[Isms] FW: Review of draft-ietf-isms-radius-usage-05

["Dave Nelson" <d.b.nelson@comcast.net>]

> -----Original Message-----
> From: Eric Rescorla [mailto:ekr@networkresonance.com]
> Sent: Tuesday, May 05, 2009 1:13 PM
> To: secdir@ietf.org; iesg@ietf.org
> Cc: draft-ietf-isms-radius-usage@tools.ietf.org; isms-
> chairs@tools.ietf.org
> Subject: Review of draft-ietf-isms-radius-usage-05
> 
> $Id: draft-ietf-isms-radius-usage-05-rev.txt,v 1.1 2009/05/05 16:12:55 ekr
> Exp $
> 
> This document is about the use of RADIUS servers with SNMP "transport
> models" (security protocols such as SSH used with SNMP). As far as I
> can tell, the idea is to explain how to outsource some of the
> authorization decisions to RADIUS.
> 
> I found this document extremely difficult to read. I realize that
> the intended audience is for people with a lot of RADIUS and
> SNMP experience, but despite some familiarity with them, I had
> to work fairly hard to figure out what it was trying to say
> and I'm still not sure. This document would benefit very greatly
> from a diagram explaining how the authors think things are supposed
> to work.
> 
> My big question is how the user authentication decisions are
> expected to be split between (e.g., SSH), and RADIUS. For
> example:
> 
> - If the user has a password, who checks it the RADIUS server
>   or the NAS? RADIUS certainly can do this.
> - If the user is authenticating with SSH pubkey auth, who
>   checks that?
> 
> These seem like important architectural issues but I'm not getting
> them out of the document, and they should in particular
> be in the security considerations.
> 
> IMO, this document would benefit from a rewrite that makes it a
> lot clearer to someone not enmeshed in the WG.
> 
> S 2.
> I don't understand what the difference is between service authorization
> and access control in this context.
> 
> S 2.3.
> I don't get the SHOULDs here. If you're defining how code points are
> set, why are these optional?