[VOIPSEC] SNMP support forEventCorrelation/NetworkManagementSystems

Brian Rosen br at brianrosen.net
Sat Feb 26 12:35:24 CST 2005 

Haha
"go scream at them for being ... non-compliant"?!
You can scream all you want, vendors only do things customers ask for.
RFC3261 requires all things claiming to be SIP to implement TLS.
Only about 25% do.  They all claim to be compliant.

If the CUSTOMER demanded security, eventually they get it.
So far, no demand.

It's not entirely clear to me that SNMP is really the right thing.
For one thing, having lots of new elements for the network management system
to manage is problematic. Consider for example, that every PC could have
SNMP management, but it's really rare to see it used.  The number of
elements would probably overwhelm the available management tools.

I also think that it's too easy to misconfigure SNMP such that it's an easy
attack.  And, as we are discovering, USM is hard to deploy.

There is a SIP MIB.  Deployment is not mandatory.

Brian


> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Simon Horne
> Sent: Friday, February 25, 2005 10:56 PM
> To: Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] SNMP support
> forEventCorrelation/NetworkManagementSystems
> 
> At 05:25 AM 26/02/2005, Mark Teicher wrote:
> >The end point may incorporate it, then the .mib file will have either
> >adhere to ASN.1 standards or not.  After that, the various NMS/Event
> >Management systems have to incorporate it into their basic package or
> have
> >a 3rd party SNMP compiler that allows for errors that vendors may insert
> >into their .mib.  I ran into this problem a few weeks ago with a vendor
> >adhering to the SNMP standard but the .mib still had errors during
> >compilation for a common NMS system.
> >
> >The last I pinged either, there has been finger pointing in the various
> >directions and the VOIP vendor has stated, "hey we don't have time to fix
> >it, we are to busy working on our next release "
> 
> For H323 (due to the language I assume so) there is a standard H.341 for
> SNMP support. In fact a range of standard .mib files for H.341 are
> available for free from the ITU website. If they're not using them (or
> can't read them) then they are technically non-compliant for H323. You can
> go scream at them for being H323 SNMP non-compliant and watch them jump :)
> 
> Simon
> 
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>

More information about the Voipsec mailing list