RE: [Isms] charter proposal
Kaushik Narayan <kaushik@cisco.com> Tue, 02 August 2005 17:52 UTC
Date: Tue, 02 Aug 2005 10:52:03 -0700
To: ietfdbh@comcast.net
From: Kaushik Narayan <kaushik@cisco.com>
Subject: RE: [Isms] charter proposal
In-Reply-To: <200508021721.NAA06692@ietf.org>
References: <20050802170625.GA7466@open-31-253.ietf63.ietf.org> <200508021721.NAA06692@ietf.org>
Cc: isms@ietf.org
Hi David,

I am not sure we need elaborate AAA work in order to allow for linkages between ISMS authentication and SNMPv3 VACM. Ideally the RADIUS work for this should happen in RADEXT, and I believe Dave Nelson and Greg Weber already have an ID that would be relevant:

http://www.ietf.org/internet-drafts/draft-nelson-radius-management-authorization-01.txt

regards,
kaushik!

At 10:21 AM 8/2/2005, David B Harrington wrote:
>Hi Juergen,
>
>From my limited experience looking at the problem,
>
>If we start to discuss HOW the SSH will support AAA, then we will need
>to discuss
>1) which AAA protocol?
>2) which AAA attributes contain the authorization information
>2a) should we use filterID, which is supposed to be for packet
>filtering, not policy management
>2b) should we define a new standard attribute for this purpose, since
>the only attributes available don't provide the granularity we need?
>2c) should vendors develop their own VSAs to provide this granularity?
>3) will we standardize the naming mechanisms for ACM policies?
>4) will we support user-to-group mappings or user-to-policy mappings
>(i.e. non-group policies)?
>
>And so on....
>
>I'd like to avoid the whole discussion of how to connect SNMP
>authorization to AAA authorization for now, and simply focus on how to
>connect SSH user-auth to SNMP user-auth.
>
>However, if the WG REALLY wants to trigger/capture AAA-authorization
>via the security model, we'll need to open that whole can of worms,
>because it will require changes to the architecture or an agreement of
>how to do it outside the architecture (wink, wink).
>
>David Harrington
>dbharrington@comcast.net
>
> > -----Original Message-----
> > From: Juergen Schoenwaelder [mailto:j.schoenwaelder@iu-bremen.de]
> > Sent: Tuesday, August 02, 2005 1:06 PM
> > To: David B Harrington
> > Cc: isms@ietf.org
> > Subject: Re: [Isms] charter proposal
> >
> > On Tue, Aug 02, 2005 at 12:54:06PM -0400, David B Harrington wrote:
> >
> > > Hmmmm. I am of the impression that, as a source for authentication,
> > > the use of AAA is an implementation-dependent detail of the SSH
> > > authentication; whether SSH authentication relies on RADIUS or AAA or
> > > local users to authenticate the transport connection and the user
> > > should be transparent to the SNMP engine, shouldn't it? If so, then it
> > > doesn't belong in the charter at all.
> >
> > I agree that this is fully transparent to the SNMP engine. On the
> > motivational side of the charter, I thought it might be worth
> > mentioning this since not everybody might be aware that SSH
> > authentication decisions can easily be outsourced to AAA servers,
> > something that was requested in the past by operators.
> >
> > > Where we run into the problem is if a TMSM also needs to somehow
> > > capture the authorization information returned by AAA so the AC
> > > subsystem can use it later. If we want that feature, and we seem to
> > > have a lot of people suggesting it is an important feature to support,
> > > then we need to address how to standardize that feature so future TMSM
> > > security models handle it in a compatible way.
> >
> > I simply did not put this in the charter since I do not yet understand
> > the dimension of this problem. I need to learn more about how AAA servers
> > provide this authorization information and what it looks like. Perhaps
> > someone here can educate me or point to the relevant specs to read.
> >
> > /js
> >
> > --
> > Juergen Schoenwaelder    International University Bremen
> > <http://www.eecs.iu-bremen.de/>    P.O. Box 750 561,
> > 28725 Bremen, Germany

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms