[Deleted 'email@example.com' from this thread - only for announcements]
Well - since free packet sniffers (including SNMP header decoding)
are widely available on the Web, I keep telling people that using
community strings as ANY form of security is broken - I think Mike
Fenelon's point was that the external network adaptor (direct
connect printers to Ethernet) vendors just use separate community
strings for "poor man's MIB views" in SNMPv1.
To date, I personally know of only one printer vendor that ever
implemented SNMPv2 and one other more recently implemented SNMPv3.
Every default SNMPv1 agent I've ever seen used 'public' (in
NVT-ASCII) as their default read community string.
But since OCTET STRING has no charset the encoding of 'public'
itself is utterly ambiguous (since the majority of the legacy
charsets in existence do NOT have NVT-ASCII as a proper subset).
We'll fix this object to OCTET STRING and note that display is
inherently ambiguous (and security is non-existent).
Ira McDonald (Musician / Software Architect)
Blue Roof Music / High North Inc
PO Box 221 Grand Marais, MI 49839
From: Wijnen, Bert (Bert) [mailto:firstname.lastname@example.org]
Sent: Monday, March 14, 2005 5:10 AM
To: 'McDonald, Ira'; Wijnen, Bert (Bert); 'email@example.com'; 'firstname.lastname@example.org'
Subject: RE: PMP> Posted Last Call draft of Port Mon MIB (10 March 2005)
The CommunityString (in SNMPv1 and v2c) is intended as a (albeit)
weak secret, and not to be a human-consumable string. Such
has been the case since the origins of SNMP, and it has ALWAYS been
an OCTET STRING. So any agent (and manager) is supposed to be
able to handle any octet value (also those that are NOT in the
NVT ASCII set). ANd by using a DisplayString in your MIB module,
you seem to be telling compliant implementations that they
would not be compliant with your MIB module.
Does this help?
In general, I do not think that using community strings is wise at
all in this world. But ymmv.
> -----Original Message-----
> From: McDonald, Ira [mailto:email@example.com]
> Sent: Monday, March 14, 2005 04:49
> To: 'Wijnen, Bert (Bert)'; McDonald, Ira; 'firstname.lastname@example.org'; 'email@example.com'
> Subject: RE: PMP> Posted Last Call draft of Port Mon MIB (10
> March 2005)
> Hi Bert,
> I think we need some technical advice here about the syntax of
> SNMP community strings. You said recently (in this thread):
> "Well, there maybe broken SNMP implementation that only
> accept ASCII for
> community string. But I think you are now swinging the other way to
> not accept compliant SNMP implementations that DO accept non-ascii
> charatcers in community string."
> In the Printer Port Monitor MIB, I made our community string object
> have a syntax of 'DisplayString' (NVT-ASCII).
> Strangely, in the SNMP-COMMUNITY-MIB (RFC 3854), they use a syntax
> of 'OCTET STRING'. Which seems the worst of all possible worlds.
> Since the charset is completely ambiguous, it's impossible to
> display to users. Several years ago on the SNMPv3 list I argued
> (unsuccessfully) that the syntax should be 'SnmpAdminString',
> so that meaningful user display was possible. I remain unpersuaded
> that mixing charsets across an enterprise network for community
> strings can possibly ever be beneficial.
> Care to offer us some advice?
> - Ira
> Ira McDonald (Musician / Software Architect)
> Blue Roof Music / High North Inc
> PO Box 221 Grand Marais, MI 49839
> phone: +1-906-494-2434
> email: firstname.lastname@example.org
This archive was generated by hypermail 2b29 : Mon Mar 14 2005 - 15:27:24 EST