Re: auditing
Ran Atkinson says:
> One could argue that it would be useful to have a standards-track SNMP
> IPsec MIB for diagnostic and auditing information. If anyone wants to
> volunteer to write up such a MIB for this WG to consider, please send
> an email to me and Paul Lambert.
OK, I volunteer. We'll talk about it in Memphis.
> I would suggest that things like
> the crypto keys be kept outside such an SNMP MIB because it would be
> unfortunate if a SNMP security breach caused an IPsec security breach.
I'm sorry but I have to disagree.
1. Without secure SNMP deployed, I find the wisdom of being
manageable via non-secure SNMP questionable.
2. You either want IPSEC to be managed by SNMP or you don't.
In the first case, several crypto-related variables will
have to be not only "visible" but "modifiable"...
That's life.
--
Regards,
Uri uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>