
RE: IPSEC MIBs?



If the MIB is just used to monitor the
IPsec SA status only but not used to
config the policy, would that still
weaken IPsec? In other words, the MIB
is designed for GET function only, no
SET allowed.

Of course, some of the running status/statistics
of an SA may be exposed by SNMP, but
without exposing the keys (keying materials),
how big a threat will the MIB pose?

Thanks for any insight into this!
cliff


-----Original Message-----
From: Ran Atkinson [SMTP:rja@inet.org]
Sent: Thursday, May 28, 1998 3:11 AM
To: Stephen Waters
Subject: Re: IPSEC MIBs?


Doing a useful MIB for IPsec would tend to reduce the
security of an IPsec implementation to the min(IPsec security,
SNMP security).  The latter (SNMP Security) is generally
accepted to be weaker (especially pre-SNMPv3, but even
with SNMPv3 in place).

I'd suggest that weakening the security of an implementation
of a security protocol is probably not a good global optimisation.

Ran