
Re: Key Management Query/Comments...




Frank Kastenholz says:
> Assuming that the non-SNMP mechanism used to pre-fetch the keys is
> working. And, of course, what happens if a key "times out" during the
> problem period?

I remember once being in a meeting with A Big Network Hardware Vendor
explaining to them that their network management tool was crap. They
said "but it's so user friendly", and I tried to explain to them that
you can't enter in 4000 hosts in a GUI and you don't even want to, and
that displaying networks of a hundred machines on a display in cute
little icons is impractical. They didn't grok that we'd have
administrative management databases and want to have them supply data
to their tool directly -- never actually saw anyone manage a few
thousand hosts, in other words.

The fact is that most "experts" on these topics have never had to
actually worry about real wide area networks.

I speak as someone whose firm has to worry about a network on three
continents in twenty cities with thousands of hosts and no
administrators within a thousand miles of most of them. In the Real
World, things are different from academia.

In answer to your specific query, the non-SNMP method to prefetch the
keys better be working at some point, because if it doesn't ever work
something is so fucked up with your network that it has no useful
function at all.  When I say "prefetch", I mean load them and use them
for the next six months if you feel like it.

You could, of course, simply allow the use of old keys with a grace
period if you felt like it, which would handle most timeouts -- which
aren't a real problem anyway.

If your network is so hosed for more than a few days that your keys
start timing out, you don't need network management any more -- you
need a hearse. Network management tools are for telling you that the
wire to Tokyo has been cut -- but once it's been cut the network
management tool isn't going to go to the central office to repair the
line. If you really have a prolonged outage, you no longer care about
the network management tool -- it's not going to help with that sort of
problem.

> Plus there is the cost issue -- if I run some key-distribution system
> then I need to set up and control another software package, perhaps on a
> machine that is different than the SNMP manager...

You have to set up your key distribution system anyway because
everything else is going to use it too.

> I've discovered that commercial sites tend to prefer having as few
> vendors as possible --

We are a commercial site. We write our own software and are perfectly
capable of compiling sources from the network. We have to deal with
hundreds of packages, and dealing with one more won't break us.

> And of course, what if I am not running in a TCP/IP environment?
> SNMP works over non-TCP/IP protocols 

And what if your grandmother is a schoolbus?

Yeah, sure, SNMP runs over everything, but we still had to give our
mainframe SNA folks IP addresses for all their network devices because
their SNMP based monitoring systems run over TCP anyway.

> If I were to use something like Kerberos for key
> management/distribution,

A bad idea...

> then I'd need to get Kerberos over the same thing as SNMP is
> running....

But not for that reason.

Perry
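The two operational ideas in the post above, pre-fetching keys for months ahead and tolerating a just-expired key for a grace period so that short distribution outages do not stop authenticated management traffic, can be written down as a small key-ring policy. The following is an added example, not code from the original message or from any of the systems it discusses; the key identifiers, lifetimes, the 3-day grace window and the `KeyRing` API are all assumptions constructed for illustration.

```python
"""Added example: a key ring that holds pre-fetched keys for the months
ahead and applies a grace period to keys that have just expired.

Everything here (key ids, lifetimes, grace window) is constructed for the
example and is not taken from the original post.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ManagedKey:
    key_id: str
    secret: bytes          # the actual key material (placeholder bytes below)
    not_before: datetime   # start of the key's validity window
    not_after: datetime    # end of the validity window (exclusive)


class KeyRing:
    """Holds pre-fetched keys and decides which key to send with and which
    keys to accept, including a grace period for freshly expired keys."""

    def __init__(self, grace: timedelta):
        self.grace = grace
        self._keys: Dict[str, ManagedKey] = {}

    def load(self, keys: List[ManagedKey]) -> None:
        # The "prefetch": load every key we can get, months ahead if possible.
        for k in keys:
            self._keys[k.key_id] = k

    def current(self, now: datetime) -> Optional[ManagedKey]:
        """Key to use for outbound messages: the newest key whose window
        contains `now`, or None if nothing covers this instant."""
        live = [k for k in self._keys.values() if k.not_before <= now < k.not_after]
        return max(live, key=lambda k: k.not_before) if live else None

    def status(self, key_id: str, now: datetime) -> str:
        """Classify a key seen on an inbound message at time `now`."""
        k = self._keys.get(key_id)
        if k is None:
            return "unknown"
        if now < k.not_before:
            return "future"      # not yet valid; refuse it
        if now < k.not_after:
            return "valid"
        if now < k.not_after + self.grace:
            return "grace"       # expired, but within the tolerated window
        return "expired"

    def accept(self, key_id: str, now: datetime) -> bool:
        """Inbound policy: valid keys and keys inside the grace period are
        accepted; anything else is rejected."""
        return self.status(key_id, now) in ("valid", "grace")

    def coverage_end(self) -> Optional[datetime]:
        """Last instant at which some loaded key is still accepted. Before
        this point the key-distribution system must have been reached again."""
        if not self._keys:
            return None
        return max(k.not_after for k in self._keys.values()) + self.grace


# Constructed sample data: six consecutive 30-day keys starting at EPOCH,
# with a 3-day grace period. Secrets are placeholders, not real key material.
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)
KEY_LIFETIME = timedelta(days=30)
GRACE = timedelta(days=3)


def build_demo_ring() -> KeyRing:
    ring = KeyRing(grace=GRACE)
    keys = [
        ManagedKey(
            key_id=f"k{i + 1}",
            secret=bytes([i + 1]) * 16,   # placeholder secret
            not_before=EPOCH + i * KEY_LIFETIME,
            not_after=EPOCH + (i + 1) * KEY_LIFETIME,
        )
        for i in range(6)
    ]
    ring.load(keys)
    return ring


if __name__ == "__main__":
    ring = build_demo_ring()
    for day in (0, 31, 34, 100):
        now = EPOCH + timedelta(days=day)
        cur = ring.current(now)
        print(f"day {day:3d}: send with {cur.key_id if cur else None}, "
              f"k1 is {ring.status('k1', now)}")
    print("must refetch before", ring.coverage_end().date())
```

The outbound side always picks the newest valid key, so a rollover happens automatically when the next pre-fetched key becomes valid; the inbound side is what carries the grace period, which is the usual asymmetry for this kind of policy. `coverage_end()` is the number an operator actually needs to alarm on: it tells you when the pre-fetch has to have succeeded, rather than whether it succeeded today.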
