RE: [Isms] I-D ACTION:draft-narayan-isms-sshsm-radius-00.txt
"David Harrington" <ietfdbh@comcast.net> Fri, 23 June 2006 21:54 UTC
From: David Harrington <ietfdbh@comcast.net>
To: isms@ietf.org
Subject: RE: [Isms] I-D ACTION:draft-narayan-isms-sshsm-radius-00.txt
Date: Fri, 23 Jun 2006 17:52:44 -0400
Hi,

I started to read this draft. Unfortunately, this is not what was supposed to be written.

The consensus was that we wanted an "authorize-only" RADIUS extension, to make RADIUS authorization independent of the authentication phase. The authorize-only should be accessible from the access control subsystem; the rest of the SNMP engine knows nothing about this RADIUS support for data access control (e.g. VACM).

We explicitly did not want a RADIUS integration with SSHSM because that would violate the RFC3411 modularity and its separation of authentication and authorization.

1) If an operator wants RADIUS integration with SSH, that happens outside the SNMP engine. SSHSM and other security models should not need to know that SSH used RADIUS to authorize a session of SNMP management.

2) If an operator wants to use RADIUS to determine which VACM group to use for this user, that is handled strictly within the access control subsystem, using an authorize-only RADIUS extension, independently of the authentication provided via a security model, such as USM or SSHSM or USM/Kerberos.

Some operators want to authenticate their users with Kerberos, but then as a separate step ask RADIUS what data access control policies to apply to that user.

The interim meeting requirements for an authorize-only RADIUS extension were recapped in a mail message dated 3/16/06.

dbh

> -----Original Message-----
> From: isms-bounces@lists.ietf.org
> [mailto:isms-bounces@lists.ietf.org] On Behalf Of
> Internet-Drafts@ietf.org
> Sent: Wednesday, June 21, 2006 3:50 PM
> To: i-d-announce@ietf.org
> Subject: [Isms] I-D ACTION:draft-narayan-isms-sshsm-radius-00.txt
>
> A New Internet-Draft is available from the on-line
> Internet-Drafts directories.
>
>
> Title : RADIUS Usage for SNMP SSH Security Model
> Author(s) : K. Narayan, D. Nelson
> Filename : draft-narayan-isms-sshsm-radius-00.txt
> Pages : 12
> Date : 2006-6-21
>
> The Secure Shell Security Model (SSHSM) describes a Security Model
> for the Simple Network Management Protocol, using the Secure Shell
> protocol within a Transport Mapping. This memo describes the usage
> of the Secure Shell Security Model with a RADIUS authentication and
> authorization system.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-narayan-isms-sshsm-radius-00.txt
>
> To remove yourself from the I-D Announcement list, send a message to
> i-d-announce-request@ietf.org with the word unsubscribe in
> the body of the message.
> You can also visit
> https://www1.ietf.org/mailman/listinfo/I-D-announce
> to change your subscription settings.
>
>
> Internet-Drafts are also available by anonymous FTP. Login
> with the username
> "anonymous" and a password of your e-mail address. After logging in,
> type "cd internet-drafts" and then
> "get draft-narayan-isms-sshsm-radius-00.txt".
>
> A list of Internet-Drafts directories can be found in
> http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
>
> Internet-Drafts can also be obtained by e-mail.
>
> Send a message to:
> mailserv@ietf.org.
> In the body type:
> "FILE /internet-drafts/draft-narayan-isms-sshsm-radius-00.txt".
>
> NOTE: The mail server at ietf.org can return the document in
> MIME-encoded form by using the "mpack" utility. To use this
> feature, insert the command "ENCODING mime" before the "FILE"
> command. To decode the response(s), you will need "munpack" or
> a MIME-compliant mail reader. Different MIME-compliant
> mail readers
> exhibit different behavior, especially when dealing with
> "multipart" MIME messages (i.e. documents which have been split
> up into multiple messages), so check your local documentation on
> how to manipulate these messages.
>
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
>
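
The separation described in points 1 and 2 of the message above, sketched as an added example that is not part of the original post or of the draft: the security model hands up only a securityName, and the access control subsystem alone asks an authorize-only lookup for the VACM group. All class, function and table names are hypothetical, the RADIUS exchange is replaced by a constructed in-memory table, and the status strings are modelled on the isAccessAllowed results in RFC 3415.

```python
# Added illustration; every name here is hypothetical, not from the draft or an SNMP library.
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for an authorize-only RADIUS exchange: securityName -> VACM group.
# A real deployment would query a RADIUS server at this point.
CONSTRUCTED_RADIUS_POLICY = {"alice": "netops", "bob": "readonly"}

def radius_authorize_only(security_name: str) -> Optional[str]:
    """Return the group for an already-authenticated user, or None if unknown."""
    return CONSTRUCTED_RADIUS_POLICY.get(security_name)

@dataclass(frozen=True)
class AuthenticatedPrincipal:
    """What a security model hands upward; it carries no RADIUS state."""
    security_model: str   # e.g. "USM", "SSHSM", "USM/Kerberos"
    security_name: str

# Constructed view table: group -> (readable OID subtrees, writable OID subtrees).
VIEWS = {
    "netops": (("1.3.6.1.2.1",), ("1.3.6.1.2.1.2",)),
    "readonly": (("1.3.6.1.2.1.1",), ()),
}

def in_subtree(oid: str, subtree: str) -> bool:
    # Compare whole sub-identifiers, so 1.3.6.1.2.1.10 is not inside 1.3.6.1.2.1.1.
    o, s = oid.split("."), subtree.split(".")
    return o[:len(s)] == s

class AccessControlSubsystem:
    """Only this class knows that group selection is delegated to RADIUS."""
    def __init__(self, group_lookup: Callable[[str], Optional[str]]):
        self._group_lookup = group_lookup

    def is_access_allowed(self, who: AuthenticatedPrincipal, oid: str, write: bool) -> str:
        # The decision uses the securityName only; how the user authenticated is ignored.
        group = self._group_lookup(who.security_name)
        if group is None:
            return "noGroupName"      # fail closed: no policy answer means no access
        if group not in VIEWS:
            return "noAccessEntry"
        read_view, write_view = VIEWS[group]
        view = write_view if write else read_view
        if any(in_subtree(oid, st) for st in view):
            return "accessAllowed"
        return "notInView"
```
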