Daniel,

All solutions will use a different SSH port as part of the standard just so that firewall administrators have the ability to block.

Eliot

Daniel Senie wrote:
At 02:00 PM 9/6/2005, Dave Crocker wrote:
Eliot,
I need your help to correct for an impending mistake by the ISMS working group in the IETF.
Your note is clear and logical, and seems quite compelling.
Is there any chance of getting a proponent of the working group's decision to post a defense?
(By the way, I am awestruck at the potential impact of changing SNMP from UDP-based to TCP-based, given the extensive debates that took place about this when SNMP was originally developed. Has THIS decision been subject to adequate external review, preferably including a pass by the IAB?)
I agree the argument is well laid out, and would be interested in hearing the thinking of ISMS in response.
I'm more than a bit concerned, however, when folks start talking about solutions that will permit things to pass through firewalls without configuration. Those in charge of firewalls are often purposely setting policy. If there is a perceived need for a policy that prevents SNMP traffic, then it should remain possible for the administrator of that network element to make that call. I must say I have some concern with overlaying SNMP on SSH, since that precludes the firewall knowing whether the traffic is general SSH keyboard traffic or network management.
Let's hear more about the thinking involved.