Re: [Isms] SNMP "access control" terminology
"Randy Presuhn" <randy_presuhn@mindspring.com> Mon, 03 July 2006 07:15 UTC
From: Randy Presuhn <randy_presuhn@mindspring.com>
To: isms@ietf.org
References: <20060702201418.GA4772@boskop.local> <001601c69e63$24a23940$6501a8c0@oemcomputer> <20060703061838.GA5200@boskop.local>
Subject: Re: [Isms] SNMP "access control" terminology
Date: Mon, 03 Jul 2006 00:16:21 -0700
Hi -

> From: "Juergen Schoenwaelder" <j.schoenwaelder@iu-bremen.de>
> To: "Randy Presuhn" <randy_presuhn@mindspring.com>
> Cc: <isms@ietf.org>
> Sent: Sunday, July 02, 2006 11:18 PM
> Subject: Re: [Isms] SNMP "access control" terminology
...
> a) authentication backend for password/keyboard-interactive
>    (transparent for ISMS as far as I can tell, easy)
>
> b) authorization (once authenticated)
>    (easy when you use RADIUS for authentication, difficult when you
>    use public keys or kerberos since in this case authorization is
>    different from authentication and RADIUS does not seem to like
>    it (and I still have to understand what the difference between
>    RADIUS and DIAMETER is in this aspect since the latter seems to
>    like it better))

Does the distinction between (a) and (b) matter?  It's a question of
what attacks would be possible by the set of users who could be
authenticated but not "authorized" who would somehow be able to cause
mischief despite being prevented from "doing" anything by the access
control model.  I think this boils down to DoS attacks, and would
perhaps be more interesting than in a USM world if sessions consumed
substantial resources.

> c) mapping of security names to group names (roles)
>    (requires to call radius within VACM or cached information must be
>    passed to VACM from somewhere, requires to work out how such
>    dynamic information coexists with provisioned VACM security to
>    group mappings)
>
> I think this is what <draft-narayan-isms-sshsm-radius-00.txt>
> discusses.
...

Randy

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms