Re: FW: IPSec Monitoring MIB works for IPv4 only?
>>>>> "Scott" == Scott G Kelly <skelly@redcreek.com> writes:
Scott> both. After rereading your examples and other portions of the doc,
Scott> I see what you mean. This taps into another issue which I think
Scott> Markku has touched on, that being that the SAs in the kernel are
Scott> really independent of ISAKMP, IKE, SKIP, or whatever you used to
Scott> negotiate them. Hence, for an ipsec monitoring mib, maybe the
Scott> definitions should also be independent of the SA/Key mgmt
Scott> subsystems.

While I think that a MIB that provides just the IPsec SAs in a raw mode
would be useful, I don't think that it is this MIB. There is a desire to
get something minimally useful, rather than complete.

While "good design" should not be compromised for speed, the speed issue
is still important. Jack Shriver's comments about how long it takes to
walk the structures were probably relevant, but were not as revolutionary
as what you suggest.

I'd like to see something designed, implemented, and used for six months
before we revise it. That doesn't stop other people from starting work
on something more complicated right now.

:!mcr!: | Network and security consulting/contract programming
Michael Richardson | Firewalls, TCP/IP and Unix administration
Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
Corporate: http://www.sandelman.ottawa.on.ca/SSW/
ON HUMILITY: To err is human, to moo bovine.