Hi -

> From: "Juergen Schoenwaelder" <[EMAIL PROTECTED]>
> To: "Brian E Carpenter" <[EMAIL PROTECTED]>
> Cc: "General Area Review Team" <[email protected]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, June 25, 2008 12:23 AM
> Subject: Re: [OPSAWG] Gen-ART LC review of draft-ietf-opsawg-snmp-engineid-discovery-02.txt

...

> > 5. Security Considerations
> > ...
> > If a device configuration permits non-secure SNMPv1/v2c access to a
> > target system, then reading the snmpEngineID variable of the
> > SNMP-FRAMEWORK-MIB will also reveal a suitable contextEngineID value for
> > subsequent SNMPv3 usage. However, implementations should not rely on
> > non-secure SNMPv1/v2c access and therefore MUST implement this
> > specification to enable secure contextEngineID discovery.
> >
> > This is a little odd, since, as the previous paragraph indicates,
> > the localEngineID mechanism is not intrinsically secure. I think the
> > second sentence should be extended to:
> >
> > However, implementations should not rely on
> > non-secure SNMPv1/v2c access and therefore MUST implement this
> > specification to enable secure contextEngineID discovery whenever
> > an SNMPv3 security mechanism is in use.
>
> The paragraph in question establishes an implementation requirement.
> Your proposed addition "whenever an SNMPv3 security mechanism is in
> use" hints at a deployment decision, which for me does not go along
> with an implementation requirement.
I have another problem with both versions of the text in question: both versions seem to imply that one must not use the USM method for discovery, referenced in the last paragraph of section 2 of the draft, and in contradiction to the first paragraph of section 3.2. I think the statements about when this technique MUST be implemented and SHOULD be used need to be more carefully scoped.

BTW, I admit to being a bit baffled by the second paragraph of the security considerations section - why are we worried about attackers learning snmpEngineID values? Just exactly what attack would having this information facilitate?

Randy

_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
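The USM discovery method the messages above refer to (the RFC 3414 Report-based engineID discovery, as opposed to reading snmpEngineID over SNMPv1/v2c), as an added Python example that is not part of this thread or of the draft; the agent reply and its engineID are constructed sample data, and only the BER framing this one exchange needs is implemented:

```python
# Constructed example (not from the draft or this thread): the SNMPv3 USM engineID
# discovery exchange. The manager sends a reportable message with an empty
# msgAuthoritativeEngineID; the agent answers with a Report-PDU carrying its engineID.

def tlv(tag: int, body: bytes) -> bytes:
    """BER TLV, definite length: short form below 128 octets, else 2-octet long form."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + body

def integer(v: int) -> bytes:  # non-negative INTEGER, minimal two's-complement octets
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def octets(b: bytes) -> bytes: return tlv(0x04, b)
def sequence(*parts: bytes) -> bytes: return tlv(0x30, b"".join(parts))

def usm_params(engine_id: bytes, boots: int = 0, etime: int = 0) -> bytes:
    """msgSecurityParameters: UsmSecurityParameters SEQUENCE inside an OCTET STRING."""
    return octets(sequence(octets(engine_id), integer(boots), integer(etime),
                           octets(b""), octets(b""), octets(b"")))

def discovery_request(msg_id: int = 1) -> bytes:
    """Manager -> agent: noAuthNoPriv, reportable flag (0x04), empty engineID and user."""
    global_data = sequence(integer(msg_id), integer(65507), octets(b"\x04"), integer(3))
    get_pdu = tlv(0xA0, integer(msg_id) + integer(0) + integer(0) + sequence())  # GetRequest [0]
    return sequence(integer(3), global_data, usm_params(b""), sequence(octets(b""), octets(b""), get_pdu))

def sample_report(engine_id: bytes, msg_id: int = 1) -> bytes:
    """Agent -> manager (constructed reply): Report-PDU [8] with usmStatsUnknownEngineIDs.0."""
    global_data = sequence(integer(msg_id), integer(65507), octets(b"\x00"), integer(3))
    stats_oid = tlv(0x06, bytes([0x2B, 6, 1, 6, 3, 15, 1, 1, 4, 0]))  # 1.3.6.1.6.3.15.1.1.4.0
    report = tlv(0xA8, integer(msg_id) + integer(0) + integer(0)
                 + sequence(sequence(stats_oid, tlv(0x41, b"\x01"))))  # Counter32 = 1
    scoped = sequence(octets(engine_id), octets(b""), report)
    return sequence(integer(3), global_data, usm_params(engine_id, 7, 12345), scoped)

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element); handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                # long form: low bits count the length octets
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def engine_id_from_report(msg: bytes) -> bytes:
    """Extract msgAuthoritativeEngineID; accept only a Report-PDU as the discovery answer."""
    _, body, _ = parse_tlv(msg)
    _, _, pos = parse_tlv(body)                 # msgVersion
    _, _, pos = parse_tlv(body, pos)            # msgGlobalData
    _, usm, pos = parse_tlv(body, pos)          # msgSecurityParameters OCTET STRING
    engine_id = parse_tlv(parse_tlv(usm)[1])[1]  # first field of UsmSecurityParameters
    scoped = parse_tlv(body, pos)[1]
    p = parse_tlv(scoped, parse_tlv(scoped)[2])[2]   # skip contextEngineID and contextName
    if parse_tlv(scoped, p)[0] != 0xA8:
        raise ValueError("discovery answer is not a Report-PDU")
    return engine_id
```

A real manager would follow this with a second, authenticated exchange to learn the agent's engineBoots and engineTime before sending authenticated requests.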
