IETF Logo Mail Archive

Re: [Isms] SSHSM RADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt) submitted

Eliot Lear <lear@cisco.com> Thu, 15 March 2007 15:15 UTC

Return-path: <isms-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRrg5-0004Rw-60; Thu, 15 Mar 2007 11:15:41 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRrg4-0004Ro-Gh for isms@ietf.org; Thu, 15 Mar 2007 11:15:40 -0400
Received: from ams-iport-1.cisco.com ([144.254.224.140]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HRrg3-0007Gg-6b for isms@ietf.org; Thu, 15 Mar 2007 11:15:40 -0400
Received: from ams-dkim-2.cisco.com ([144.254.224.139]) by ams-iport-1.cisco.com with ESMTP; 15 Mar 2007 16:15:39 +0100
Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by ams-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id l2FFFciP016330; Thu, 15 Mar 2007 16:15:38 +0100
Received: from elear-mac.cisco.com (ams3-vpn-dhcp4443.cisco.com [10.61.81.90]) by ams-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id l2FFFXlZ017330; Thu, 15 Mar 2007 15:15:34 GMT
Message-ID: <45F96315.7090709@cisco.com>
Date: Thu, 15 Mar 2007 16:15:33 +0100
From: Eliot Lear <lear@cisco.com>
User-Agent: Thunderbird 2.0b2 (Macintosh/20070116)
MIME-Version: 1.0
To: David Harrington <ietfdbh@comcast.net>
Subject: Re: [Isms] SSHSM RADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt) submitted
References: <618694EF0B657246A4D55A97E38274C30325ECA6@xmb-sjc-22d.amer.cisco.com><019701c76673$54139470$0600a8c0@china.huawei.com> <001101c766fc$409fe180$6401a8c0@NEWTON603> <01df01c7670b$4eb38ec0$0600a8c0@china.huawei.com>
In-Reply-To: <01df01c7670b$4eb38ec0$0600a8c0@china.huawei.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1946; t=1173971738; x=1174835738; c=relaxed/simple; s=amsdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=lear@cisco.com; z=From:=20Eliot=20Lear=20<lear@cisco.com> |Subject:=20Re=3A=20[Isms]=20SSHSM=09RADIUSIntegrationdraft(draft-narayan -isms-sshsm-radius-01.txt)=0A=20submitted |Sender:=20; bh=p66il/IK2ZtjIQyCcRbQ2wOdxKF8Vrq6rz8SPGGoCzk=; b=ZY6Z5AAXVqTRhGfMlomd8TAghPE+CfXWxkQCaWtt9aIud//7TacaVEAH9CKyYbseqhucog4h VSb09PEKQ1gyWkaOuygEF2BN29N6vUZimruEYIxOIdFaCuHFyQ6D/bUs;
Authentication-Results: ams-dkim-2; header.From=lear@cisco.com; dkim=pass (s ig from cisco.com/amsdkim2001 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Cc: isms@ietf.org
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

David Harrington wrote:
>  
>
>   
>> The modularity of the current SNMP architecture seems to be 
>> predicated upon
>> the notion that passing around securityName is all that is 
>> ever needed.
>>     
>
> Roughly, that's true. 
> The other model-dependent details should be hidden within the specific
> models.
>
>   
>> That seems to be predicated on the notion that there is a local
>> configuration store that contains useful information addressed by
>> securityName. 
>>     
>
> That's not quite true. 
>
> In fact, the goal of the modularity is to NOT share model-specific
> information in the background through a LCD; that type of sharing is
> one of the problems that was so hard to fix in SNMPv2. We had problems
> because different operators/implementers want different capabilities
> for different reasons, and different SNMPv2 designs kept overwriting
> each other in the "global memory" that is the LCD. The modular
> approach allowed us to specify model-specific LCDs (MIB modules),
> modifiable only by the defining model, to prevent volatile changes to
> the data. 
>
>   
>> That seems to imply USM or something very much 
>> like it.  If
>> we really want to break the ties to USM, we're going to need 
>> to address this
>> issue.
>>     
>
> So far, I have not seen any proposals, either written or just proposed
> verbally, that provides a secure transport with all the security
> characteristics of USM. A critical feature of USM, not provided by SSH
> or TLS or RADIUS proposals so far, is local authentication with NO
> ties to a third party authenticator.
>   

Well define 3rd party.  BEEP with TLS+SASL does the job quite nicely, 
but when one uses TLS one must of course take some care regarding trust 
anchors.  If you're doing CRL checks then you are probably going off 
box, unless YOU signed the cert.  But most people don't do CRL checks at 
all.

Eliot

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

v2.23.0 | Report a Bug | By Email