On Wed, Jun 25, 2008 at 09:52:42AM -0700, Randy Presuhn wrote:

> I have another problem with both versions of the text in question:
> both versions seem to imply that one must not use the USM method for
> discovery, referenced in the last paragraph of section 2 of the
> draft, and in contradiction to the first paragraph of section 3.2.
> I think the statements about when this technique MUST be implemented
> and SHOULD be used need to be more carefully scoped.

Any suggestion how to fix this? Would it be sufficient to add "if a
security model does not provide a suitable discovery mechanism for
contextEngineIDs", that is:

   If a device configuration permits non-secure SNMPv1/v2c access to a
   target system, then reading the snmpEngineID variable of the
   SNMP-FRAMEWORK-MIB will also reveal a suitable contextEngineID value
   for subsequent SNMPv3 usage. However, implementations should not
   rely on non-secure SNMPv1/v2c access and therefore MUST implement
   this specification to enable secure contextEngineID discovery if a
   security model does not provide a suitable discovery mechanism for
   contextEngineIDs.

> BTW, I admit to being a bit baffled by the second paragraph of the
> security considerations section - why are we worried about attackers
> learning snmpEngineID values? Just exactly what attack would having
> this information facilitate?

Depending on how the snmpEngineID is constructed, it may contain the
enterprise ID identifying the device manufacturer or it may contain a
MAC address which is otherwise not accessible (and which also gives a
hint about the manufacturer), or it might contain an administratively
assigned text that might be useful to further target an attack.

Is this something to be seriously worried about? I can't judge. Do we
have such text in USM RFC 3414? Obviously not. Is the fact that USM is
silent about this sufficient to not be worried? Again, I can't judge.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
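The point Juergen makes about what an snmpEngineID can reveal is easy to check against concrete values. The decoder below is an added example, not part of this thread or of the draft; it follows the SnmpEngineID textual convention of RFC 3411 section 5 (enterprise number in the first four octets, format code in the fifth) and the sample engine IDs it decodes are constructed, not taken from any real device.

```python
"""Decode SNMPv3 snmpEngineID values per the SnmpEngineID TC (RFC 3411, sec. 5).

Added example, not part of the mailing-list discussion or the draft. It shows
which identifying details (enterprise number, MAC address, IP address,
administrative text) an engine ID discloses to anyone able to read it.
All sample values below are constructed.
"""
import ipaddress

# Format codes carried in the 5th octet when the high bit of octet 1 is set.
_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def decode_engine_id(engine_id: bytes) -> dict:
    """Return the fields an snmpEngineID exposes; raise ValueError on bad length."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets")
    # Enterprise number: first 4 octets with the format-indicator bit masked off.
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    if not engine_id[0] & 0x80:
        # High bit clear: legacy RFC 1910 layout, fixed 12 octets, opaque tail.
        if len(engine_id) != 12:
            raise ValueError("legacy snmpEngineID must be exactly 12 octets")
        return {"enterprise": enterprise, "format": "legacy",
                "payload": engine_id[4:].hex()}
    fmt, payload = engine_id[4], engine_id[5:]
    name = _FORMATS.get(fmt, "enterprise-specific" if fmt >= 128 else "reserved")
    info = {"enterprise": enterprise, "format": name}
    if fmt == 1 and len(payload) == 4:
        info["address"] = str(ipaddress.IPv4Address(payload))
    elif fmt == 2 and len(payload) == 16:
        info["address"] = str(ipaddress.IPv6Address(payload))
    elif fmt == 3 and len(payload) == 6:
        info["mac"] = ":".join(f"{b:02x}" for b in payload)   # reveals NIC vendor too
    elif fmt == 4:
        info["text"] = payload.decode("ascii", errors="replace")  # admin-assigned name
    else:
        info["payload"] = payload.hex()
    return info


# Constructed sample engine IDs (enterprise 8072, MAC / text / IPv4 formats).
SAMPLE_ENGINE_IDS = {
    "mac":  bytes.fromhex("80001f8803001122334455"),
    "text": bytes.fromhex("80001f8804") + b"core-router-1",
    "ipv4": bytes.fromhex("80001f8801c0a80101"),
}

if __name__ == "__main__":
    for label, eid in SAMPLE_ENGINE_IDS.items():
        print(label, eid.hex(), decode_engine_id(eid))
```

Running it on engine IDs observed in your own SNMPv3 configuration or captures shows directly whether they leak a MAC address or a descriptive host name, which is the information the security considerations paragraph is concerned with.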
