RE: [Isms] Draft-narayan-isms-sshsm-radius-01 review
"Kaushik Narayan \(kaushik\)" <kaushik@cisco.com> Mon, 19 March 2007 19:39 UTC
Return-path: <isms-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTNh7-0000vH-Pz; Mon, 19 Mar 2007 15:39:01 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTNh6-0000ut-0n for isms@ietf.org; Mon, 19 Mar 2007 15:39:00 -0400
Received: from sj-iport-3-in.cisco.com ([171.71.176.72] helo=sj-iport-3.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HTNh3-0002mu-An for isms@ietf.org; Mon, 19 Mar 2007 15:38:59 -0400
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-3.cisco.com with ESMTP; 19 Mar 2007 12:38:58 -0700
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id l2JJcuTq008156; Mon, 19 Mar 2007 12:38:56 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id l2JJcfF4018867; Mon, 19 Mar 2007 19:38:56 GMT
Received: from xmb-sjc-22d.amer.cisco.com ([128.107.191.68]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 19 Mar 2007 12:38:49 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Isms] Draft-narayan-isms-sshsm-radius-01 review
Date: Mon, 19 Mar 2007 12:38:47 -0700
Message-ID: <618694EF0B657246A4D55A97E38274C3032CCE82@xmb-sjc-22d.amer.cisco.com>
In-Reply-To: <007901c768d3$27df4400$f471743f@china.huawei.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Isms] Draft-narayan-isms-sshsm-radius-01 review
Thread-Index: Acdo0ppNPYSTeNf7SsChA7uBxm1sOABf/5AQ
From: "Kaushik Narayan (kaushik)" <kaushik@cisco.com>
To: David Harrington <ietfdbh@comcast.net>, isms@ietf.org
X-OriginalArrivalTime: 19 Mar 2007 19:38:49.0482 (UTC) FILETIME=[378D36A0:01C76A5E]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=6901; t=1174333136; x=1175197136; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=kaushik@cisco.com; z=From:=20=22Kaushik=20Narayan=20\(kaushik\)=22=20<kaushik@cisco.com> |Subject:=20RE=3A=20[Isms]=20Draft-narayan-isms-sshsm-radius-01=20review |Sender:=20; bh=IXoX7aymX1oNYsidfKKTUhSvYM1sRDgks2F3OqUM/4Y=; b=VPcY6Yf64Q0Tn8UaTDSlMnWyR9TZyV76yN/2BGf8oHTS1PbTDO+lsNwPOXxBeWCaT6hco1Ax b826xPw/Vbs1NGcj6mU9azfcA+HyboiyQr0fwlyKF3jSEB6eFDqbHxI8;
Authentication-Results: sj-dkim-3; header.From=kaushik@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: ff0adf256e4dd459cc25215cfa732ac1
Cc:
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org
Hi David, Thanks for your comments. Please find my reply inline. -----Original Message----- From: David Harrington [mailto:ietfdbh@comcast.net] Sent: Saturday, March 17, 2007 1:31 PM To: isms@ietf.org Subject: [Isms] Draft-narayan-isms-sshsm-radius-01 review Hi, I have reviewed this document and have some general and some specific suggestions. Overall, I think the document is progressing, but needs to be more consistent with other isms documents, and could use a restructuring. General: I recommend restructuring the document based on what is to be supported, in an incremental manner: 1) "integration with legacy RADIUS" which would only deal with authenticating the user and authorizing an SSH subsystem, and not deal with integration with an ACM (or make it implementation-dependent to hang onto authz attributes received during a legacy authn). 2) "integration with Dynamic RADIUS" which would support authorization for a SSH subsystem PLUS authorize-only support in a RADIUS-specific ACM. I suggest that the RADIUS state attribute established during authn be passed as the securityName, since that is what the authorize-only authz is tied to. To maintain modularity, an SSH-RADIUS transport model should pass the RADIUS state attribute in the tmStateReference as the proposed securityName, and the Transport Security Model would translate that into the securityName. A RADIUS-specific ACM would then use the securityName (RADIUS state attr) to attempt an authorize-only access-request, and use the returned attributes to determine what access should be allowed. If the securityname != a known RADIUS-state-attr, then RADIUS would return an access-reject. 3) "integration with the proposed management policy attributes". Used with authorize-only, RADIUS could return the new mgmt-policy-id attribute to be used to create a mapping from securityname (Radius-state-attr) to a "named" mgmt policy. <Kaushik> The current draft suggests two models of integration for access control A. augment VACM to use securityName or other attributes contained with the RADIUS state attribute. B. build new ACM for RADIUS integration that can use securityName and use RADIUS to acquire additional authorization information. Are you suggesting that we donot pursue the first model. </Kaushik> ---------Specific comments--------- Introduction as noted previously, there is no SSH SM, only an SSH TM. This should be fixed throughout the document. section2 s/(SSHSM) [sshsm]/[sshsm]/ s/Security Model/Transport Model/ "SSHSM requires ..." should be rewritten to better reflect current isms documents. I am willign to help rewrite this if you want. s/explicitly// <Kaushik> Sure, that would help. </Kaushik> Section 3.1 I recommend moving the sentence starting "SSH integration" before the sentence starting "RADIUS will indicate" Section 3.2 s/support multiple/supports multiple/ s/used SSH/used by SSH/ s/clients,/clients;/ The sentence starting "the 'password' method" is not needed in this document; it is irrelevant to SNMP integration. The sentence starting "SSH server implementations tyically" is not needed. s/rely of implementation/rely on implementation/ 3.3 My mailer won't let me tell you that you have "the" mispelled as "teh" ;-) The paragraph starting "RADIUS Servers will usually" could be condensed. The sentence starting [radman] should start a new paragragh. 3.3.1 s/vlaue/value/ <Kaushik> Will fix these. </Kaushik> 3.3.2 What happens if RADIUS has authorization attributes from the access-accept saved and passed in tmStateRef provided by the transport model, but the security model (USM/community/etc.) does not use the authorized user (securityName) from the tmStateRef? <Kaushik> I am not sure about this question. The assumption here is that a specific security model (such as sshsm) MUST use the tmStateRef. Are you asking what if a security model uses a different securityName than the one saved in the tmStateRef. As per RFC2865, the RADIUS client will send the RADIUS state attribute received in the Access Accept unmodified in the subsequent RADIUS request. The security model won't be able to change the state attribute which would be used by the RADIUS server to provide authorization information. </Kaushik> The sentence starting "The User-based security mdoel integrates with VACM" is incorrect; USM integrates with the RFC3411 architecture, which integrates with VACM. The descritpotrion of the use of a local database is not consistent with the RFC3411 descriotio of this usage. This section talks about the proposed new mgmt-policy attributes, but we should try ot make th epoprosal not dependent on that proposal. See my general comments above. s/comprises a policy or group name/comprises a policy, e.g., a group name,/ s/mapping of the group name to/mapping of th epolicy name to/ "unlikely to change" and "likely to be based" are based on what experience? s/This mapping mechanisms is implementation specific/This mapping mechanisms is model- and implementation-specific/ 3.3.3 s/, at the most simple level,// s/RADIUS clients, with the NAS, initiates/A RADIUS client within the NAS initiates/ The sentence starting "In some cases" is not needed. The sentence starting "In many deployements" should start a new paragraph 3.3.4 TACACS needs a citation/reference s/separate out/separate/ 3.4 See general comments about securityname = RADIUS state attr 3.5 Sentence about accounting packets seems out of place; this should be dropped or expalined further. <Kaushik> Will fix these </Kaushik> 3.6 discussion of PAM is not needed. That is purely implementation-specific and we do not discuss implementation issues. <Kaushik> I think it is useful to mention PAM since that's prevelant model of integrating authentication mechanisms into SSH although it might be implementation specific. </Kaushik> "there is no equivalent shell" - is an SSH subsystem comparable to a shell? "The ability of the SSH server to use ..." is this sentence needed? s/such as PAM, provide/such as pAM, may provide/ "Transport Mapping Security Model" is no longer valid. "It is possible therefore," is inconsistent with the architecure, since the ACM does not get passed the tmStateRef. "make calls to the RADIUS client" - would this be clearer as "make calls to the RADIUS server"? 5. s/amy/may/ 7. [sshsm] is incorrect. <Kaushik> Will fix these. Thanks, kaushik </Kaushik> David Harrington dharrington@huawei.com dbharrington@comcast.net ietfdbh@comcast.net _______________________________________________ Isms mailing list Isms@lists.ietf.org https://www1.ietf.org/mailman/listinfo/isms _______________________________________________ Isms mailing list Isms@lists.ietf.org https://www1.ietf.org/mailman/listinfo/isms
- [Isms] Draft-narayan-isms-sshsm-radius-01 review David Harrington
- RE: [Isms] Draft-narayan-isms-sshsm-radius-01 rev… Kaushik Narayan (kaushik)