> -----Original Message-----
> From: Wijnen, Bert (Bert) [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2003 3:36 PM
> To: Fleischman, Eric; Uri Blumenthal; Bill Strahm
> Cc: [EMAIL PROTECTED]; Harrington, David; Russ Mundy (E-mail)
> Subject: RE: Securing SNMPv3 via SSH tunnels
>
>
> Eric, it would be good if you could describe the "spoofing" and
> possible other vulnerabilities that you see.
>
> Not sure that the generic IETF mailing list is the proper
> mailing list for that. I propose we move the discussion
> to the SNMPv3 mailing list. I copied the WG chairs to see
> if they would permit us to have that discussion over there.
> If so, they can send the ptr to the list.
>
>
> Thanks,
> Bert
>
> > -----Original Message-----
> > From: Fleischman, Eric [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, 6 August 2003 20:08
> > To: Uri Blumenthal; Bill Strahm
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: Securing SNMPv3 via SSH tunnels
> >
> >
> > Uri,
> >
> > I don't think that this list would be well served by a debate
> > on whether SNMPv3's security provisions are adequately secure
> > or not, though I personally would greatly value having a
> > private discussion with interested individuals on that topic.
> >
> > Suffice it to say here that I am familiar with RFC 3414 and
> > RFC 3415 and I am skeptical that existing SNMPv3 security
> > provisions provide adequate protections for the application I
> > am building. I am therefore seeking to supplement SNMPv3's
> > security provisions via mechanisms which are less subject to
> > abuse, which is why I made my original posting to this list.
> >
> > I have no ax to grind in this matter -- I am only seeking
> > after the welfare of our product. It is, of course, possible
> > that I have overlooked something important which would
> > justify your skepticism of my current conclusions. If so, I
> > would value privately benefiting from the wisdom of your
> > insights. I similarly would value learning the insights of
> > any other reader with experience securing SNMPv3 for
> > mission-critical devices which do not sit behind firewalls.
> >
> > --Eric
> >
> > -----Original Message-----
> > From: Uri Blumenthal [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 06, 2003 10:32 AM
> > To: Bill Strahm
> > Cc: Fleischman, Eric; [EMAIL PROTECTED]
> > Subject: Re: Securing SNMPv3 via SSH tunnels
> >
> >
> > Bill, what is this about? Eric obviously wasn't aware
> > that the problems he listed applied to the older versions
> > of SNMP protocol, namely SNMPv1 and SNMPv2c. The current
> > standard SNMPv3 (which obsoletes those) is designed
> > specifically to address the listed vulnerabilities.
> >
> > So this whole notion of securing SNMPv3 with SSH is
> > ridiculous.
> >
> >
> > On 8/6/2003 12:34 PM, Bill Strahm wrote:
> > > The problem that you have with TCP (and made worse by SSH
> > > tunneling on top of it) is that the number of round trips
> > > needed to successfully get a data packet through is
> > > unreasonably high in a situation where you are attempting to
> > > diagnose a network fault.
> > >
> > > The other choice is to leave a LOT of state open (i.e. TCP
> > > connections) requiring a lot of extra memory, etc. on the
> > > device. That said, there is no reason why you cannot create
> > > a tunnel to a secure environment and run your SNMP traffic
> > > from there.
> > >
> > > Bill
> > >
> > > On Wed, Aug 06, 2003 at 08:42:49AM -0700, Fleischman, Eric wrote:
> > >
> > > > I am seeking to secure SNMPv3 communications (e.g., RFC
> > > > 3414), trying to protect against its well-known
> > > > vulnerabilities such as spoofing. Had SNMPv3 run over TCP,
> > > > instead of UDP as it does, then I perhaps may attempt to
> > > > protect it via SSH port forwarding (i.e., SSH tunneling).
> > > > Coincidentally, I've just read a description in Bob Toxen's
> > > > book "Real World Linux Security" (page 141) about an approach
> > > > he has apparently used of wrapping UDP in TCP and SSH in
> > > > order to accomplish SSH port forwarding for UDP-based
> > > > protocols as well. This makes me wonder whether SNMPv3 may be
> > > > a viable candidate for SSH tunneling after all. I am
> > > > wondering whether anybody on the list has any insights as to
> > > > the viability and weaknesses of this suggested approach. I am
> > > > especially interested in learning how people on this list
> > > > secure SNMPv3. Thank you.
> > >
> >
> >
> >
> >
> > _______________________________________________
> > This message was passed through
> > [EMAIL PROTECTED], which is a sublist of
> > [EMAIL PROTECTED] Not all messages are passed. Decisions on what
> > to pass are made solely by Raffaele D'Albenzio.
> >
>