[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSec MIB

To: uri@watson.ibm.com
Subject: Re: IPSec MIB
From: "Angelos D. Keromytis" <angelos@dsl.cis.upenn.edu>
Date: Thu, 10 Apr 1997 23:45:43 +0000
cc: ipsec@tis.com
Sender: owner-ipsec@ex.tis.com

In message <9704100418.AA54137@hawpub.watson.ibm.com>, Uri Blumenthal writes:
>An access to these particular objects should be restricted in
>any case, or these objects may not exist at all. The question
>here is whether the usefulness of these objects justifies
>their existence (and so we should devise a way to remove
>or minimize the exposure), or the benefit is too small
>to bother.

Well, i think that:
a) this is useful mostly for debugging (-> development)
b) why open a potential hole there if it's not going to be used by
your every-day user/admin/whoever

>Of course KMP can be instrumented too...  Should it be...?

I believe that mandating KMPs to monitor SNMP variables is
unreasonable (i will admit i have little knowledge of the inner
workings of SNMP). If you make it optional, router vendors will probably
support it.

For all other implementations (ie. non-routers), i think it's not
realistic to use a network monitoring protocol to control a user
application (the KMP).
My 4.8 drachmas (about $0.02).
-Angelos

Prev by Date: Re: Inconsistent Specs.
Next by Date: Re: Effective policy enforcement
Prev by thread: Re: IPSec MIB
Next by thread: Re: IPSec MIB
Index(es):
- Main
- Thread