[Isms] FW: Review of draft-ietf-isms-radius-usage-05
"Dave Nelson" <d.b.nelson@comcast.net> Wed, 06 May 2009 04:46 UTC
> -----Original Message-----
> From: Eric Rescorla [mailto:ekr@networkresonance.com]
> Sent: Tuesday, May 05, 2009 1:13 PM
> To: secdir@ietf.org; iesg@ietf.org
> Cc: draft-ietf-isms-radius-usage@tools.ietf.org; isms-chairs@tools.ietf.org
> Subject: Review of draft-ietf-isms-radius-usage-05
>
> $Id: draft-ietf-isms-radius-usage-05-rev.txt,v 1.1 2009/05/05 16:12:55 ekr Exp $
>
> This document is about the use of RADIUS servers with SNMP "transport
> models" (security protocols such as SSH used with SNMP). As far as I
> can tell, the idea is to explain how to outsource some of the
> authorization decisions to RADIUS.
>
> I found this document extremely difficult to read. I realize that
> the intended audience is for people with a lot of RADIUS and
> SNMP experience, but despite some familiarity with them, I had
> to work fairly hard to figure out what it was trying to say
> and I'm still not sure. This document would benefit very greatly
> from a diagram explaining how the authors think things are supposed
> to work.
>
> My big question is how the user authentication decisions are
> expected to be split between (e.g., SSH), and RADIUS. For
> example:
>
> - If the user has a password, who checks it, the RADIUS server
>   or the NAS? RADIUS certainly can do this.
> - If the user is authenticating with SSH pubkey auth, who
>   checks that?
>
> These seem like important architectural issues but I'm not getting
> them out of the document, and they should in particular
> be in the security considerations.
>
> IMO, this document would benefit from a rewrite that makes it a
> lot clearer to someone not enmeshed in the WG.
>
> S 2.
> I don't understand what the difference is between service authorization
> and access control in this context.
>
> S 2.3.
> I don't get the SHOULDs here. If you're defining how code points are
> set, why are these optional?