Reported by James Galvin/TIS and Keith McCloghrie/Hughes
SNMPSEC Minutes
The SNMP Security Working Group met on Wednesday evening, November 20.
The Agenda was as follows.
o Document Finalization
o Interoperability Reports
o Other Comments
o Steps to Publication
In particular, the Working Group wanted to see revised documents and
implementation experience before it would consider recommending the
documents for publication.
Two of the three documents had been revised and distributed prior to the
meeting: SNMP Security Protocols and Definitions of Managed Objects for
Administration of SNMP Parties. There were no non-editorial changes to
be made to the SNMP Administrative Model document so it was not revised
for this meeting.
Document Finalization
Two editorial changes had been suggested on the mailing list for the
revised SNMP Security Protocols document. These changes were noted for
the Working Group.
The editorial changes required of the SNMP Administrative Model document
were noted for the Working group.
Interoperability Reports
There are four known implementations of the suite of documents; the only
feature not implemented in any of them was support for proxy. Three of
them have interoperated with each other, using noAuth/noPriv, using MD4,
and using DES. The Working Group requested that the implementations be
upgraded to include support for proxy. [Editors' note: two of the
implementations were so upgraded within a few days of the meeting.]
A number of minor changes were suggested as feedback from the
implementation experience, the most significant being: changing the
units of the party clock to be in seconds, and adding a new MIB object
to the party table to specify the largest SNMP message size that a party
would accept. These changes were presented to the Working Group and all
were approved. A suggestion that additional MIB objects were required
to support proxy to non-SNMP-party based proxied agents was also agreed,
but that these additional objects were considered to be the subject of
separate follow-on document(s).
1
In addition, some performance data was presented comparing the use of
MD4 and MD5 as authentication digest algorithms. The data indicated
that using MD5 took 15MD4 took 5the MD4 implementation was an
``optimized'' implementation, while the MD5 implementation was the one
directly out of the internet draft. This suggests that the reported
difference should be a worst case scenario.
Next, it was reported to the meeting that the authors of MD4 have
decided that the MD4 algorithm is suitable for use in all applications
except those which are long-lived. In particular, a protocol standard
is considered long-lived. Consequently, the Working Group decided to
adopt MD5 instead of MD4.
Other Comments
A number of other wording changes to the documents were suggested by
meeting attendees. All suggestions were noted and adopted.
Steps to Publication
The Working Group agreed that its work was ready for publication. The
following steps were specified.
1. The documents would be revised according to the comments discussed
at the meeting by Friday, November 22.
2. The documents will be submitted as internet drafts by Monday,
November 25.
3. The three weeks immediately following their availability as
internet drafts will be set aside for final review of the documents
by the Working Group.
4. At the end of three weeks, the documents will be revised (if
necessary) according to any discussions on the mailing list, and
submitted to the IESG with a recommendation they be published as a
Proposed Standard.
