Re: Securing SNMPv3 via SSH tunnels
The problem that you have with TCP (and made worse by SSH tunneling on top of it) is that the number of round trips needed to successfully get a data packet through is unreasonably high in a situation where you are attempting to diagnose a network fault. The other choice is to leave a LOT of state open (i.e. TCP connections), requiring a lot of extra memory, etc. on the device.

That said, there is no reason why you cannot create a tunnel to a secure environment and run your SNMP traffic from there.

Bill

On Wed, Aug 06, 2003 at 08:42:49AM -0700, Fleischman, Eric wrote:
> I am seeking to secure SNMPv3 communications (e.g., RFC 3414), trying to protect against its well-known vulnerabilities such as spoofing. Had SNMPv3 run over TCP, instead of UDP as it does, then I perhaps may attempt to protect it via SSH port forwarding (i.e., SSH tunneling).
>
> Coincidentally, I've just read a description in Bob Toxen's book Real World Linux Security (page 141) about an approach he has apparently used of wrapping UDP in TCP and SSH in order to accomplish SSH port forwarding for UDP-based protocols as well. This makes me wonder whether SNMPv3 may be a viable candidate for SSH tunneling after all.
>
> I am wondering whether anybody in the list has any insights as to the viability and weaknesses of this suggested approach. I am especially interested in learning how people on this list secure SNMPv3.
>
> Thank you.
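The "wrap UDP in TCP, then forward the TCP over SSH" idea discussed in this exchange, as an added example that is not part of the thread and does not reproduce Toxen's code. Two small relays do the wrapping: the near one turns the manager's UDP datagrams into length-prefixed frames on a TCP stream (the stream an `ssh -L` forward would carry), the far one unwraps them next to the agent and frames the replies back. Assumptions: the SSH hop is replaced by a plain loopback TCP connection so it runs offline, the 2-byte length framing is my choice, and the echo "agent" and the sample payload are constructed stand-ins for a real SNMPv3 agent and PDU.

```python
"""UDP-in-TCP relays for carrying SNMP over an SSH port forward.

  manager --UDP--> near_relay --TCP frames (ssh -L)--> far_relay --UDP--> agent

The ssh hop is a plain loopback TCP socket here (assumption) so the example
runs offline. Framing: 2-byte big-endian length, then the datagram bytes.
"""
import socket
import struct
import threading
from typing import Optional, Tuple

FRAME_HDR = struct.Struct("!H")   # 16-bit length prefix; SNMP PDUs are far smaller
MAX_DGRAM = 65535


def pack_datagram(payload: bytes) -> bytes:
    """Prefix one UDP payload with its length so boundaries survive a stream."""
    if len(payload) > 0xFFFF:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return FRAME_HDR.pack(len(payload)) + payload


def _recv_exact(sock: socket.socket, n: int) -> Optional[bytes]:
    """Read exactly n bytes from a stream, or None if the peer closes first."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return bytes(buf)


def recv_datagram(sock: socket.socket) -> Optional[bytes]:
    """Read one framed datagram from the stream; None on EOF."""
    hdr = _recv_exact(sock, FRAME_HDR.size)
    if hdr is None:
        return None
    (n,) = FRAME_HDR.unpack(hdr)
    return _recv_exact(sock, n)


def far_relay(listener: socket.socket, agent_addr: Tuple[str, int]) -> None:
    """Agent side: unwrap frames from the tunnel, send them to the agent over
    UDP, and wrap each reply back into the stream. Serves one connection."""
    conn, _ = listener.accept()
    with conn, socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(2.0)
        while True:
            req = recv_datagram(conn)
            if req is None:
                break
            udp.sendto(req, agent_addr)
            try:
                reply, _ = udp.recvfrom(MAX_DGRAM)
            except socket.timeout:
                continue            # UDP is lossy; the manager will retransmit
            conn.sendall(pack_datagram(reply))


def near_relay(udp_sock: socket.socket, tunnel_addr: Tuple[str, int]) -> None:
    """Manager side: frame the local manager's datagrams into the TCP
    connection that ssh -L would carry, and hand each reply back to it."""
    with socket.create_connection(tunnel_addr) as tcp:
        while True:
            data, peer = udp_sock.recvfrom(MAX_DGRAM)
            tcp.sendall(pack_datagram(data))
            reply = recv_datagram(tcp)
            if reply is None:
                break
            udp_sock.sendto(reply, peer)


def fake_agent(udp_sock: socket.socket) -> None:
    """Constructed stand-in for an SNMP agent: echoes each request, tagged."""
    while True:
        data, peer = udp_sock.recvfrom(MAX_DGRAM)
        udp_sock.sendto(b"agent:" + data, peer)


def _bound(kind: int) -> socket.socket:
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))        # ephemeral loopback port
    return s


def round_trip(payload: bytes) -> bytes:
    """Push one datagram manager -> near_relay -> TCP -> far_relay -> agent and back."""
    agent = _bound(socket.SOCK_DGRAM)
    listener = _bound(socket.SOCK_STREAM)
    listener.listen(1)
    near = _bound(socket.SOCK_DGRAM)
    for target, args in ((fake_agent, (agent,)),
                         (far_relay, (listener, agent.getsockname())),
                         (near_relay, (near, listener.getsockname()))):
        threading.Thread(target=target, args=args, daemon=True).start()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as manager:
        manager.settimeout(5.0)
        manager.sendto(payload, near.getsockname())
        reply, _ = manager.recvfrom(MAX_DGRAM)
    return reply


if __name__ == "__main__":
    # Sample payload (constructed): the BER-encoded SNMPv3 version field.
    print(round_trip(b"\x30\x03\x02\x01\x03"))
```

To deploy it, `near_relay` would listen on the manager host's UDP port and connect to the local end of `ssh -L`, and `far_relay` would listen on the remote end and point at the agent's UDP 161. Note what Bill's objection looks like in this code: every datagram now waits on the TCP handshake, the SSH session and the relay's own reply timeout, and the far relay holds a connection plus a UDP socket open per tunnel for as long as polling continues.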
Announcing Availability of free Cook Report back Issues
Well over a year ago someone on Nanog asked me why I didn't give away back issues. I said I planned to give them away at the Creative Commons web site. I sent a bunch to them on a CD-ROM but as far as I know nothing happened.

OK - the wait is over and more than 10 years of back issues are now available at no cost. Two from just over a year ago instantaneously. The rest by registration or on a CD from Cafe Press. At http://cookreport.com/ you will find pointers to the following changes.

1. COOK Report back issues available three different ways.
   (a) You can download past issues from April 1992 through June-July 2002 by registering and having me assign a username and password.
   (b) The issues of April-May and June-July 2002 are instantly downloadable without registration via 2 links at the top of the home page.
   (c) Back issues on a CD-ROM, including the August-October 2002 issue not available on the website, are also available at http://www.cafeshops.com/cookreportinter.6936314

2. There are also some very nice endorsements.

3. There are two small forums, one where you can make comments and a second one-way mail list from me that you can sign up for. In the next 30 days I may install an actual blog - namely Greymatter http://noahgrey.com/greysoft/

I would welcome comments on what folk find.

--
The COOK Report on Internet, 431 Greenway Ave, Ewing, NJ 08618 USA
609 882-2572 (PSTN) 703 738-6031 (Vonage) 17318 (FWD) [EMAIL PROTECTED]
Subscription info prices at http://cookreport.com/subscriptions.shtml
Fiber Wireless as First Mile Technology - Fiber Business Models Architecture, July-September 2003, 130 pages available at http://cookreport.com/12.04-06.shtml