Operational Feedback Requested on Pending Standard

Peter Dambier peter at peter-dambier.de
Mon Aug 27 20:04:56 UTC 2007


Hi Ted,

Developing IASON I did run into that problem.

Among other things IASON was meant to read the configuration of
a device and the things connected to it. When e.g. a switch port
was bad, a device was unplugged and plugged into another port,
then IASON was meant to reconfigure the switch, vpn and parameters,
so that the device could run as if nothing had changed.

Most dramatically IASON would allow you to replace a CISCO by an
HP ProCurve switch and automatically configure everything as soon
as the device was switched on (DHCP and bootp).

IASON would discover any device that was asking for DHCP and bootp
to query an initial configuration, then it would look through its
ports and MAC lists to see where it was connected and what devices
were connected.

Of course IASON would work with ifIndex not with ifName as these
are different from manufacturer to manufacturer - and definitely not
ifAlias because IASON would configure the device before an operator
could see it.

I might teach IASON to use ifName and keep tables for the different
hardware but definitely not ifAlias.

Well, neither Global Crossing nor Exodus cared for IASON so the
snmp part was never finished and IASON only used snmpwalk to scan
devices.

I remember the faces of two operators at a new installation when
they plugged in three new switches and IASON immediately moved
them to a vpn where the operators could not find them. As soon
as they plugged in a service laptop it would connect that laptop
to the NOC vpn but they would never see the management port.

Of course IASON had already issued new passwords, so rs232 would
not help them either :)


Cheers
Peter and Karin


Ted Seely wrote:
> 
> 
> All,
> 
> Below is an email sent to the IETF OPS Area mailing list soliciting
> feedback from operators regarding firewalls.  We would also appreciate
> feedback from the Operators Mailing Lists.  Please respond to the OPS Area
> mailing list if you have a position on the item below.  You can subscribe
> to the Operations and Management Area mailing list at the URL below if you
> are not already subscribed.
> 
> https://www.ietf.org/mailman/listinfo/ops-area
> 
> On behalf of the OPS Area Directors and myself, thank you.
> 
> Ted - With OPS Area WG Hat On
> 
> 
> --------------------------------------------------------------
> 
> 
> During the final review phases of the review of
> http://www.ietf.org/internet-drafts/draft-ietf-midcom-mib-09.txt the
> issue described below surfaced. It is actually not completely new, it
> was discussed in the past in a form or another, and it is not
> necessarily specific to this document and MIB module only, but also to
> other MIB modules. We believe that input from network operators can
> help, and we solicit this input.
> 
> The MIDCOM-MIB defines tables containing firewall rules, indexed by
> ifIndex. ifIndex values can change when interfaces are swapped or
> devices reboot, and this could lead to rules being applied to the wrong
> interface.
> 
> How do you, network operators, prefer interfaces be identified?
>  - Is ifIndex the preferred choice even though the indices can change on
> reboot?
>  - Is ifName a better choice for identifying interfaces in rules, since
> it is set by the device and remains fairly stable across reboots and is
> guaranteed to be unique?
>  - Is ifAlias a better choice, since it can be set by operators,
> although it is not guaranteed to be unique?
> 
> We would appreciate inputs and thank you for your cooperation.
> 
> 
> 


-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.arl.pirates
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
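The hazard raised in the quoted request (ifIndex-keyed rules landing on the wrong interface after a reboot or card swap, and ifAlias not being unique) can be made concrete with a small check against two IF-MIB walks. The following is an added example written for this archive page; it is not code from the thread, from IASON, or from the MIDCOM-MIB work. It assumes snmpwalk-style lines for ifName and ifAlias, rules stored as (ifIndex, action) pairs, and uses constructed sample walks in which one card is pulled and the remaining interfaces get renumbered.

```python
"""Re-anchor ifIndex-keyed firewall rules after a reboot by pivoting on ifName.

Assumptions (constructed for this example, not taken from the thread):
  - interface tables arrive as snmpwalk-style lines such as
        IF-MIB::ifName.<ifIndex> = STRING: <name>
        IF-MIB::ifAlias.<ifIndex> = STRING: <alias>
  - rules are (ifIndex, action) tuples keyed by the pre-reboot ifIndex.
"""
import re

WALK_LINE = re.compile(r"IF-MIB::(ifName|ifAlias)\.(\d+) = STRING:\s*(.*)$")

# Constructed walk taken "before" a reboot: three ports, two sharing an alias.
BEFORE_WALK = """
IF-MIB::ifName.1 = STRING: eth0
IF-MIB::ifName.2 = STRING: eth1
IF-MIB::ifName.3 = STRING: eth2
IF-MIB::ifAlias.1 = STRING: uplink
IF-MIB::ifAlias.2 = STRING: customer
IF-MIB::ifAlias.3 = STRING: customer
"""

# Constructed walk "after" a reboot: eth1 was removed, eth2 slid into index 2,
# and a new eth3 appeared at index 3. Raw ifIndex values no longer mean the same thing.
AFTER_WALK = """
IF-MIB::ifName.1 = STRING: eth0
IF-MIB::ifName.2 = STRING: eth2
IF-MIB::ifName.3 = STRING: eth3
IF-MIB::ifAlias.1 = STRING: uplink
IF-MIB::ifAlias.2 = STRING: customer
IF-MIB::ifAlias.3 = STRING:
"""

# Constructed rule set keyed by pre-reboot ifIndex.
RULES = [(1, "permit any"), (2, "deny any"), (3, "permit 10.0.0.0/8")]


def parse_walk(text):
    """Parse snmpwalk-style output into {'ifName': {ifIndex: str}, 'ifAlias': {...}}."""
    tables = {"ifName": {}, "ifAlias": {}}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m:
            continue
        col, idx, val = m.group(1), int(m.group(2)), m.group(3).strip().strip('"')
        tables[col][idx] = val
    return tables


def duplicate_aliases(tables):
    """Aliases shared by more than one ifIndex: why ifAlias cannot serve as a rule key."""
    seen = {}
    for idx, alias in tables["ifAlias"].items():
        if alias:
            seen.setdefault(alias, []).append(idx)
    return {a: sorted(v) for a, v in seen.items() if len(v) > 1}


def misapplied_by_index(rules, before, after):
    """Rules that, re-applied by raw ifIndex after the reboot, would hit a different port."""
    out = []
    for idx, action in rules:
        old_name = before["ifName"].get(idx)
        new_name = after["ifName"].get(idx)
        if old_name != new_name:
            out.append((idx, action, old_name, new_name))
    return out


def remap_rules(rules, before, after):
    """Translate pre-reboot ifIndex keys to post-reboot ones through ifName.

    Returns (remapped, drifted, orphaned):
      remapped: [(new_ifIndex, action)] for interfaces still present
      drifted:  [(ifName, old_ifIndex, new_ifIndex)] where the index changed
      orphaned: [(old_ifIndex, action)] whose ifName no longer exists (needs an operator)
    """
    name_to_new = {name: idx for idx, name in after["ifName"].items()}
    remapped, drifted, orphaned = [], [], []
    for old_idx, action in rules:
        name = before["ifName"].get(old_idx)
        new_idx = name_to_new.get(name) if name is not None else None
        if new_idx is None:
            orphaned.append((old_idx, action))
            continue
        if new_idx != old_idx:
            drifted.append((name, old_idx, new_idx))
        remapped.append((new_idx, action))
    return remapped, drifted, orphaned


if __name__ == "__main__":
    before, after = parse_walk(BEFORE_WALK), parse_walk(AFTER_WALK)
    print("duplicate aliases:", duplicate_aliases(before))
    print("misapplied if keyed by ifIndex:", misapplied_by_index(RULES, before, after))
    print("remapped via ifName:", remap_rules(RULES, before, after))
```

In the constructed data the "deny any" rule on index 2 would silently move from eth1 to eth2 if ifIndex were trusted across the reboot; pivoting through ifName instead flags that rule as orphaned (its interface is gone) and follows eth2 to its new index, while the duplicate "customer" alias shows why ifAlias cannot be the key.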



