ISMS working group and charter problems

Eliot Lear lear at cisco.com
Tue Sep 6 18:36:57 UTC 2005


Daniel,

All solutions will use a different SSH port as part of the standard just
so that firewall administrators have the ability to block.

Eliot


Daniel Senie wrote:
> At 02:00 PM 9/6/2005, Dave Crocker wrote:
> 
> 
>> Eliot,
>>
>>> I need your help to correct for an impending mistake by the ISMS
>>> working group in the IETF.
>>
>>
>>
>> Your note is clear and logical, and seems quite compelling.
>>
>> Is there any chance of getting a proponent of the working group's
>> decision to post a defense?
>>
>> (By the way, I am awestruck at the potential impact of changing SNMP
>> from UDP-based to TCP-based, given the extensive debates that took
>> place about this when SNMP was originally developed.  Has THIS
>> decision been subject to adequate external review, preferably
>> including a pass by the IAB?)
> 
> 
> I agree the argument is well laid out, and would be interested in
> hearing the thinking of ISMS in response.
> 
> I'm more than a bit concerned, however, when folks start talking about
> solutions that will permit things to pass through firewalls without
> configuration. Those in charge of firewalls are often purposely setting
> policy. If there is a perceived need for a policy that prevents SNMP
> traffic, then it should remain possible for the administrator of that
> network element to make that call. I must say I have some concern with
> overlaying SNMP on SSH, since that precludes the firewall knowing
> whether the traffic is general SSH keyboard traffic or network management.
> 
> Let's hear more about the thinking involved.
> 



More information about the NANOG mailing list