Tom Petch

----- Original Message -----
From: "Keith McCloghrie" <kzm@xxxxxxxxx>
To: "Michael Thomas" <mat@xxxxxxxxx>
Cc: "Margaret Wasserman" <margaret@xxxxxxxxxxxxxx>; "Harald Tveit Alvestrand" <harald@xxxxxxxxxxxxx>; <dcrocker@xxxxxxxx>; "Eliot Lear" <lear@xxxxxxxxx>; "IETF Discussion" <ietf@xxxxxxxx>
Sent: Thursday, September 08, 2005 5:20 PM
Subject: Re: ISMS working group and charter problems

> > > > BTW, nothing about your note explains to me why you think that this
> > > > mechanism should be defined in a Security area WG that is working on a
> > > > completely separable problem.
>
> The intent of ISMS is for SNMP to share common security infrastructure,
> and in particular, common security infrastructures which are
> session-based. So, ISMS has decided that "session-based security" is
> needed, which is an architectural departure from the "datagram-based
> security" previously specified by the Net Mgmt Area (to see why, see **
> below.)
>
> Therefore, I suggest the problem is only *partially* separable.
> Call-Home involves two issues: 1) the passing through
> Firewalls/whatever issue which is completely separable, and 2) the
> session v. datagram issue which is not separable. Specifically, the
> non-separable part is about who sets up the session, and what types of
> messages can be sent on a session which was setup by a device
> calling-home.
>
> > > If you really think that defining call
> > > home for SNMP is something that the IETF should do, I would encourage
> > > you to get together with Eliot and request a BOF in the OPS area.
> >
> > That's because I haven't formed an opinion on it. My main point
> > is that this doesn't seem to me to be any sort of wildly divergent
> > architectural proposition, at least on the front of who "initiates"
> > a connection. As Harald pointed out, I really can't see how you'd
> > prevent some industrious developers from using SNMP in this way
> > regardless of how the working group is chartered, and from that
> > standpoint it might be better to get ahead of the ball on it if
> > it were inevitable, and it does seem to have a fair number of
> > security considerations.
>
> Exactly.
>
> My concerns with the charter are:
>
> 1. that if the charter declares Call-Home as out-of-scope, then there
> will be technical/architectural issues which are relevant but cannot
> be discussed because they are out-of-scope, and
>
> 2. consequently, the decisions made might well end up such that they
> cannot even be extended later to support Call-Home.
>
> 3. and if so, nobody will want to define (at a later date) yet another
> SNMP Security Model even if that is the only way to support Call-Home.
>
> Keith.
>

I think that there is subtext that is missing here. Call Home was declared out of scope, more or less, for isms before the decision to use SSH was taken (the suggestion was made on the isms list to set up a BOF in the Operations Area to explore Call Home). The significance is that SSH is not perceived as a good fit for Call Home, whereas a different protocol, seen as less suitable in other regards, might be. So if the community at large comes to regard Call Home as a mandatory requirement, then that would be construed as saying that SSH is the wrong protocol (which may be what this discussion is really about:-).

<snip>