
Re: auditing



Ran Atkinson says:
> One could argue that it would be useful to have a standards-track SNMP 
> IPsec MIB for diagnostic and auditing information.  If anyone wants to
> volunteer to write up such a MIB for this WG to consider, please send 
> an email to me and Paul Lambert.

OK, I volunteer. We'll talk about it in Memphis.

> I would suggest that things like
> the crypto keys be kept outside such an SNMP MIB because it would be
> unfortunate if a SNMP security breach caused an IPsec security breach.

I'm sorry but I have to disagree. 

1. Without secure SNMP deployed, I find the wisdom of being
   manageable via non-secure SNMP questionable.

2. You either want IPSEC to be managed by SNMP or you don't.
   In the first case, several crypto-related variables will 
   have to be not only "visible" but "modifiable"...
   That's life.
-- 
Regards,
Uri		uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>

