North American Network Operators Group
Re: ISMS working group and charter problems
- From: Eliot Lear
- Date: Tue Sep 06 14:38:09 2005
Daniel,
All solutions will use a different SSH port as part of the standard just
so that firewall administrators have the ability to block.
Eliot
Daniel Senie wrote:
> At 02:00 PM 9/6/2005, Dave Crocker wrote:
>
>> Eliot,
>>
>>> I need your help to correct for an impending mistake by the ISMS
>>> working group in the IETF.
>>
>> Your note is clear and logical, and seems quite compelling.
>>
>> Is there any chance of getting a proponent of the working group's
>> decision to post a defense?
>>
>> (By the way, I am awestruck at the potential impact of changing SNMP
>> from UDP-based to TCP-based, given the extensive debates that took
>> place about this when SNMP was originally developed. Has THIS
>> decision been subject to adequate external review, preferably
>> including a pass by the IAB?)
>
> I agree the argument is well laid out, and would be interested in
> hearing the thinking of ISMS in response.
>
> I'm more than a bit concerned, however, when folks start talking about
> solutions that will permit things to pass through firewalls without
> configuration. Those in charge of firewalls are often purposely setting
> policy. If there is a perceived need for a policy that prevents SNMP
> traffic, then it should remain possible for the administrator of that
> network element to make that call. I must say I have some concern with
> overlaying SNMP on SSH, since that precludes the firewall knowing
> whether the traffic is general SSH keyboard traffic or network management.
>
> Let's hear more about the thinking involved.
>