Hedanping (Ana) wrote on 01.12.2014 04:51:
> The security of SNMP is emerged to be enhanced. Besides, customers won't
> check RFC before using SNMP devices, thus they are not aware of this
> vulnerability. Vendors have to implement extra modules to constrain user
> behavior, but not all the vendors do so. The current key localization
> algorithm is vulnerable, and the CVSS is rated as 7.6,
> AV:N/AC:H/Au:N/C:C/I:C/A:C. The new key localization mechanism might be
> bundled with SHA2 as important updates.
>

I think it is wise to keep the key localization algorithm in
draft-hmac-sha-2-usm-snmp as it is, i.e., as specified in RFC 3414. In
order to implement the new authentication algorithms, implementers just
need to change the hash algorithms and the lengths of input and output
values, which increases the probability of adoption. Any changes to the
general processing, even in supporting algorithms like key localization,
will hinder adoption and may even result in interop problems in cases
where the changes have been overlooked.

-- 
Johannes

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
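
The RFC 3414 key localization that the reply above proposes to leave unchanged, written with the hash function as a parameter so that only the algorithm and the key length vary. This is an added example, not part of the original message or of the draft; the function names are this example's own, and the password and engine ID are the test inputs from RFC 3414 Appendix A.3.

```python
import hashlib

EXPANDED_LEN = 1_048_576  # octets of repeated password that get hashed (RFC 3414, A.2)


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Derive the user key Ku: hash the password repeated out to 1 MiB."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LEN, len(password))
    h = hashlib.new(hash_name)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Localize Ku to one engine: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_from_password(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Password -> Ku -> Kul, using the same hash for both steps."""
    ku = password_to_key(password, hash_name)
    return localize_key(ku, engine_id, hash_name)


# Test inputs from RFC 3414 Appendix A.3.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    # Same processing for every algorithm; only the hash and output length differ.
    for name in ("md5", "sha1", "sha224", "sha256", "sha384", "sha512"):
        kul = localized_from_password(PASSWORD, ENGINE_ID, name)
        print(f"{name:7s} {len(kul):2d} octets  {kul.hex()}")
```

The MD5 and SHA-1 outputs can be checked against the published values in RFC 3414 Appendix A.3; for the SHA-2 hashes the localized key is simply as long as the digest.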
