The problem that you have with TCP (and made worse by SSH tunneling on top of
it) is that the number of round trips needed to successfully get a data packet
through is unreasonably high in a situation where you are attempting to 
diagnose a network fault.

The other choice is to leave a LOT of state open (i.e. TCP connections)
requiring a lot of extra memory, etc. on the device.  That said there is no
reason why you cannot create a tunnel to a secure environment and run your
SNMP traffic from there.

Bill

On Wed, Aug 06, 2003 at 08:42:49AM -0700, Fleischman, Eric wrote:
> I am seeking to secure SNMPv3 communications (e.g., RFC 3414), trying to protect 
> against its well-known vulnerabilities such as spoofing. Had SNMPv3 run over TCP, 
> instead of UDP as it does, then I perhaps may attempt to protect it via SSH port 
> forwarding (i.e., SSH tunneling). Coincidentally, I've just read a description in 
> Bob Toxen's book "Real World Linux Security" (page 141) about an approach he has 
> apparently used of wrapping UDP in TCP and SSH in order to accomplish SSH port 
> forwarding for UDP-based protocols as well. This makes me wonder whether SNMPv3 may 
> be a viable candidate for SSH tunneling after all. I am wondering whether anybody in 
> the list has any insights as to the viability and weaknesses of this suggested 
> approach. I am especially interested in learning how people on this list secure 
> SNMPv3. Thank you.
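The "wrap UDP in TCP, then SSH-forward the TCP port" approach discussed above, as an added example that is not code from the thread or from Toxen's book. It assumes a 2-byte length-prefix framing (my own choice) and an agent listening on 127.0.0.1:161; each pump holds one TCP connection open, which is exactly the extra state Bill mentions.

```python
import socket
import struct

HEADER = struct.Struct("!H")  # 2-byte big-endian length prefix (max 65535 B)


def encode_frame(datagram: bytes) -> bytes:
    """Prefix one UDP payload with its length so it survives a byte stream."""
    if len(datagram) > 0xFFFF:
        raise ValueError("datagram too large for a 16-bit length header")
    return HEADER.pack(len(datagram)) + datagram


def decode_frames(buf: bytes):
    """Split buffered TCP bytes into complete datagrams.

    Returns (frames, rest). TCP may deliver half a frame or several frames in
    one recv(); an incomplete trailing frame is kept in ``rest`` for later.
    """
    frames = []
    while len(buf) >= HEADER.size:
        (n,) = HEADER.unpack_from(buf)
        if len(buf) < HEADER.size + n:
            break  # wait for the rest of this frame
        frames.append(buf[HEADER.size:HEADER.size + n])
        buf = buf[HEADER.size + n:]
    return frames, buf


def pump_tcp_to_udp(tcp: socket.socket, udp: socket.socket, dst) -> int:
    """Unwrap frames arriving on ``tcp`` and send each as one UDP datagram to
    ``dst`` (assumed ("127.0.0.1", 161) next to the agent). Returns count."""
    rest, sent = b"", 0
    while chunk := tcp.recv(4096):
        frames, rest = decode_frames(rest + chunk)
        for f in frames:
            udp.sendto(f, dst)
            sent += 1
    return sent


def pump_udp_to_tcp(udp: socket.socket, tcp: socket.socket) -> None:
    """Wrap every datagram received on ``udp`` and write it to ``tcp``; the
    same function carries SNMP responses back on the agent side."""
    while True:
        data, _ = udp.recvfrom(65535)
        tcp.sendall(encode_frame(data))
```

The framing is needed because TCP has no datagram boundaries: without it, consecutive SNMP PDUs would be merged or split on the far side. The ssh -L forward sits between the two TCP ends, so only the encapsulated stream crosses the untrusted network.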
