WG Action: Integrated Security Model for SNMP (isms)

The IESG <iesg-secretary@ietf.org> Thu, 23 September 2004 14:38 UTC

Message-Id: <200409231426.KAA16840@ietf.org>
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce@ietf.org
Date: Thu, 23 Sep 2004 10:26:00 -0400
Cc: isms@ietf.org, Ken Hornstein <kenh@cmf.nrl.navy.mil>
Subject: WG Action: Integrated Security Model for SNMP (isms)

A new IETF working group has been formed in the Security Area. 
For additional information, please contact the Area Directors or 
the WG Chairs.

Integrated Security Model for SNMP (isms)

Current Status: Active Working Group

Ken Hornstein <kenh@cmf.nrl.navy.mil>
Juergen Quittek <quittek@netlab.nec.de>

Security Area Director(s)
Steven Bellovin <smb@research.att.com>
Russell Housley <housley@vigilsec.com>

Security Area Advisor:
Steven Bellovin <smb@research.att.com>

Mailing Lists:
General discussion: isms@ietf.org
To (un)subscribe: isms-request@ietf.org
in body: (un)subscribe
Archive: http://www.ietf.org/mail-archive/working-groups/isms/current/maillist.html

Description of Working Group:

Version 3 of the Simple Network Management Protocol (SNMPv3) was
elevated to Internet Standard in late 2002 and added security to the
previous versions of the protocol. Although the enhanced protocol
is secure, operators and administrators find that deploying it can
be problematic in large deployments. This is due primarily to two
synchronization problems. The first is the addition of yet another
authentication system specific to SNMPv3 (the User-based Security
Model, with its own per-device database of users and keys) that
needs to be maintained across all networking devices. Most of these
devices already contain local accounts and/or the ability to
negotiate with authentication servers (e.g. RADIUS servers). However,
SNMPv3 does not make use of these authentication mechanisms, and
this causes additional synchronization burdens. The second issue
found with deploying SNMPv3 is that distributing and maintaining
View-based Access Control Model (VACM) rules is also difficult in
large-scale

The ISMS working group will focus on finding and identifying a solution
for the first of the two problems mentioned above: creating a security
model for SNMPv3 that will meet the security and operational needs of
network administrators. The solution should maximize usability in
operational environments to achieve high deployment success and at
the same time minimize implementation and deployment costs, so as to
minimize the time until deployment is possible. The work will
include the ability to make use of existing and commonly deployed
security infrastructure. The following security infrastructures
will be considered by the working group as potential existing
authentication infrastructures to make use of within the new
security model. The solution will hopefully be able to be integrated
with more than one of these user databases, although it is expected
that support for one of them will be mandatory.

- Local accounts
- SSH identities
- RADIUS
- X.509 Certificates
- Kerberos
- Diameter

A solution must not modify the other aspects of the SNMPv3 protocol as
defined in STD 62 (e.g., it must not create new PDU types). It should
also be compliant with the security model architectural block of
SNMPv3, as outlined in RFC 3411. And, if at all possible, it should
not change any other protocols either.

The working group will begin by focusing on initial proposals, which
must be submitted for consideration by the Internet-Draft cut-off
date for the 61st IETF (Oct 19th, 2004). Documents submitted for
consideration need not be well-polished, but they are expected to
describe the proposed model well enough that working group
participants can understand it and make an informed decision when
considering it alongside the other candidates. The working group
will select one forward path from all the proposals submitted by the
cut-off date. If no such selection is made by the end of March 2005
(see the milestones below), the working group will be closed down.

Work Items

- Choose a technical direction for the working group to focus on.

Goals and Milestones:

Oct 18 2004 Cut-off date for internet-drafts to be submitted to the
working group for consideration as a proposed solution.
Nov 19 2004 Decision about which solution approach the WG will
focus its efforts on.
Mar 31 2005 Working group will recharter to include publication
goals, or shut down if no consensus on a technical
direction has been reached by this time.
