a response from dr. snmp on behalf of the snmpv2* team
Jeff Case <case@cs.utk.edu> Thu, 31 August 1995 11:23 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa07133; 31 Aug 95 7:23 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa07129; 31 Aug 95 7:23 EDT
Received: from neptune.tis.com by CNRI.Reston.VA.US id aa07394; 31 Aug 95 7:23 EDT
Received: from neptune.tis.com by neptune.TIS.COM id aa28854; 31 Aug 95 6:52 EDT
Received: from relay.tis.com by neptune.TIS.COM id aa28850; 31 Aug 95 6:44 EDT
Received: from cs.utk.edu(128.169.94.1) by relay.tis.com via smap (g3.0.1) id xma003914; Thu, 31 Aug 95 06:34:04 -0400
Received: by CS.UTK.EDU (cf v2.9s-UTK) id GAA18192; Thu, 31 Aug 1995 06:44:26 -0400
Date: Thu, 31 Aug 1995 06:44:26 -0400
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Jeff Case <case@cs.utk.edu>
Message-Id: <199508311044.GAA18192@CS.UTK.EDU>
To: snmpv2@tis.com
Subject: a response from dr. snmp on behalf of the snmpv2* team
Cc: case@snmp.com
sorry to have to send this from my account at the university ... ever since we opened speedbump up to anonymous ftp, there have been unexplainable things happening to that machine (and others behind it) ... we are working with cert to explore the causes ... so, in the meantime, i'll post this message from here please send all replies to the list or to case@snmp.com thanks ----- marshall: i am writing to respond to your list of new features and new mechanisms you posted late last night in a note to aleksey the question on the table is, using your own words (so as to not open myself to accusations that i'm putting "spin" on them) as follows To what extent is "many of these are major changes to SNMP, none of them are in any of the real proposals; indeed, many have heretofore never discussed in public." in fact, true? first, the facts about the items in your list: (commentary follows) > new features: > - manager-to-manager communication without either having an agent see draft-ietf-snmpv2-adminv2-ds-02.txt, page 16, definition of a manager see also draft-ietf-snmpv2-proto-ds-01.txt, page 28, near the top both of these documents talk about manager-to-manager communications between two managers ... nowhere is there any clue that one needs to have an agent -- if there was a need to have an agent where is that stated? this is, after all, called a manager-to-manager communication, not called a dual-role entity communication to dual-role-entity communication CONCLUSION: This is not new stuff that has heretofore never been discussed in public > - multiple auth/priv protocols associated with one user see draft-kzm-snmpv2-adminv2-alt-00.txt throughout ... given that usec admin allows multiple models, potentially multiple user-based models, usec allows a single username to be associated with multiple combinations of model and qos, where qos selects a single auth/priv protocol combination the snmpv2* synthesis is similar in this regard, wherein a single username can be associated with multiple values of sPI where the spi is equivalent to the combination of a usec model and qos ... there is no basic difference between these approaches -- the primary difference is if the two concepts are encoded as two disparate fields or as 1 field which represents the cross product CONCLUSION: This is not new stuff that has heretofore never been discussed in public > - access control via context bit-masks this aspect of the mib design is a direct result of other design decisions and two are worth mentioning here first, the USEC design shifted the paradigm from having context names in simple agents administratively assigned by a system administrator to a new paradigm wherein context names are administratively assigned by agent implementors, as evidenced by the read-only nature of these entries in the USEC MIB for simple agents ... we agree with this design decision and incorporated it in the synthesis however, as a result of this paradigm shift in the design of the context table, it shouldn't be surprising that there are ripple effects in the tables which "point" to the context table since the administrator is no longer in complete control of the configuration this is especially critical in hot-swappable chassis with dynamically loadable contexts. second, see draft-ietf-snmpv2-adminv2-ds-02.txt page 50 near top where it states that every attempt has been made to minimize the amount of NV storage required ... we agree with this design decision and incorporated it in the synthesis CONCLUSION: This is not new stuff that has heretofore never been discussed in public > - "security" based on transport-addresses see draft-kornegay-snmpv2-emf-00.txt, page 4, near the middle and see draft-wijnen-snmpv2-snmpv2t-00.txt, page 6, near the end of the first paragraph of section 2.2 CONCLUSION: This is not new stuff that has heretofore never been discussed in public > - MIB-based configuration of community-based authentication see draft-ietf-snmpv2-party-ds-02.txt page 14, at the top, in conjunction with the bottom of page 20 and the top of page 21 (look for rfc1157noAuth) see also draft-ietf-snmpv2-tm-ds-02.txt page 14 i could cite more, but one example should be sufficient, and three should be more than sufficient CONCLUSION: This is not new stuff that has heretofore never been discussed in public > - grouping of transport addresses see draft-ietf-snmpv2-adminv2-ds-02.txt page 50 near top and similar comment above further, chairman bob posted a message to this list on behalf of case, mccloghrie, and rose on Tue, 25 Apr 1995 11:09:26 -0400 containing a proposal for a transportTable which is materially similar to the one found in the synthesis and there were multiple messages discussing this table in the months of april and may, including reports of implementation experience and feedback CONCLUSION: This is not new stuff that has heretofore never been discussed in public > - configuration of access-control (for an existing user) according to > the group a user is in. first, you need to get your terms correct ... the synthesis configures access control according to the group an identity is in, in contrast to configuring according to the group a user is in ... which, for some values of sPI, this identity maps to a username (this is the default) second, there is no requirement in the synthesis that the identity be in existence, there may or may not be an identity in any spi which corresponds to that group ... the synthesis allows a configured set of access rights for a group quite independently of whether there are zero, one, or many identities associated with that group ... this is an important isolation of the authentication from the access control third, this isn't new ... see draft-ietf-snmpv2-scm-ds-01.txt, especially scmUserCapIndex pointing into the scmCapTable CONCLUSION: This is not new stuff that has heretofore never been discussed in public > new mechanisms: Most of the "new mechanisms" you cite are bug fixes. These are fixes to bugs identified in the document entitled "Problems with the SNMPv2 Proposals". Glenn's posting of 26 Aug 1995 claims that several problems are not problems, and we, of course, disagree about this. Claims that problems are not problems is not a solution. You may reread the relevant areas of the previously provided text. > - ASCII-naming of Views ok, you have us here ... this is our most vulnerable spot we thought that if we are going to move from OIDs for contexts to user-friendly string-based names for contexts, and from parties named by OIDs to user-friendly string-based user names, that it was consistent to also name views by user-friendly string-based view names ... with the hook that in resource poor systems, i.e., those with precious little nvram resources, that the strings can be real short, like one byte, e.g., "1", "2", "3" etc this hardly seems the basis by which one would decide a set of documents totaling 200+ pages is/is not "new" CONCLUSION: This is new stuff, but inconsequential, but easily transformed back to small-valued integers if the Working Group so desires > - agentID changed to snmpID and the need for a manager to have one bug fix ... see "Problems with the SNMPv2 Proposal" page 7ff CONCLUSION: This is not new stuff that has heretofore never been discussed in public > - a scopedPDU SEQUENCE to provide naming of (proxy) contexts via snmpID bug fix ... see "Problems with the SNMPv2 Proposal" page 9ff CONCLUSION: This is not new stuff that has heretofore never been discussed in public > - receiver is the authoratitive source of clock for Informs bug fix ... see "Problems with the SNMPv2 Proposal" page 7ff CONCLUSION: This is not new stuff that has heretofore never been discussed in public in the final challenge of your note, you state: >further, i might add that the one thing that the "synthesis" non-proposal >did manage was to exclude use of public-key technology, i.e., it says > > > "transmitted on behalf of identity" > >Given that this is inconsistent with future support of asymmetric >cryptography, i'm not sure how the "synthesis" non-proposal can state >that all of the proposals had good things in them, when one of these >proposals was entirely about use of public-key technology. first, do you really think your repeated attempts to castigate the synthesis with these labels is effective? it makes you look increasingly desperate second, i have looked in the synthesis documents but cannot find the text you cite ... could you perhaps help me out with that with a document name/title and a page number? third, there is *nothing* in the synthesis that is incompatible with public key cryptography ... if you wish to assert that there is, could you please state the technical grounds for your beliefs? fourth, even after we prove that public-key technology does work, some readers will continue to be confused by your unsubstantiated claims. this is unfair to our synthesis and we respectfully request that you be more careful in the future. CONCLUSION: Like those above it, this assertion is false ----------------------------------------------------------------------------- DISCUSSION: i have responded to the technical content of your note, but have chosen not to respond at this time to the increasing frequency and boldness of the vindictive attacks contained in your recent notes, including this one for the best interests of the Working Group, i am continuing to resist the temptation to respond in kind to your rude jabs ... the Working Group doesn't need nor want to hear that kind of dialog and i'm trusting that they'll appreciate my restraint as a sign of strength rather than a position of weakness ... so i don't intend to stoop to your level by responding to these attacks if i properly understand your tactics, you are attempting to manipulate the Working Group by making certain claims about the synthesis documents you claimed (again, using your own words (so as to not be accused of putting my spin on them): "many of these are major changes to SNMP, none of them are in any of the real proposals; indeed, many have heretofore never discussed in public." it is my understanding that you hoped that through these declarations, you might be able to get the synthesis rejected, no matter how meritorious it might or might not be you challenged me to refute these claims, which i have done, with documentation yours might have been an effective tactic for manipulating the working group except for one detail ... your claims are unfounded and without basis META CONCLUSION: Your tactic has failed. Your best and only point is the choice of type for the index on the view table, and i can't imagine you'd be so foolish as to attempt to pin your hopes on such a weak point we'll save the discussion of the merits of the ideas for another note and limit this one to the legalistic claims you have made about the items you identified in the synthesis ... the discussion of the technical merits can be the topic of another note one final thought before closing: we've processed this list as if it were the list that our chairman, bob, tasked you to prepare although it isn't clear if you meant it to be so in that the message was addressed to aleksey ... since you aren't yet heeding other instructions in that message, perhaps you haven't seen it yet or perhaps your messages might have crossed in transit in either event, we will respond to any additional items you may wish to raise once you've taken the time to read the documents beyond the "cursory examination" you cite thus far ... perhaps if you take the time to read the synthesis, you'll even like it while we'll respond to additional items you may wish to raise, we feel it would be a much more worthwhile use of everyone's time and the bandwidth on the list to focus on the technical details of the synthesis and the merits of the design rather than to waste additional time on failed attempts to challenge the legitimacy of the synthesis based on some legalistic criteria if you'd like to help by point out the text which you find difficult to understand, please do so ... we merely request that you do so with substantive technical arguments which back up your assertions without all the emotional glop of course, you'll need to ask a complete question ... researching and preparing a thoughtful and courteous response to your list has consumed time and this time was unnecessarily long because of your vague assertions ... so, complete questions or comments are essential now, can we get back to substantive technical discussions? without all the emotions? thanks in advance regards, jdc
- a response from dr. snmp on behalf of the snmpv2*… Jeff Case
- Re: a response from dr. snmp on behalf of the snm… romanov
- Re: a response from dr. snmp on behalf of the snm… romanov
- Re: a response from dr. snmp on behalf of the snm… Jeffrey T. Johnson
- Re: a response from dr. snmp on behalf of the snm… Iain K. Hanson
- Re: a response from dr. snmp on behalf of the snm… Niall Teasdale
- Re: a response from dr. snmp on behalf of the snm… Niall Teasdale
- Re: a response from dr. snmp on behalf of the snm… Bob Stewart
- Re: a response from dr. snmp on behalf of the snm… Alex Alten
- Re: a response from dr. snmp on behalf of the snm… case