Operational Feedback Requested on Pending Standard
All,

Below is an email sent to the IETF OPS Area mailing list soliciting feedback from operators regarding firewalls. We would also appreciate feedback from the Operators Mailing Lists. Please respond to the OPS Area mailing list if you have a position on the item below. You can subscribe to the Operations and Management Area mailing list at the URL below if you are not already subscribed.

https://www.ietf.org/mailman/listinfo/ops-area

On behalf of the OPS Area Directors and myself, thank you.

Ted - With OPS Area WG Hat On

--------------------------------------------------------------

During the final review phases of the review of http://www.ietf.org/internet-drafts/draft-ietf-midcom-mib-09.txt the issue described below surfaced. It is actually not completely new, it was discussed in the past in a form or another, and it is not necessarily specific to this document and MIB module only, but also to other MIB modules. We believe that input from network operators can help, and we solicit this input.

The MIDCOM-MIB defines tables containing firewall rules, indexed by ifIndex. ifIndex values can change when interfaces are swapped or devices reboot, and this could lead to rules being applied to the wrong interface.

How do you, network operators, prefer interfaces be identified?

- Is ifIndex the preferred choice even though the indices can change on reboot?
- Is ifName a better choice for identifying interfaces in rules, since it is set by the device and remains fairly stable across reboots and is guaranteed to be unique?
- Is ifAlias a better choice, since it can be set by operators, although it is not guaranteed to be unique?

We would appreciate inputs and thank you for your cooperation.
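The risk described above, as an added example that is not part of the thread or of the MIDCOM-MIB draft: a rule table keyed by ifIndex silently lands on a different interface after a card swap and reboot, while a table keyed by ifName either re-resolves to the correct index or reports the interface as gone; a last helper shows why ifAlias cannot be trusted as a key. The interface tables and rules are constructed sample data, not output from any real device.

```python
"""Models the ifIndex / ifName / ifAlias question for firewall-rule tables.
All tables below are constructed sample data (not from a real device)."""

# Constructed ifTable snapshots: ifIndex -> (ifName, ifAlias).
# A card was swapped before the reboot, so the device renumbered ifIndex.
IFTABLE_BEFORE = {
    1: ("eth0", "uplink"),
    2: ("eth1", "dmz"),
    3: ("eth2", "mgmt"),
}
IFTABLE_AFTER = {
    1: ("eth0", "uplink"),
    2: ("eth2", "mgmt"),   # eth1 is gone; eth2 now holds ifIndex 2
    3: ("eth3", "dmz"),    # replacement card, operator reused alias "dmz"
    4: ("eth4", "dmz"),    # second new port, same alias: ifAlias is not unique
}

# Constructed rules, keyed by ifIndex (as the draft keys them) and by ifName.
RULES_BY_IFINDEX = {2: "deny tcp any any eq 23"}
RULES_BY_IFNAME = {"eth1": "deny tcp any any eq 23",
                   "eth2": "permit udp any any eq 161"}


def resolve_by_ifindex(rules, iftable):
    """Apply ifIndex-keyed rules to the post-reboot table: ifName -> rule.
    Whatever interface now owns the index receives the rule, unnoticed."""
    return {iftable[i][0]: r for i, r in rules.items() if i in iftable}


def drifted_rules(rules, before, after):
    """ifIndex keys that now name a different interface than before."""
    return [i for i in rules
            if i in before and i in after and before[i][0] != after[i][0]]


def resolve_by_ifname(rules, iftable):
    """Re-derive the current ifIndex for ifName-keyed rules.
    Returns (ifIndex -> rule, [ifNames no longer present on the device])."""
    name_to_index = {name: idx for idx, (name, _alias) in iftable.items()}
    applied = {name_to_index[n]: r for n, r in rules.items() if n in name_to_index}
    missing = [n for n in rules if n not in name_to_index]
    return applied, missing


def duplicate_aliases(iftable):
    """ifAlias values shared by several interfaces: ambiguous as a rule key."""
    seen = {}
    for idx, (_name, alias) in iftable.items():
        seen.setdefault(alias, []).append(idx)
    return {a: idxs for a, idxs in seen.items() if len(idxs) > 1}
```

Comparing `drifted_rules` against an ifTable snapshot taken before the reboot is the check an operator would want before re-applying an ifIndex-keyed table.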
Hi Ted,

Developing IASON I did run into that problem. Among other things IASON was meant to read the configuration of a device and the things connected to it. When e.g. a switch port was bad, a device was unplugged and plugged into another port, then IASON was meant to reconfigure the switch, VPN and parameters, so that the device could run as if nothing had changed. Most dramatically, IASON would allow you to replace a CISCO by an HP ProCurve switch and automatically configure everything as soon as the device was switched on (DHCP and bootp). IASON would discover any device that was asking for DHCP and bootp to query an initial configuration; then it would look through its ports and MAC lists to see where it was connected and what devices were connected.

Of course IASON would work with ifIndex, not with ifName, as these are different from manufacturer to manufacturer - and definitely not ifAlias, because IASON would configure the device before an operator could see it. I might teach IASON to use ifName and keep tables for the different hardware, but definitely not ifAlias.

Well, neither Global Crossing nor Exodus cared for IASON, so the SNMP part was never finished and IASON only used snmpwalk to scan devices.

I remember the faces of two operators at a new installation when they plugged in three new switches and IASON immediately moved them to a VPN where the operators could not find them. As soon as they plugged in a service laptop it would connect that laptop to the NOC VPN, but they would never see the management port. Of course IASON had already issued new passwords, so RS232 would not help them either :)

Cheers,
Peter and Karin

Ted Seely wrote:
> All,
>
> Below is an email sent to the IETF OPS Area mailing list soliciting feedback from operators regarding firewalls. We would also appreciate feedback from the Operators Mailing Lists. Please respond to the OPS Area mailing list if you have a position on the item below. You can subscribe to the Operations and Management Area mailing list at the URL below if you are not already subscribed.
>
> https://www.ietf.org/mailman/listinfo/ops-area
>
> On behalf of the OPS Area Directors and myself, thank you.
>
> Ted - With OPS Area WG Hat On
>
> --------------------------------------------------------------
>
> During the final review phases of the review of http://www.ietf.org/internet-drafts/draft-ietf-midcom-mib-09.txt the issue described below surfaced. It is actually not completely new, it was discussed in the past in a form or another, and it is not necessarily specific to this document and MIB module only, but also to other MIB modules. We believe that input from network operators can help, and we solicit this input.
>
> The MIDCOM-MIB defines tables containing firewall rules, indexed by ifIndex. ifIndex values can change when interfaces are swapped or devices reboot, and this could lead to rules being applied to the wrong interface.
>
> How do you, network operators, prefer interfaces be identified?
>
> - Is ifIndex the preferred choice even though the indices can change on reboot?
> - Is ifName a better choice for identifying interfaces in rules, since it is set by the device and remains fairly stable across reboots and is guaranteed to be unique?
> - Is ifAlias a better choice, since it can be set by operators, although it is not guaranteed to be unique?
>
> We would appreciate inputs and thank you for your cooperation.
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.arl.pirates
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/