Re: [Isms] SNMP "access control" terminology

"Randy Presuhn" <randy_presuhn@mindspring.com> Mon, 03 July 2006 07:15 UTC

Message-ID: <000a01c69e70$96871a00$6501a8c0@oemcomputer>
From: Randy Presuhn <randy_presuhn@mindspring.com>
To: isms@ietf.org
References: <20060702201418.GA4772@boskop.local> <001601c69e63$24a23940$6501a8c0@oemcomputer> <20060703061838.GA5200@boskop.local>
Subject: Re: [Isms] SNMP "access control" terminology
Date: Mon, 03 Jul 2006 00:16:21 -0700

Hi -

> From: "Juergen Schoenwaelder" <j.schoenwaelder@iu-bremen.de>
> To: "Randy Presuhn" <randy_presuhn@mindspring.com>
> Cc: <isms@ietf.org>
> Sent: Sunday, July 02, 2006 11:18 PM
> Subject: Re: [Isms] SNMP "access control" terminology
...
> a) authentication backend for password/keyboard-interactive
>    (transparent for ISMS as far as I can tell, easy)
> 
> b) authorization (once authenticated)
>    (easy when you use RADIUS for authentication, difficult when you
>    use public keys or kerberos since in this case authorization is
>    different from authentication and RADIUS does not seem to like
>    it (and I still have to understand what the difference between
>    RADIUS and DIAMETER is in this aspect since the latter seems to
>    like it better))

Does the distinction between (a) and (b) matter?  It's a question
of what attacks would be possible by the set of users who could
be authenticated but not "authorized" who would somehow be able
to cause mischief despite being prevented from "doing" anything by
the access control model.  I think this boils down to DoS attacks,
and would perhaps be more interesting than in a USM world if
sessions consumed substantial resources.

> c) mapping of security names to group names (roles)
>    (requires calling RADIUS within VACM, or cached information must be
>    passed to VACM from somewhere; requires working out how such
>    dynamic information coexists with provisioned VACM security-to-
>    group mappings)
> 
> I think this is what <draft-narayan-isms-sshsm-radius-00.txt>
> discusses.
...

Randy
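As an added illustration of the split Juergen draws between (a) authentication, (b) authorization and (c) the securityName-to-groupName mapping, and of the authenticated-but-not-authorized set Randy asks about, here is a small Python model; it is not code from any ISMS draft or SNMP implementation. It assumes that provisioned vacmSecurityToGroupTable rows take precedence over RADIUS-learned ones, a hypothetical securityModel number, a TTL on learned rows, and a per-agent budget for sessions whose principal maps to no group.

```python
import time

# Constructed model of VACM's securityName -> groupName step with two sources
# of rows: provisioned entries and dynamic entries learned from a RADIUS
# authorization reply. Precedence and TTL handling are assumptions.
SECURITY_MODEL_TSM = 3  # hypothetical securityModel value for the transport model

# Provisioned rows, keyed like vacmSecurityToGroupTable: (securityModel, securityName)
PROVISIONED = {(SECURITY_MODEL_TSM, "alice"): "admins"}

# Dynamic rows handed to VACM after RADIUS authorization: key -> (group, expiry)
_dynamic = {}

def learn_from_radius(security_name, group_name, ttl_seconds, now=None):
    """Cache a group mapping returned alongside RADIUS authentication."""
    now = time.time() if now is None else now
    _dynamic[(SECURITY_MODEL_TSM, security_name)] = (group_name, now + ttl_seconds)

def resolve_group(security_name, now=None):
    """securityName -> groupName. Provisioned rows win over dynamic ones
    (an assumption the draft has to settle); expired dynamic rows are absent."""
    now = time.time() if now is None else now
    key = (SECURITY_MODEL_TSM, security_name)
    if key in PROVISIONED:
        return PROVISIONED[key]
    entry = _dynamic.get(key)
    if entry and entry[1] > now:
        return entry[0]
    return None  # authenticated identity, but nothing VACM will let it do

class SessionTable:
    """Open transport sessions, with a cap on how many may belong to
    principals that have no group mapping (the DoS exposure Randy raises)."""
    def __init__(self, max_unauthorized):
        self.max_unauthorized = max_unauthorized
        self.sessions = []  # (securityName, groupName or None)

    def open_session(self, security_name, now=None):
        """Returns (accepted, group). A principal with no group is admitted
        only while the unauthorized-session budget allows it."""
        group = resolve_group(security_name, now)
        if group is None:
            unauth = sum(1 for _, g in self.sessions if g is None)
            if unauth >= self.max_unauthorized:
                return False, None
        self.sessions.append((security_name, group))
        return True, group
```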


_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms