
Re: Key Management Query/Comments...



SNMP has an overriding requirement that it rely on as few working
elements of the network as possible. Basically, the only things
that SNMP relies on is that packets can (probably) get from here to
there. SNMP is to be as independent from other protocols -- especially
the "infrastructure" protocols such as name services, key distribution,
time services, and so on -- as possible.

Therefore, SNMP does not now, and probably will not in the future, rely
upon any "external" key-distribution protocol.

The reason is simple. The purpose of the SNMP is to detect, diagnose,
and fix network failures. If the key-distribution-protocol fails, how
can SNMP be used to detect, diagnose, and fix the key-distribution
protocol? Similarly, if the SNMP manager/agent can not reach a
key-distribution server to, e.g., validate keys or tickets or whatever,
then SNMP can not be used to fix other things as well.


 > I agree that SNMPv2 lacks a good key distribution mechanism.  
 > Something better will hopefully come along (out of this group
 > or the management group).
 > 
 > As for algorithm independence, SNMPv2 (in RFC 1446) does adhere
 > to algorithm independence.  For the sake of interoperability it
 > "suggests" the use of DES, but DES is not required (just as MD5 is
 > suggested but not required for integrity).
 > 
 > I also agree that the security protocol(s) should have a completely
 > independent key management protocol/mechanism.  This would be
 > greatly benefited by a standardized interface between the
 > management and security protocols.
 > 
 > I'm curious... Is there, at this time, a compiled listing of requirements 
 > for the work being done by this group?  If so, could someone post it?
 > If not, can we get one generated?  


--
Frank Kastenholz
FTP Software
2 High Street
North Andover, Mass. USA 01845
(508)685-4000



