes have access to it (or in the case of USM, a fortunately
local copy).  I'd say the management station should be delivering
localized keys and that's the best you can achieve. Netconf,
fortunately, should always run over an encrypted protocol and thus is
safe to deliver a localized copy.  You could, if really paranoid, define
a negotiated feature such that the localized key config object would
only be available when an encrypted session was in use.

[I understand the desire to not deliver even those like the keychange
algorithm achieves, but even the USM is typically configured the first
time by manual initialization of the secret outside USM and probably
frequently still over the network].

The state of the art, however, is typically to use public/private key
solutions instead and thus delivery of the public key of the opposite
side only requires that it not be modified and disclosure isn't a
concern.  IE, SNMP over (D)TLS (RFC6353: configuration of which is
defined in the draft) or SNMP over SSH (RFC5592: which there are not
configuration objects for at the moment).
-- 
Wes Hardaker
SPARTA, Inc.