ISMS working group and charter problems
Eliot Lear
lear at cisco.com
Tue Sep 6 18:36:57 UTC 2005
Daniel,
All solutions will use a different SSH port as part of the standard just
so that firewall administrators have the ability to block.
Eliot
Daniel Senie wrote:
> At 02:00 PM 9/6/2005, Dave Crocker wrote:
>
>> Eliot,
>>
>>> I need your help to correct for an impending mistake by the ISMS
>>> working group in the IETF.
>>
>> Your note is clear and logical, and seems quite compelling.
>>
>> Is there any chance of getting a proponent of the working group's
>> decision to post a defense?
>>
>> (By the way, I am awestruck at the potential impact of changing SNMP
>> from UDP-based to TCP-based, given the extensive debates that took
>> place about this when SNMP was originally developed. Has THIS
>> decision been subject to adequate external review, preferably
>> including a pass by the IAB?)
>
> I agree the argument is well laid out, and would be interested in
> hearing the thinking of ISMS in response.
>
> I'm more than a bit concerned, however, when folks start talking about
> solutions that will permit things to pass through firewalls without
> configuration. Those in charge of firewalls are often purposely setting
> policy. If there is a perceived need for a policy that prevents SNMP
> traffic, then it should remain possible for the administrator of that
> network element to make that call. I must say I have some concern with
> overlaying SNMP on SSH, since that precludes the firewall knowing
> whether the traffic is general SSH keyboard traffic or network management.
>
> Let's hear more about the thinking involved.
>
More information about the NANOG mailing list