IETF Logo Mail Archive

RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt) submitted

"David Harrington" <ietfdbh@comcast.net> Thu, 15 March 2007 20:44 UTC

Return-path: <isms-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRwoX-0000JQ-Lx; Thu, 15 Mar 2007 16:44:45 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRwoW-0000JJ-6v for isms@ietf.org; Thu, 15 Mar 2007 16:44:44 -0400
Received: from alnrmhc16.comcast.net ([206.18.177.56]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HRwoT-0001tH-U3 for isms@ietf.org; Thu, 15 Mar 2007 16:44:44 -0400
Received: from harrington73653 (c-24-128-104-207.hsd1.nh.comcast.net[24.128.104.207]) by comcast.net (alnrmhc16) with SMTP id <20070315204441b160078cque>; Thu, 15 Mar 2007 20:44:41 +0000
From: David Harrington <ietfdbh@comcast.net>
To: 'Eliot Lear' <lear@cisco.com>
References: <618694EF0B657246A4D55A97E38274C30325ECA6@xmb-sjc-22d.amer.cisco.com><019701c76673$54139470$0600a8c0@china.huawei.com> <001101c766fc$409fe180$6401a8c0@NEWTON603> <01df01c7670b$4eb38ec0$0600a8c0@china.huawei.com> <45F96315.7090709@cisco.com>
Subject: RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt) submitted
Date: Thu, 15 Mar 2007 16:44:33 -0400
Message-ID: <024901c76742$be1db970$0600a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <45F96315.7090709@cisco.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Thread-Index: AcdnFMoJq1la8kY5Rj+Sh7pdV5191gAAYP5w
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 10d3e4e3c32e363f129e380e644649be
Cc: isms@ietf.org
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

Party #1: an snmp engine (e.g., a manager) 
Party #2: another snmp engine (e.g., an agent)
Party #3: anybody else not co-locaetd with #1 or #2 that needs to be
involved.

With USM, only #1 and #2 need to be able to reach each other.

dbh
 

> -----Original Message-----
> From: Eliot Lear [mailto:lear@cisco.com] 
> Sent: Thursday, March 15, 2007 11:16 AM
> To: David Harrington
> Cc: 'David B. Nelson'; isms@ietf.org
> Subject: Re: [Isms] SSHSM 
> RADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)
>  submitted
> 
> David Harrington wrote:
> >  
> >
> >   
> >> The modularity of the current SNMP architecture seems to be 
> >> predicated upon
> >> the notion that passing around securityName is all that is 
> >> ever needed.
> >>     
> >
> > Roughly, that's true. 
> > The other model-dependent details should be hidden within 
> the specific
> > models.
> >
> >   
> >> That seems to be predicated on the notion that there is a local
> >> configuration store that contains useful information addressed by
> >> securityName. 
> >>     
> >
> > That's not quite true. 
> >
> > In fact, the goal of the modularity is to NOT share model-specific
> > information in the background through a LCD; that type of sharing
is
> > one of the problems that was so hard to fix in SNMPv2. We 
> had problems
> > because different operators/implementers want different
capabilities
> > for different reasons, and different SNMPv2 designs kept
overwriting
> > each other in the "global memory" that is the LCD. The modular
> > approach allowed us to specify model-specific LCDs (MIB modules),
> > modifiable only by the defining model, to prevent volatile 
> changes to
> > the data. 
> >
> >   
> >> That seems to imply USM or something very much 
> >> like it.  If
> >> we really want to break the ties to USM, we're going to need 
> >> to address this
> >> issue.
> >>     
> >
> > So far, I have not seen any proposals, either written or 
> just proposed
> > verbally, that provides a secure transport with all the security
> > characteristics of USM. A critical feature of USM, not 
> provided by SSH
> > or TLS or RADIUS proposals so far, is local authentication with NO
> > ties to a third party authenticator.
> >   
> 
> Well define 3rd party.  BEEP with TLS+SASL does the job quite
nicely, 
> but when one uses TLS one must of course take some care 
> regarding trust 
> anchors.  If you're doing CRL checks then you are probably going off

> box, unless YOU signed the cert.  But most people don't do 
> CRL checks at 
> all.
> 
> Eliot
> 



_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

v2.23.0 | Report a Bug | By Email