Re: >Key Managment Query/Com
Reply to: RE>>Key Managment Query/Comm
Frank,
You bring up some interesting issues with the interaction of SNMP with
network layer security.
> Frank Kastenholz says:
> > The reason is simple. The purpose of the SNMP is to detect, diagnose,
> > and fix network failures. If the key-distribution-protocol fails, how
> > can SNMP be used to detect, diagnose, and fix the key-distribution
> > protocol? Similarly, if the SNMP manager/agent can not reach a
> > key-distribution server to, e.g., validate keys or tickets or whatever,
> > then SNMP can not be used to fix other things as well.
The insertion of IPSEC into a system will split management into two domains.
There will be two profiles: SNMP-over-IPSP and SNMP-no-IPSP. Most often an
agent will be of one flavor or the other, but there will be scenarios where
a host could contain both profiles.
The diagnosis of a key distribution and IPSP system could be accomplished
with SNMP-no-IPSP. Significant changes to the configuration of either key
management or IPSP would warrant the use of SNMP-over-IPSP.
Without drawing a few figures, the scenarios above can be a little confusing.
Network layer security can be installed in either a host or router
configuration. SNMP operating through a router with IPSP may not be able to
see any agents on the encrypted (Black) side of the security widget. The
SNMP manager in this scenario will look locally like a vanilla SNMP-no-IPSP,
but the profile through the secured router will be SNMP-over-IPSP.
Is it worth adding an item on the Houston agenda for IPSP interaction with
SNMP?
Paul A. Lambert
Motorola
(602)-441-3646