RE: [Isms] I-D ACTION:draft-narayan-isms-sshsm-radius-00.txt

"David Harrington" <ietfdbh@comcast.net> Fri, 23 June 2006 21:54 UTC

From: David Harrington <ietfdbh@comcast.net>
To: isms@ietf.org
Subject: RE: [Isms] I-D ACTION:draft-narayan-isms-sshsm-radius-00.txt
Date: Fri, 23 Jun 2006 17:52:44 -0400
Message-ID: <000d01c6970f$5cec4710$0400a8c0@china.huawei.com>
In-reply-to: <E1Ft8iA-0003mq-4o@stiedprstage1.ietf.org>

Hi,

I started to read this draft. Unfortunately, this is not what was
supposed to be written.

The consensus was that we wanted an "authorize-only" RADIUS extension,
to make RADIUS authorization independent of the authentication phase.
The authorize-only should be accessible from the access control
subsystem; the rest of the SNMP engine knows nothing about this RADIUS
support for data access control (e.g. VACM). We explicitly did not
want a RADIUS integration with SSHSM because that would violate the
RFC3411 modularity and its separation of authentication and
authorization.

1) If an operator wants RADIUS integration with SSH, that happens
outside the SNMP engine. SSHSM and other security models should not
need to know that SSH used RADIUS to authorize a session of SNMP
management.

2) If an operator wants to use RADIUS to determine which VACM group to
use for this user, that is handled strictly within the access control
subsystem, using an authorize-only RADIUS extension, independently of
the authentication provided via a security model, such as USM or SSHSM
or USM/Kerberos. Some operators want to authenticate their users with
Kerberos, but then as a separate step ask RADIUS what data access
control policies to apply to that user.

The interim meeting requirements for an authorize-only RADIUS
extension were recapped in a mail message dated 3/16/06.

dbh

> -----Original Message-----
> From: isms-bounces@lists.ietf.org 
> [mailto:isms-bounces@lists.ietf.org] On Behalf Of 
> Internet-Drafts@ietf.org
> Sent: Wednesday, June 21, 2006 3:50 PM
> To: i-d-announce@ietf.org
> Subject: [Isms] I-D ACTION:draft-narayan-isms-sshsm-radius-00.txt 
> 
> A New Internet-Draft is available from the on-line 
> Internet-Drafts directories.
> 
> 
> 	Title		: RADIUS Usage for SNMP SSH Security Model
> 	Author(s)	: K. Narayan, D. Nelson
> 	Filename	: draft-narayan-isms-sshsm-radius-00.txt
> 	Pages		: 12
> 	Date		: 2006-6-21
> 	
>    The Secure Shell Security Model (SSHSM) describes a Security Model
>    for the Simple Network Management Protocol, using the Secure Shell
>    protocol within a Transport Mapping.  This memo describes the usage
>    of the Secure Shell Security Model with a RADIUS authentication and
>    authorization system.
> 
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-narayan-isms-sshsm-radius-00.txt
> 
> To remove yourself from the I-D Announcement list, send a message to
> i-d-announce-request@ietf.org with the word unsubscribe in
> the body of the message.
> You can also visit
> https://www1.ietf.org/mailman/listinfo/I-D-announce
> to change your subscription settings.
> 
> 
> Internet-Drafts are also available by anonymous FTP. Login 
> with the username
> "anonymous" and a password of your e-mail address. After logging in,
> type "cd internet-drafts" and then
> 	"get draft-narayan-isms-sshsm-radius-00.txt".
> 
> A list of Internet-Drafts directories can be found in
> http://www.ietf.org/shadow.html 
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> 
> 
> Internet-Drafts can also be obtained by e-mail.
> 
> Send a message to:
> 	mailserv@ietf.org.
> In the body type:
> 	"FILE /internet-drafts/draft-narayan-isms-sshsm-radius-00.txt".
> 	
> NOTE:	The mail server at ietf.org can return the document in
> 	MIME-encoded form by using the "mpack" utility.  To use this
> 	feature, insert the command "ENCODING mime" before the "FILE"
> 	command.  To decode the response(s), you will need "munpack" or
> 	a MIME-compliant mail reader.  Different MIME-compliant mail readers
> 	exhibit different behavior, especially when dealing with
> 	"multipart" MIME messages (i.e. documents which have been split
> 	up into multiple messages), so check your local documentation on
> 	how to manipulate these messages.
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
> 


_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
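As an added illustration of the layering dbh argues for (this is not code from the draft, from the message, or from any IETF implementation): a VACM-style isAccessAllowed check in which only the securityName-to-group step may consult an authorize-only backend, so USM and SSHSM receive the same authorization answer while neither security model sees the lookup. The backend is a constructed dict standing in for a RADIUS reply, the view semantics follow vacmViewTreeFamilyMask, and names such as `authorize_only_resolver` are assumptions of this example.

```python
from typing import Callable, Dict, Optional, Tuple
# (securityModel, securityName) -> groupName. In the layering argued for above
# this is the only step of the access check that may ask an external
# authorize-only service; the security model that authenticated the principal
# (USM, SSHSM, ...) never sees that lookup.
GroupResolver = Callable[[str, str], Optional[str]]

def local_group_resolver(table: Dict[Tuple[str, str], str]) -> GroupResolver:
    return lambda model, name: table.get((model, name))

def authorize_only_resolver(backend: Callable[[str], Optional[str]],
                            fallback: GroupResolver) -> GroupResolver:
    # Hypothetical authorize-only backend keyed on securityName only; the
    # securityModel is deliberately not forwarded to it.
    def resolve(model: str, name: str) -> Optional[str]:
        group = backend(name)
        return group if group is not None else fallback(model, name)
    return resolve

# A view is a list of (subtree, mask, included). Mask bit 1 = sub-identifier
# must match, 0 = wildcard (as vacmViewTreeFamilyMask); longest match wins.
def oid_in_view(oid: Tuple[int, ...], view) -> bool:
    best = None
    for subtree, mask, included in view:
        if len(oid) >= len(subtree) and all(
                m == 0 or o == s for o, s, m in zip(oid, subtree, mask)):
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, included)
    return best is not None and best[1]

def is_access_allowed(resolver: GroupResolver, access, views, model: str,
                      name: str, context: str, view_type: str, oid) -> str:
    group = resolver(model, name)
    if group is None:
        return "noGroupName"
    entry = access.get((group, context))
    if entry is None:
        return "noAccessEntry"
    view_name = entry.get(view_type)
    if view_name is None:
        return "noSuchView"
    return "accessAllowed" if oid_in_view(oid, views[view_name]) else "notInView"

# Constructed sample tables, not taken from the draft or the message.
SYSTEM = (1, 3, 6, 1, 2, 1, 1)
VIEWS = {"sysView": [(SYSTEM, (1,) * 7, True),
                     (SYSTEM + (6,), (1,) * 8, False)]}  # sysLocation excluded
ACCESS = {("ops", ""): {"read": "sysView"}}
RESOLVER = authorize_only_resolver({"alice": "ops"}.get,  # stand-in RADIUS reply
                                   local_group_resolver({("USM", "bob"): "ops"}))
```

Note that "bob" is only authorized when authenticated through USM, because the local table is keyed on the security model, whereas "alice" gets the same group whichever model authenticated her.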