[84141] in North American Network Operators' Group


Re: ISMS working group and charter problems

daemon@ATHENA.MIT.EDU (Eliot Lear)
Tue Sep 6 14:37:30 2005

Date: Tue, 06 Sep 2005 20:36:57 +0200
From: Eliot Lear <lear@cisco.com>
To: Daniel Senie <dts@senie.com>
Cc: dcrocker@bbiw.net, nanog@merit.edu,
	IETF Discussion <ietf@ietf.org>, iesg@ietf.org
In-Reply-To: <6.2.3.4.2.20050906141658.07a04e08@mail.amaranth.net>
Errors-To: owner-nanog@merit.edu


Daniel,

All solutions will use a different SSH port as part of the standard just
so that firewall administrators have the ability to block.

Eliot


Daniel Senie wrote:
> At 02:00 PM 9/6/2005, Dave Crocker wrote:
> 
> 
>> Eliot,
>>
>>> I need your help to correct for an impending mistake by the ISMS
>>> working group in the IETF.
>>
>>
>>
>> Your note is clear and logical, and seems quite compelling.
>>
>> Is there any chance of getting a proponent of the working group's
>> decision to post a defense?
>>
>> (By the way, I am awestruck at the potential impact of changing SNMP
>> from UDP-based to TCP-based, given the extensive debates that took
>> place about this when SNMP was originally developed.  Has THIS
>> decision been subject to adequate external review, preferably
>> including a pass by the IAB?)
> 
> 
> I agree the argument is well laid out, and would be interested in
> hearing the thinking of ISMS in response.
> 
> I'm more than a bit concerned, however, when folks start talking about
> solutions that will permit things to pass through firewalls without
> configuration. Those in charge of firewalls are often purposely setting
> policy. If there is a perceived need for a policy that prevents SNMP
> traffic, then it should remain possible for the administrator of that
> network element to make that call. I must say I have some concern with
> overlaying SNMP on SSH, since that precludes the firewall knowing
> whether the traffic is general SSH keyboard traffic or network management.
> 
> Let's hear more about the thinking involved.
> 
