> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Shield
> Sent: Thursday, January 31, 2008 1:40 AM
> On 30/01/2008, Mike Ayers <[EMAIL PROTECTED]> wrote:
> > This much I can tell you - communities were never
> (OK - the SNMPv3 specs talk in terms of "entities" rather than
> "agents" or "clients", but the essence is much the same).
Sorta - the term entity was chosen as a direct reference to the entity
MIB, IIRC, which was trying to address the problem of multiple manageable units
with a single network address. The movement to find a unified solution
faceplanted, however, and the context became a darn good way to address units,
especially when the units all host their own engines (e.g., SNMP through NAT).
Note that the reference to the use of contexts also does not refer to "engines"
- also deliberate.
> In contrast, the SNMPv1 idea of a community is explicitly applied
> to the *combination* of agent and client apps. RFC 1157,
> section 3.2.5:
> "A pairing of an SNMP agent with some arbitrary set of SNMP
> application entities is called an SNMP community."
Looks good to me...
> So yes - an SNMP community includes the later concept of the SNMPv3
> context. But it also has elements of authentication - or
> more strictly,
> of access control.
This is where we diverge. This divergence, which reflects that of the
user community, stems not from our interpretation of the text so much as from
our interpretation of the world around us. The question is whether we are
trying to protect against inadvertent clobbering or malicious attacks, which
says a bit about how we see the world. "Security", by consensus (at least as
far as I have seen), deals with the latter. I know of no term for the former,
and think such a term would be darn handy - we might even be able to talk about
this issue and agree on the wording (I don't think we disagree about any of the
principles).
> SNMPv1 comes from an older, more trusting era - when ideas about
> security were less well codified. You could leave your door unlocked
> at night, children could play in the street without fears of
> them being
> abducted or run over, and we didn't view other users of the Internet
> with the same suspicion and mistrust that we do now. Ah, those were
> the days.....
I have a friend who lives in a small town in Pennsylvania. I am
certain that his front door is open now, even if nobody is home. Myself, I had
to lock my door against my own housemates when the v1 spec was being written,
and I was a member of a high school hacker's club about a decade before, so,
once again, I have interpretation (spoiler alert: the words "denial" and
"avoidance" may be involved... :D ).
> > yet that [contexts] seems to be the only thing they
> don't get used for.
>
> I would draw the honourable gentleman's attention to the full syntax
> of the snmpd.conf directive "com2sec" :-)
I meant no criticism of net-snmp, rather I have never seen that
paradigm *put to use* (I imagine it does, but not terribly often, I impute, or
I'd have encountered the usage).
HTH,
Mike
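An added snmpd.conf fragment, not taken from the thread or from net-snmp's own docs, showing the "full syntax" of com2sec that Dave alludes to: a v1/v2c community is mapped both to a named context (the "context" half of a community) and, through group/view/access, to a restricted view (the "access control" half). Community strings, source networks, context names and the remote hosts are constructed placeholders, and the proxy lines assume each context fronts a separate remote engine, as in Mike's SNMP-through-NAT remark.

```conf
# Two read-only v1/v2c communities, each tied to its own context and its
# own VACM view. All names, addresses and community strings below are
# constructed placeholders for this example.

# com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
# -Cn makes every request arriving with this community carry the context.
com2sec -Cn ctxA secA 192.0.2.0/24     commA-placeholder
com2sec -Cn ctxB secB 198.51.100.0/24  commB-placeholder

# group GROUP {v1|v2c|usm} SECNAME
group grpA v1  secA
group grpA v2c secA
group grpB v1  secB
group grpB v2c secB

# view VIEW {included|excluded} OID
view sysOnly included .1.3.6.1.2.1.1
view ifOnly  included .1.3.6.1.2.1.2

# access GROUP CONTEXT MODEL LEVEL {exact|prefix} READ WRITE NOTIFY
# The CONTEXT column is matched against the context set by com2sec -Cn,
# so a community that only maps to ctxA can never reach grpB's view.
access grpA ctxA any noauth exact sysOnly none none
access grpB ctxB any noauth exact ifOnly  none none

# A named context has nothing to answer unless some MIB tree is registered
# in it. Here each context is served by proxying to a separate remote
# engine (placeholder hosts); AgentX subagents can register in a context
# the same way.
# proxy [-Cn CONTEXT] [SNMPCMD_ARGS] HOST OID
proxy -Cn ctxA -v 2c -c remoteA-placeholder 192.0.2.10     .1.3.6.1.2.1.1
proxy -Cn ctxB -v 2c -c remoteB-placeholder 198.51.100.10  .1.3.6.1.2.1.2
```

Without the -Cn option the community still selects a security name and view, but every request lands in the default context, which is the usage Mike says he has actually seen in the field.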
_______________________________________________
Net-snmp-users mailing list
[email protected]