Hi Juergen,

> 2) It is important to talk about ssh and to not reduce the problem to
> just TCP. ...

This is very true. Your SNMP-over-TCP (RFC 3430) is still based on each message carrying all of its own security. In contrast, the not yet complete proposal for SNMP-over-SSH is different because each SNMP message is going to inherit security properties from the SSH session. So, for example, if requests are allowed to be sent in both directions across the same session, then a request sent in one direction across a session is sent by the same user as a request sent in the other direction over the same session.

> I agree with those who said that CH is an architectural change and I
> have yet to see a concrete proposal how CH via ssh can be achieved.

As I see it, to prevent SNMP-over-SSH from being the same architectural change, constraints need to be imposed on which SNMP messages can be sent in which direction on an SSH session. The decision on whether to have such constraints is within the proposed scope of the WG. Thus, that architectural change is within the scope of the WG, and therefore requiring the same architectural change is not a valid reason to rule Call Home out-of-scope.

Keith.