Re: [Isms] SNMP "access control" terminology
Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de> Mon, 03 July 2006 06:18 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FxHlf-0002ak-P9; Mon, 03 Jul 2006 02:18:47 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FxHle-0002af-SD for isms@ietf.org; Mon, 03 Jul 2006 02:18:46 -0400
Received: from hermes.iu-bremen.de ([212.201.44.23]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FxHlc-0001mN-Cs for isms@ietf.org; Mon, 03 Jul 2006 02:18:46 -0400
Received: from localhost (demetrius.iu-bremen.de [212.201.44.32]) by hermes.iu-bremen.de (Postfix) with ESMTP id 796E655F00; Mon, 3 Jul 2006 08:18:43 +0200 (CEST)
Received: from hermes.iu-bremen.de ([212.201.44.23]) by localhost (demetrius.iu-bremen.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id 30300-07; Mon, 3 Jul 2006 08:18:41 +0200 (CEST)
Received: from boskop.local (unknown [10.222.1.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by hermes.iu-bremen.de (Postfix) with ESMTP id 8A1B155EF8; Mon, 3 Jul 2006 08:18:40 +0200 (CEST)
Received: by boskop.local (Postfix, from userid 501) id 921B677F9E0; Mon, 3 Jul 2006 08:18:38 +0200 (CEST)
Date: Mon, 03 Jul 2006 08:18:38 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: Randy Presuhn <randy_presuhn@mindspring.com>
Subject: Re: [Isms] SNMP "access control" terminology
Message-ID: <20060703061838.GA5200@boskop.local>
Mail-Followup-To: Randy Presuhn <randy_presuhn@mindspring.com>, isms@ietf.org
References: <20060702201418.GA4772@boskop.local> <001601c69e63$24a23940$6501a8c0@oemcomputer>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <001601c69e63$24a23940$6501a8c0@oemcomputer>
User-Agent: Mutt/1.5.10i
X-Virus-Scanned: amavisd-new 2.3.3 (20050822) at iu-bremen.de
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f60d0f7806b0c40781eee6b9cd0b2135
Cc: isms@ietf.org
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: j.schoenwaelder@iu-bremen.de
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org
On Sun, Jul 02, 2006 at 10:40:02PM -0700, Randy Presuhn wrote: > > From: "Juergen Schoenwaelder" <j.schoenwaelder@iu-bremen.de> > > To: <isms@ietf.org> > > Sent: Sunday, July 02, 2006 1:14 PM > > Subject: Re: [Isms] SNMP "access control" terminology > ... > > > So how do you think snmpCommunityTransportTag as defined in RFC 3587 > > > fits into the picture? I believe this object does authorization by > > > matching IP addresses. And the way it is described, this happens in > > > the message processing model (processIncomingMsg ASI, see RFC 3587 > > > section 5.2.1). Perhaps this RFC is wrong according to the > > > architecture (or is the architecture wrong? ;-) > > > > > > You like to see authorization in the ACM. I think authorization does > > > not really exist as a concept - except perhaps in RFC 3587. > > > > I got the RFC number wrong - I was referring to RFC 3584 and not RFC > > 3587. Sorry for the confusion. > ... > > The function of snmpCommunityTransportTag is to to provide a bridge > of sorts between the SNMPv1/SNMPv2c world and the SNMPv3 world. > That it might exhibit some discrepancies from the SNMPv3 architecture > is not surprising, given that it processes incompatible message wrappers. Sure. But the point is that (a) a clean architecture and the real world must align reasonably well to be useful and (b) that I consider this IP address filtering in the community-based security model as a kind of authorization step. You simply don't get into the SNMP engine if this authorization step fails, regardless what VACM later on would allow or disallow. While having no authorization and having no access right might practically mean the same thing, they are still different in terms of how far you get into the system and so far I always considered authorization as something that happens at the entrance. Once you have passed authorization and you are inside, access control controls what you can do. While I might be wrong with my world model, I see the following potential three usages of RADIUS in an ISMS environment: a) authentication backend for password/keyboard-interactive (transparent for ISMS as far as I can tell, easy) b) authorization (once authenticated) (easy when you use RADIUS for authentication, difficult when you use public keys or kerberos since in this case authorization is different from authentication and RADIUS does not seem to like it (and I still have to understand what the difference between RADIUS and DIAMETER is in this aspect since the later seems to like it better)) c) mapping of security names to group names (roles) (requires to call radius within VACM or cached information must be passed to VACM from somewhere, requires to work out how such dynamic information coexists with provisioned VACM security to group mappings) I think this is what <draft-narayan-isms-sshsm-radius-00.txt> discusses. /js -- Juergen Schoenwaelder International University Bremen <http://www.eecs.iu-bremen.de/> P.O. Box 750 561, 28725 Bremen, Germany _______________________________________________ Isms mailing list Isms@lists.ietf.org https://www1.ietf.org/mailman/listinfo/isms
- [Isms] FW: RADIUS integration David B Harrington
- RE: [Isms] FW: RADIUS integration Nelson, David
- RE: [Isms] FW: RADIUS integration Nelson, David
- RE: [Isms] FW: RADIUS integration Jeffrey Hutzelman
- RE: [Isms] FW: RADIUS integration Jeffrey Hutzelman
- RE: [Isms] FW: RADIUS integration Nelson, David
- RE: [Isms] FW: RADIUS integration Nelson, David
- RE: [Isms] FW: RADIUS integration Jeffrey Hutzelman
- RE: [Isms] FW: RADIUS integration Jeffrey Hutzelman
- RE: [Isms] FW: RADIUS integration Blumenthal, Uri
- RE: [Isms] FW: RADIUS integration Jeffrey Hutzelman
- RE: [Isms] FW: RADIUS integration Nelson, David
- RE: [Isms] FW: RADIUS integration David Harrington
- RE: [Isms] FW: RADIUS integration Nelson, David
- RE: [Isms] FW: RADIUS integration Jeffrey Hutzelman
- RE: [Isms] FW: RADIUS integration Nelson, David
- RE: [Isms] FW: RADIUS integration Jeffrey Hutzelman
- Re: [Isms] FW: RADIUS integration Eliot Lear
- RE: [Isms] FW: RADIUS integration Nelson, David
- Re: [Isms] FW: RADIUS integration Jeffrey Hutzelman
- RE: [Isms] FW: RADIUS integration Jeffrey Hutzelman
- [Isms] SNMP "access control" terminology David Harrington
- [Isms] An ACM/RADIUS integration David Harrington
- [Isms] Should ACM close a subsystem? David Harrington
- Re: [Isms] SNMP "access control" terminology Juergen Schoenwaelder
- Re: [Isms] SNMP "access control" terminology Juergen Schoenwaelder
- Re: [Isms] SNMP "access control" terminology Randy Presuhn
- Re: [Isms] SNMP "access control" terminology Juergen Schoenwaelder
- Re: [Isms] SNMP "access control" terminology Randy Presuhn
- Re: [Isms] SNMP "access control" terminology Juergen Schoenwaelder
- Re: [Isms] SNMP "access control" terminology Randy Presuhn
- Re: [Isms] SNMP "access control" terminology Juergen Schoenwaelder
- Re: [Isms] SNMP "access control" terminology Eliot Lear
- RE: [Isms] SNMP "access control" terminology David Harrington
- RE: [Isms] FW: RADIUS integration Nelson, David
- RE: [Isms] FW: RADIUS integration Jeffrey Hutzelman