At 12:26 AM +0200 9/7/05, Harald Tveit Alvestrand wrote:
>>I believe that the ISMS WG's proposal is about ADDING the
>>possibility of SNMP over TCP, not about CHANGING SNMP to use TCP.
>>UDP will still work.

>From: Margaret Wasserman [mailto:margaret@xxxxxxxxxxxxxx]
>That is correct. UDP and the current SNMPv3 USM security mechanisms
>will still work. They will also remain mandatory parts of SNMPv3.

Whoa, now, Margaret.

Your statement is technically accurate that traditional SNMPv3 USM will hopefully co-exist with ISMS indefinitely, and therefore SNMP-over-UDP will remain viable within the historic USM context. However, your statement is inaccurate within the context of this discussion, which is ISMS.

I actively supported the formation of the ISMS WG through a series of BOFs because I concluded years ago that SNMPv3 USM is inadequately securable for large deployments (doesn't scale, no PFS, symmetric key distribution problems, etc.), requires us to deploy a unique SNMP-only authentication/authorization system that doesn't integrate with any enterprise-wide alternative, and is therefore needlessly expensive and of dubious value within multi-vendor environments.

By coupling ISMS with SSH, which currently only operates over TCP, the current ISMS solution being forwarded by the WG is TCP-dependent. TCP doesn't operate effectively in all parts of the deployments with which I am associated. That is why I have been trying to encourage the WG to enable ISMS to be flexibly designed to be deployable in a wide variety of environments in a locally-appropriate manner (i.e., use TCP where it works well and UDP where it works well). This has not happened.

--Eric

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf