
Re: >Key Managment Query/Com



        Reply to:   RE>>Key Managment Query/Comm
Frank,

You bring up some interesting issues with the interaction of SNMP with
network layer security.

 > Frank Kastenholz says:
 > > The reason is simple. The purpose of the SNMP is to detect, diagnose,
 > > and fix network failures. If the key-distribution-protocol fails, how
 > > can SNMP be used to detect, diagnose, and fix the key-distribution
 > > protocol? Similarly, if the SNMP manager/agent can not reach a
 > > key-distribution server to, e.g., validate keys or tickets or whatever,
 > > then SNMP can not be used to fix other things as well.

The insertion of IPSEC into a system will split management into two domains.
There will be two profiles: SNMP-over-IPSP and SNMP-no-IPSP. Most often an
agent will be of one flavor or the other, but there will be scenarios where
a host could contain both profiles.

The diagnosis of a key distribution and IPSP system could be accomplished
with SNMP-no-IPSP.  Significant changes to the configuration of either key
management or IPSP would warrant the use of SNMP-over-IPSP.

Without drawing a few figures, the scenarios above can be a little confusing.
Network layer security can be installed in either a host or router
configuration. SNMP operating through a router with IPSP may not be able to
see any agents on the encrypted (Black) side of the security widget. The
SNMP manager in this scenario will look locally like a vanilla SNMP-no-IPSP,
but the profile through the secured router will be SNMP-over-IPSP.

Is it worth adding an item on the Houston agenda for IPSP interaction with
SNMP?







Paul A. Lambert
Motorola
(602)-441-3646