PMP Mail Archive: RE: PMP> Posted Last Call draft of Port Mo

RE: PMP> Posted Last Call draft of Port Mon MIB (10 March 2005)

From: McDonald, Ira (imcdonald@sharplabs.com)
Date: Mon Mar 14 2005 - 15:24:44 EST

    Hi,

    [Deleted 'pwg@pwg.org' from this thread - only for announcements]

    Well - since free packet sniffers (including SNMP header decoding)
    are widely available on the Web, I keep telling people that using
    community strings as ANY form of security is broken - I think Mike
    Fenelon's point was that the external network adaptor (direct
    connect printers to Ethernet) vendors just use separate community
    strings for "poor man's MIB views" in SNMPv1.

    To date, I personally know of only one printer vendor that ever
    implemented SNMPv2 and one other more recently implemented SNMPv3.

    Every default SNMPv1 agent I've ever seen used 'public' (in
    NVT-ASCII) as their default read community string.

    But since OCTET STRING has no charset the encoding of 'public'
    itself is utterly ambiguous (since the majority of the legacy
    charsets in existence do NOT have NVT-ASCII as a proper subset).

    We'll fix this object to OCTET STRING and note that display is
    inherently ambiguous (and security is non-existent).

    Cheers,
    - Ira

    Ira McDonald (Musician / Software Architect)
    Blue Roof Music / High North Inc
    PO Box 221 Grand Marais, MI 49839
    phone: +1-906-494-2434
    email: imcdonald@sharplabs.com

    -----Original Message-----
    From: Wijnen, Bert (Bert) [mailto:bwijnen@lucent.com]
    Sent: Monday, March 14, 2005 5:10 AM
    To: 'McDonald, Ira'; Wijnen, Bert (Bert); 'pmp@pwg.org'; 'pwg@pwg.org'
    Subject: RE: PMP> Posted Last Call draft of Port Mon MIB (10 March 2005)

    The CommunityString (in SNMPv1 and v2c) is intended as a (albeit)
    weak secret, and not to be a human-consumable string. Such
    has been the case since the origins of SNMP, and it has ALWAYS been
    an OCTET STRING. So any agent (and manager) is supposed to be
    able to handle any octet value (also those that are NOT in the
    NVT ASCII set). And by using a DisplayString in your MIB module,
    you seem to be telling compliant implementations that they
    would not be compliant with your MIB module.

    Does this help?

    In general, I do not think that using community strings is wise at
    all in this world. But ymmv.

    Bert

    > -----Original Message-----
    > From: McDonald, Ira [mailto:imcdonald@sharplabs.com]
    > Sent: Monday, March 14, 2005 04:49
    > To: 'Wijnen, Bert (Bert)'; McDonald, Ira; 'pmp@pwg.org'; 'pwg@pwg.org'
    > Subject: RE: PMP> Posted Last Call draft of Port Mon MIB (10
    > March 2005)
    >
    >
    > Hi Bert,
    >
    > I think we need some technical advice here about the syntax of
    > SNMP community strings. You said recently (in this thread):
    >
    > "Well, there may be broken SNMP implementation that only
    > accept ASCII for
    > community string. But I think you are now swinging the other way to
    > not accept compliant SNMP implementations that DO accept non-ascii
    > characters in community string."
    >
    > In the Printer Port Monitor MIB, I made our community string object
    > have a syntax of 'DisplayString' (NVT-ASCII).
    >
    > Strangely, in the SNMP-COMMUNITY-MIB (RFC 3854), they use a syntax
    > of 'OCTET STRING'. Which seems the worst of all possible worlds.
    > Since the charset is completely ambiguous, it's impossible to
    > display to users. Several years ago on the SNMPv3 list I argued
    > (unsuccessfully) that the syntax should be 'SnmpAdminString',
    > so that meaningful user display was possible. I remain unpersuaded
    > that mixing charsets across an enterprise network for community
    > strings can possibly ever be beneficial.
    >
    > Care to offer us some advice?
    >
    > Cheers,
    > - Ira
    >
    > Ira McDonald (Musician / Software Architect)
    > Blue Roof Music / High North Inc
    > PO Box 221 Grand Marais, MI 49839
    > phone: +1-906-494-2434
    > email: imcdonald@sharplabs.com
    >
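The following is an added example, not code from this thread or from any PWG or IETF project. It is a small BER decoder for the SNMPv1/v2c message header that makes two points of the exchange concrete: the community string travels in cleartext at the front of every v1/v2c datagram, so any capture tool can read it, and it is a bare OCTET STRING, so any octet value is legal and the same octets can display differently under different charsets. The packets, the default-community list and the helper names are all constructed for the example.

```python
# Added example (not from the PMP thread or any PWG/IETF code): a minimal BER
# decoder for the SNMPv1/v2c message header, used as a defender-side audit of
# captured SNMP datagrams. Sample packets below are constructed, not captured.

DEFAULT_COMMUNITIES = {b"public", b"private"}   # well-known vendor defaults (constructed list)

def ber_len_encode(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, payload):
    """Wrap payload in a BER tag-length-value triple."""
    return bytes([tag]) + ber_len_encode(len(payload)) + payload

def ber_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length

def build_snmp_message(version, community, pdu):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }."""
    return ber_tlv(0x30, ber_tlv(0x02, bytes([version])) + ber_tlv(0x04, community) + pdu)

def parse_snmp_header(payload):
    """Decode version, community and the PDU tag from a v1 (0) or v2c (1) message."""
    tag, body, _ = ber_read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = ber_read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big", signed=True)
    if version not in (0, 1):
        raise ValueError("version %d is not v1/v2c; no community header present" % version)
    tag, community, pos = ber_read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = ber_read_tlv(body, pos)
    return {"version": version, "community": community, "pdu_tag": pdu_tag}

def display_candidates(community, codecs=("ascii", "utf-8", "latin-1", "cp437")):
    """Render the raw octets under several charsets; None where the bytes are invalid.
    Several legal readings of the same octets is the ambiguity the thread describes."""
    out = {}
    for codec in codecs:
        try:
            out[codec] = community.decode(codec)
        except UnicodeDecodeError:
            out[codec] = None
    return out

def audit_community(payload):
    """Defender-side check over one captured SNMP datagram payload."""
    hdr = parse_snmp_header(payload)
    notes = []
    if hdr["community"] in DEFAULT_COMMUNITIES:
        notes.append("default community string in use")
    if not all(0x20 <= b < 0x7F for b in hdr["community"]):
        notes.append("community has non-NVT-ASCII octets; legal, but display is charset-dependent")
    return hdr, notes

# Constructed sample: GetRequest (tag 0xA0) for sysDescr.0 (1.3.6.1.2.1.1.1.0).
SYSDESCR_0 = bytes.fromhex("2b06010201010100")
SAMPLE_PDU = ber_tlv(0xA0,
                     ber_tlv(0x02, b"\x01") +          # request-id 1
                     ber_tlv(0x02, b"\x00") +          # error-status 0
                     ber_tlv(0x02, b"\x00") +          # error-index 0
                     ber_tlv(0x30, ber_tlv(0x30, ber_tlv(0x06, SYSDESCR_0) + ber_tlv(0x05, b""))))
SAMPLE_V1_PUBLIC = build_snmp_message(0, b"public", SAMPLE_PDU)
SAMPLE_V2C_LATIN1 = build_snmp_message(1, b"caf\xe9", SAMPLE_PDU)   # 0xE9 is 'e-acute' in Latin-1, Theta in cp437

if __name__ == "__main__":
    for pkt in (SAMPLE_V1_PUBLIC, SAMPLE_V2C_LATIN1):
        hdr, notes = audit_community(pkt)
        print(hdr, notes, display_candidates(hdr["community"]))
```

Feeding real UDP/161 payloads into audit_community is enough to inventory which devices still answer to a vendor default; the version check refuses SNMPv3 messages, whose header carries no community field at all.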



    This archive was generated by hypermail 2b29 : Mon Mar 14 2005 - 15:27:24 EST