On Tuesday, September 13, 2005 05:23:26 PM -0700 Ned Freed <[EMAIL PROTECTED]> wrote:

> I suspect that the ssh community would decline to extend ssh in this
> direction; I certainly know I would not support it.

I'm not entirely sure _how_ I'd extend SSH in this direction, or how much
utility it would have.  I don't think I would object to it, especially
since I suspect it might make some of the ISMS cases easier even if you
don't care about the firewall problem.

Well, the ssh client I use has the ability to do port forwarding in both directions already. The only thing that has stopped me from using this feature to do SNMP monitoring of various mobile agents is that it doesn't work with UDP, and the SNMP stuff I use is UDP only.

Aha! Another use case for UDP tunnelling in SSH, which is a topic that was recently brought up in that WG.

In any event, the problem isn't carrying the SNMP traffic over an ssh connection -- we're fairly confident we know how to do that, though the document isn't done yet. The problems are in determining when to establish an SSH connection for the purpose of _receiving_ traffic, and in making authentication work in cases where a managed device wants to authenticate to something that is essentially a user. With some authentication infrastructures the latter is easy; with others it is not. The former I think is always hard, but has nothing to do with SSH per se.

I think that we can easily avoid making call-home harder than it needs to be, and that we should. I would not object to a change in ISMS's charter requiring that it consider the potential effects of any security solution it adopts on the ability to add a call-home mechanism, but I also don't think such a provision is necessary to achieve the desired result.

I don't think extending the SNMP architecture to add call-home is within the scope of ISMS's charter, and I don't think it would be appropriate to add it at this time. I'm not quite as concerned as Margaret is about the "wrong area" problem, provided the right people are active in the WG and reviewing its output, which I believe is necessary in any event.

However, I do believe the problems are separable, nearly orthogonal, and require somewhat different expertise. Provided that the ISMS work does not preclude call-home or some other solution to the problem, I think a narrowly-scoped working group is appropriate here.

-- Jeff

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf