RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt) submitted
"David Harrington" <ietfdbh@comcast.net> Thu, 15 March 2007 20:44 UTC
Return-path: <isms-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRwoX-0000JQ-Lx; Thu, 15 Mar 2007 16:44:45 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRwoW-0000JJ-6v for isms@ietf.org; Thu, 15 Mar 2007 16:44:44 -0400
Received: from alnrmhc16.comcast.net ([206.18.177.56]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HRwoT-0001tH-U3 for isms@ietf.org; Thu, 15 Mar 2007 16:44:44 -0400
Received: from harrington73653 (c-24-128-104-207.hsd1.nh.comcast.net[24.128.104.207]) by comcast.net (alnrmhc16) with SMTP id <20070315204441b160078cque>; Thu, 15 Mar 2007 20:44:41 +0000
From: David Harrington <ietfdbh@comcast.net>
To: 'Eliot Lear' <lear@cisco.com>
References: <618694EF0B657246A4D55A97E38274C30325ECA6@xmb-sjc-22d.amer.cisco.com><019701c76673$54139470$0600a8c0@china.huawei.com> <001101c766fc$409fe180$6401a8c0@NEWTON603> <01df01c7670b$4eb38ec0$0600a8c0@china.huawei.com> <45F96315.7090709@cisco.com>
Subject: RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt) submitted
Date: Thu, 15 Mar 2007 16:44:33 -0400
Message-ID: <024901c76742$be1db970$0600a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <45F96315.7090709@cisco.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Thread-Index: AcdnFMoJq1la8kY5Rj+Sh7pdV5191gAAYP5w
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 10d3e4e3c32e363f129e380e644649be
Cc: isms@ietf.org
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org
Party #1: an snmp engine (e.g., a manager) Party #2: another snmp engine (e.g., an agent) Party #3: anybody else not co-locaetd with #1 or #2 that needs to be involved. With USM, only #1 and #2 need to be able to reach each other. dbh > -----Original Message----- > From: Eliot Lear [mailto:lear@cisco.com] > Sent: Thursday, March 15, 2007 11:16 AM > To: David Harrington > Cc: 'David B. Nelson'; isms@ietf.org > Subject: Re: [Isms] SSHSM > RADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt) > submitted > > David Harrington wrote: > > > > > > > >> The modularity of the current SNMP architecture seems to be > >> predicated upon > >> the notion that passing around securityName is all that is > >> ever needed. > >> > > > > Roughly, that's true. > > The other model-dependent details should be hidden within > the specific > > models. > > > > > >> That seems to be predicated on the notion that there is a local > >> configuration store that contains useful information addressed by > >> securityName. > >> > > > > That's not quite true. > > > > In fact, the goal of the modularity is to NOT share model-specific > > information in the background through a LCD; that type of sharing is > > one of the problems that was so hard to fix in SNMPv2. We > had problems > > because different operators/implementers want different capabilities > > for different reasons, and different SNMPv2 designs kept overwriting > > each other in the "global memory" that is the LCD. The modular > > approach allowed us to specify model-specific LCDs (MIB modules), > > modifiable only by the defining model, to prevent volatile > changes to > > the data. > > > > > >> That seems to imply USM or something very much > >> like it. If > >> we really want to break the ties to USM, we're going to need > >> to address this > >> issue. > >> > > > > So far, I have not seen any proposals, either written or > just proposed > > verbally, that provides a secure transport with all the security > > characteristics of USM. A critical feature of USM, not > provided by SSH > > or TLS or RADIUS proposals so far, is local authentication with NO > > ties to a third party authenticator. > > > > Well define 3rd party. BEEP with TLS+SASL does the job quite nicely, > but when one uses TLS one must of course take some care > regarding trust > anchors. If you're doing CRL checks then you are probably going off > box, unless YOU signed the cert. But most people don't do > CRL checks at > all. > > Eliot > _______________________________________________ Isms mailing list Isms@lists.ietf.org https://www1.ietf.org/mailman/listinfo/isms
- [Isms] SSHSM RADIUS Integration draft (draft-nara… Kaushik Narayan (kaushik)
- RE: [Isms] SSHSM RADIUS Integration draft(draft-n… David Harrington
- RE: [Isms] SSHSM RADIUS Integrationdraft(draft-na… David B. Nelson
- RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… David Harrington
- Re: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… Eliot Lear
- RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… David Harrington
- RE: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Kaushik Narayan (kaushik)
- Re: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… Eliot Lear
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Juergen Schoenwaelder
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Eliot Lear
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Juergen Schoenwaelder
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… David Harrington
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Kaushik Narayan (kaushik)
- Re: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Juergen Schoenwaelder
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Fleischman, Eric
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Kaushik Narayan (kaushik)
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Fleischman, Eric