IETF Logo Mail Archive

Re: [Isms] SNMP "access control" terminology

Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de> Mon, 03 July 2006 06:18 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FxHlf-0002ak-P9; Mon, 03 Jul 2006 02:18:47 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FxHle-0002af-SD for isms@ietf.org; Mon, 03 Jul 2006 02:18:46 -0400
Received: from hermes.iu-bremen.de ([212.201.44.23]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FxHlc-0001mN-Cs for isms@ietf.org; Mon, 03 Jul 2006 02:18:46 -0400
Received: from localhost (demetrius.iu-bremen.de [212.201.44.32]) by hermes.iu-bremen.de (Postfix) with ESMTP id 796E655F00; Mon, 3 Jul 2006 08:18:43 +0200 (CEST)
Received: from hermes.iu-bremen.de ([212.201.44.23]) by localhost (demetrius.iu-bremen.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id 30300-07; Mon, 3 Jul 2006 08:18:41 +0200 (CEST)
Received: from boskop.local (unknown [10.222.1.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by hermes.iu-bremen.de (Postfix) with ESMTP id 8A1B155EF8; Mon, 3 Jul 2006 08:18:40 +0200 (CEST)
Received: by boskop.local (Postfix, from userid 501) id 921B677F9E0; Mon, 3 Jul 2006 08:18:38 +0200 (CEST)
Date: Mon, 03 Jul 2006 08:18:38 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>
To: Randy Presuhn <randy_presuhn@mindspring.com>
Subject: Re: [Isms] SNMP "access control" terminology
Message-ID: <20060703061838.GA5200@boskop.local>
Mail-Followup-To: Randy Presuhn <randy_presuhn@mindspring.com>, isms@ietf.org
References: <20060702201418.GA4772@boskop.local> <001601c69e63$24a23940$6501a8c0@oemcomputer>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <001601c69e63$24a23940$6501a8c0@oemcomputer>
User-Agent: Mutt/1.5.10i
X-Virus-Scanned: amavisd-new 2.3.3 (20050822) at iu-bremen.de
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f60d0f7806b0c40781eee6b9cd0b2135
Cc: isms@ietf.org
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: j.schoenwaelder@iu-bremen.de
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

On Sun, Jul 02, 2006 at 10:40:02PM -0700, Randy Presuhn wrote:
 
> > From: "Juergen Schoenwaelder" <j.schoenwaelder@iu-bremen.de>
> > To: <isms@ietf.org>
> > Sent: Sunday, July 02, 2006 1:14 PM
> > Subject: Re: [Isms] SNMP "access control" terminology
> ...
> > > So how do you think snmpCommunityTransportTag as defined in RFC 3587
> > > fits into the picture? I believe this object does authorization by
> > > matching IP addresses. And the way it is described, this happens in
> > > the message processing model (processIncomingMsg ASI, see RFC 3587
> > > section 5.2.1). Perhaps this RFC is wrong according to the
> > > architecture (or is the architecture wrong? ;-)
> > > 
> > > You like to see authorization in the ACM. I think authorization does
> > > not really exist as a concept - except perhaps in RFC 3587.
> > 
> > I got the RFC number wrong - I was referring to RFC 3584 and not RFC
> > 3587. Sorry for the confusion.
> ...
> 
> The function of snmpCommunityTransportTag is to to provide a bridge
> of sorts between the SNMPv1/SNMPv2c world and the SNMPv3 world.
> That it might exhibit some discrepancies from the SNMPv3 architecture
> is not surprising, given that it processes incompatible message wrappers.

Sure. But the point is that (a) a clean architecture and the real
world must align reasonably well to be useful and (b) that I consider
this IP address filtering in the community-based security model as a
kind of authorization step. You simply don't get into the SNMP engine
if this authorization step fails, regardless what VACM later on would
allow or disallow.

While having no authorization and having no access right might
practically mean the same thing, they are still different in terms of
how far you get into the system and so far I always considered
authorization as something that happens at the entrance. Once you have
passed authorization and you are inside, access control controls what
you can do.

While I might be wrong with my world model, I see the following
potential three usages of RADIUS in an ISMS environment:

a) authentication backend for password/keyboard-interactive
   (transparent for ISMS as far as I can tell, easy)

b) authorization (once authenticated)
   (easy when you use RADIUS for authentication, difficult when you
   use public keys or kerberos since in this case authorization is
   different from authentication and RADIUS does not seem to like
   it (and I still have to understand what the difference between
   RADIUS and DIAMETER is in this aspect since the later seems to
   like it better))

c) mapping of security names to group names (roles)
   (requires to call radius within VACM or cached information must be
   passed to VACM from somewhere, requires to work out how such
   dynamic information coexists with provisioned VACM security to
   group mappings)

I think this is what <draft-narayan-isms-sshsm-radius-00.txt>
discusses.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

v2.23.0 | Report a Bug | By Email