[Isms] SSH tunneling and SNMPv3
"David B Harrington" <ietfdbh@comcast.net> Fri, 18 February 2005 16:56 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA06511; Fri, 18 Feb 2005 11:56:31 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D2BmK-0001Ui-PH; Fri, 18 Feb 2005 12:18:59 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D2B2l-0002Fl-Rh; Fri, 18 Feb 2005 11:31:51 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D2ANm-0000ZJ-CR for isms@megatron.ietf.org; Fri, 18 Feb 2005 10:49:30 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA20183 for <isms@ietf.org>; Fri, 18 Feb 2005 10:49:28 -0500 (EST)
Message-Id: <200502181549.KAA20183@ietf.org>
Received: from rwcrmhc11.comcast.net ([204.127.198.35]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1D2AjQ-0004rI-DP for isms@ietf.org; Fri, 18 Feb 2005 11:11:55 -0500
Received: from djyxpy41 (h00104b8ce2a3.ne.client2.attbi.com[24.128.104.220]) by comcast.net (rwcrmhc11) with SMTP id <2005021815485501300qnckhe>; Fri, 18 Feb 2005 15:48:55 +0000
From: David B Harrington <ietfdbh@comcast.net>
To: 'Martin Soukup' <msoukup@nortel.com>, 'Wes Hardaker' <hardaker@tislabs.com>, isms@ietf.org
Date: Fri, 18 Feb 2005 10:48:51 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
In-Reply-To: <0BDFFF51DC89434FA33F8B37FCE363D501F2B989@zcarhxm2.corp.nortel.com>
thread-index: AcUVmqXBRpoodBWtSOSUROrO3QhTyQALlXTg
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam-Score: 0.1 (/)
X-Scan-Signature: bc6181926481d86059e678c9f7cb8b34
Content-Transfer-Encoding: 7bit
Subject: [Isms] SSH tunneling and SNMPv3
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: ietfdbh@comcast.net
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Sender: isms-bounces@ietf.org
Errors-To: isms-bounces@ietf.org
X-Spam-Score: 0.9 (/)
X-Scan-Signature: 4b66a1e94d7d92973ece9e5da449ff80
Content-Transfer-Encoding: 7bit
Hi Martin, It is important to identify, preferably using SecSH terms and references, just what "SSH tunneling" means. SecSh Transport Layer Protocol provides authentication, integrity checking, and encryption. from draft-ietf-secsh-transport-22.txt: "Authentication in this protocol level is host-based; this protocol does not perform user authentication. A higher level protocol for user authentication can be designed on top of this protocol." SNMPv3 is designed to provide per-user controlled access to data, so host authentication is inadequate to meet the design goals for SNMPv3 (that were established by IETF consensus). The SecSH Authentication Protocol (draft-ietf-secsh-userauth-25.txt) provides user authentication, and that comes closer to meeting SNMPv3 per-user requirements. However, it is necessary to have a binding between the user authentication of SecSH and the user identity used for per-user access control. I could use SecSH authentication to establish a session for user "dbh", and then pass an SNMPv1 message claiming rights to the "super-user" community (or an SNMPv3 message claiming a USM identity of "super-user" rather than dbh). There needs to be a binding between the authentication of the user and the application of access permissions for that user. So either SecSH needs to be pass the authenticated user identity to the SNMP engine so SNMP can apply appropriate access control, or SNMP has to perform its own user authentication independent of SecSH. Also, SNMPv3 provides a wealth of features beyond authentication and privacy that are important to some, but not all, environments. I won't go into them here, because that is not within the scope of this WG. I leave it to you to understand the benefits of engineID, contextEngineID, a standardized proxy, a standardized notification addressing mechanism, a standardized notification filtering mechanism, etc. David Harrington dbharrington@comcast.net ________________________________ From: isms-bounces@lists.ietf.org [mailto:isms-bounces@lists.ietf.org] On Behalf Of Martin Soukup Sent: Friday, February 18, 2005 4:07 AM To: 'Wes Hardaker'; isms@ietf.org Subject: RE: [Isms] achieving market saturation with ISMS Wes, My understanding of the evaluation report was that there were two mandatory-to-implement mechanisms, one implicit and the other explicit. The explicit mechanism was in fact RADIUS but I believe the support of local accounts was implicitly required as well (where the device acts as a RADIUS key distributor) for clients connecting to it. Perhaps the evaluation team can confirm? I don't feel that those using SSH tunnelling require SNMPv3 (since SSH provides authentication and privacy), so I'm not sure where that combination comes from. Could you explain that? I agree with Wes' point that the result of this effort should be careful to address the requirement to make SNMPv3 deployment easy in existing deployments but I would note that from this survey it would appear that RADIUS is the market leader for centralized AAA, we just need to be sure to support non-centralized AAA as well. I think most of the people on the list have been saying this all along. Martin. > -----Original Message----- > From: isms-bounces@lists.ietf.org [mailto:isms-bounces@lists.ietf.org] On > Behalf Of Wes Hardaker > Sent: February 18, 2005 12:22 AM > To: isms@ietf.org > Subject: [Isms] achieving market saturation with ISMS > > > One of the whole reasons behind David and my efforts to get this work > under way within the IETF was to try and help the operators with > deployed authentication infrastructures (of any type) to be able to > access their devices securely over SNMPv3 using identical > authentication mechanisms. The most critical problem with deploying > SNMPv3 wasn't that it wasn't better than v1/v2c but that it was hard > to deploy due the maintenance it required. This is, of course, > already known. > > When we approached the IESG about starting a working group, we were > asked to prove that people needed such a change and this was the > reason many people weren't using SNMPv3 in the first place. To do > this, we offered a survey and advertised it to NANOG and a few other > places. We got 149 responses. Some of the questions that were asked > had surprising results, some were expected. > > To recap some of the important things to consider as this work goes > forward: > > 26% of the people that responded used SNMPv3 at that time. > > Of the various authentication systems in use at that time by the > people that responded: > > 66% local accounts > 49% SSH-keys > 40% Radius > 29% TACACS+ > 14% X.509 Certificates > 10% Kerberos > > [numbers don't add to 100 because more than one option could be > selected] > > This result set actually surprised me. I knew that SSH was popular as > was local accounts, but I actually expected Radius to be in greater > use than it was. 40% is certainly heavy usage, but it is hardly > market dominance. > > One of the reasons that I've told many people that I'd be happy with a > transport based solution, such as the TLSM solution had offered, even > though it wasn't my number one choice, was that it would at least meet > the criteria of getting the largest percentage of deployment > possible. Specifically, it would be easy to make it work with both > local accounts over a TLS tunnel as well as SSH based identities over > a SSH tunnel. Thus, it would likely have a huge impact on the > usability of SNMPv3. > > Where I'm going with all of this is that I disagree with section > 3.2 that states: > > The evaluation team also recommends, in the interest of > interoperability, that the working group select a single > mandatory-to-implement mechanism. The evaluation team recommends > RADIUS [RFC2865] for this purpose, due to its widespread use. > > If you offered operators a solution which was couched around Radius > and they didn't use it, you wouldn't be offering them anything. It's > somewhat akin to saying "Ok, we learned that you didn't like SNMPv3 > because you didn't want to maintain another infrastructure. We've now > fixed that, here install this different infrastructure (Radius) instead." > > We've already seen the ramifications of selecting an authentication > system which people didn't want to use. I don't think that if you > selected Radius as a mandatory to implement protocol that you would > much greater than 40% saturation with it, which in my opinion is way > too low. As much as the security side of me hates to say it, I think > we should strongly consider making local accounts the mandatory to > implement form because that is simply what is in use the most. > > Even worse, if EUSM-like is the path chosen it requires that Radius or > any other protocol be modified before it could be used by this > architecture. That's a rather important point, so I'll restate it. > The other protocols must be modified before they'll work. It's > important because it means the current deployed base of the modified > protocol is 0%. It means that even if you shipped the solution today, > everyone would have to upgrade their infrastructure or install new > infrastructures in order to make the solution work. That, to me, is > not giving the operators what they've been asking for: to make SNMPv3 > work with what they have today. > > -- > Wes Hardaker > Sparta > > _______________________________________________ > Isms mailing list > Isms@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/isms _______________________________________________ Isms mailing list Isms@lists.ietf.org https://www1.ietf.org/mailman/listinfo/isms
- [Isms] SSH tunneling and SNMPv3 David B Harrington
- Re: [Isms] achieving market saturation with ISMS Randy Presuhn
- Re: [Isms] achieving market saturation with ISMS Juergen Schoenwaelder
- RE: [Isms] achieving market saturation with ISMS David B Harrington