Hi -

On 2022-01-05 7:04 AM, Jürgen Schönwälder wrote:
> USM is a part of STD62 and I do not think it is the job of an update
> of RFC 6353 to make any changes concerning STD62 and the status of
> USM. SNMP RFCs usually talk about what is mandatory to implement (to
> guarantee some level of interoperability), they usually are silent
> about enablement (whatever that means) and about usage policies.
>
> I believe the focus of an update should be on the technical aspects
> necessary to clarify to use SNMP over (D)TLS 1.3 - focus on the
> mechanisms, staying away from any policies.

Total agreement, particularly since existing mechanisms (e.g.
VACM configuration) can effectively de-fang (if not totally
"disable") USM.  SecurityModel is part of the tuple that defines
a group within VACM.  If a particular SecurityModel is not present
within the VACM vacmSecurityToGroupTable, no protocol operations
(incoming or outgoing) will be allowed for that model.

Not as air-tight as, say, not even listening on a particular port,
but such deployment decisions are, I think, outside our scope.

Randy

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
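
Added example, not part of the original message or of any project's code: a configuration audit for the VACM point made in the reply above, listing which security models have vacmSecurityToGroupTable rows so that a leftover USM mapping stands out in a TLS-only deployment. It assumes Net-SNMP `snmpd.conf` syntax (the thread names no implementation); the sample configuration, the function names and the `allowed` parameter are constructed for illustration.

```python
import shlex

# Constructed sample in Net-SNMP snmpd.conf syntax (not from the thread).
SAMPLE_CONF = """\
# (D)TLS deployment: certificate-derived names mapped under tsm
group   opsGroup    tsm   ops-cert-user
group   monGroup    tsm   monitor-cert-user
# leftover from an older deployment
rouser  legacyadmin priv
#group  oldGroup    v2c   public-sec
access  opsGroup "" tsm priv exact all all none
"""

COMMUNITY = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

def mapped_security_models(conf_text):
    """Return {securityModel: {securityName, ...}} for each directive that
    creates a vacmSecurityToGroupTable row."""
    mapped = {}
    for raw in conf_text.splitlines():
        # Naive comment stripping: assumes '#' never appears inside a value.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)
        directive, args = tok[0].lower(), tok[1:]
        if directive == "group" and len(args) >= 3:
            # group NAME MODEL SECNAME
            mapped.setdefault(args[1].lower(), set()).add(args[2])
        elif directive in ("rouser", "rwuser") and args:
            # Wrapper directive: implies a group row, model defaults to usm.
            model = "usm"
            if args[0] == "-s" and len(args) >= 3:
                model, args = args[1].lower(), args[2:]
            mapped.setdefault(model, set()).add(args[0])
        elif directive in COMMUNITY and args:
            # Community wrappers imply v1 and v2c rows; the community
            # string stands in for the security name in this report.
            for model in ("v1", "v2c"):
                mapped.setdefault(model, set()).add(args[0])
    return mapped

def audit(conf_text, allowed=("tsm",)):
    """Sorted (model, name) pairs mapped under models outside `allowed`."""
    found = mapped_security_models(conf_text)
    return sorted((m, n) for m, names in found.items()
                  if m not in allowed for n in names)

if __name__ == "__main__":
    for model, name in audit(SAMPLE_CONF):
        print(f"unexpected mapping: model={model} securityName={name}")
```

An empty result means no model other than those in `allowed` has a group mapping, which is the condition under which VACM's isAccessAllowed (RFC 3415) returns noGroupName for that model.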
