IETF Logo Mail Archive

RE: [Isms] SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted

"Kaushik Narayan \(kaushik\)" <kaushik@cisco.com> Thu, 15 March 2007 23:04 UTC

Return-path: <isms-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRyzr-0001wg-84; Thu, 15 Mar 2007 19:04:35 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRyzq-0001wb-Go for isms@ietf.org; Thu, 15 Mar 2007 19:04:34 -0400
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HRyzp-0004LD-0e for isms@ietf.org; Thu, 15 Mar 2007 19:04:34 -0400
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-2.cisco.com with ESMTP; 15 Mar 2007 16:04:32 -0700
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id l2FN4W5p005320; Thu, 15 Mar 2007 16:04:32 -0700
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id l2FN4HFA006790; Thu, 15 Mar 2007 23:04:32 GMT
Received: from xmb-sjc-22d.amer.cisco.com ([128.107.191.68]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 15 Mar 2007 16:04:25 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Isms] SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted
Date: Thu, 15 Mar 2007 16:04:23 -0700
Message-ID: <618694EF0B657246A4D55A97E38274C3032CC615@xmb-sjc-22d.amer.cisco.com>
In-Reply-To: <01df01c7670b$4eb38ec0$0600a8c0@china.huawei.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Isms] SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted
Thread-Index: Acdmbc1EfazkBdlySeOyq4YZUbSbAwAAnfyAACLLchAAAtQuYAARPXPA
From: "Kaushik Narayan (kaushik)" <kaushik@cisco.com>
To: David Harrington <ietfdbh@comcast.net>, "David B. Nelson" <d.b.nelson@comcast.net>, isms@ietf.org
X-OriginalArrivalTime: 15 Mar 2007 23:04:25.0691 (UTC) FILETIME=[46DA52B0:01C76756]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4241; t=1173999872; x=1174863872; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=kaushik@cisco.com; z=From:=20=22Kaushik=20Narayan=20\(kaushik\)=22=20<kaushik@cisco.com> |Subject:=20RE=3A=20[Isms]=20SSHSMRADIUSIntegrationdraft(draft-narayan-is ms-sshsm-radius-01.txt)submitted=20 |Sender:=20; bh=amQ/+DHOPPyrVXdiun6xmj9edaD/Uf0gmq0JpXtkSjc=; b=1hCk/7S2vufC8ajrhryRIzVoCxQOIWjs+wvgalQOa2FjFV7+nZ/at5DePEwoW8Z2C2SECZ4i C6CWNK9R3jeLmDlx5WJxy38EFI0dkPewsQz1uafGqECLzjLCicA6mgE3;
Authentication-Results: sj-dkim-2; header.From=kaushik@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 057ebe9b96adec30a7efb2aeda4c26a4
Cc:
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

Hi David,

Please find my reply inline. 

<snipped>

> That seems to be predicated on the notion that there is a local 
> configuration store that contains useful information addressed by 
> securityName.

That's not quite true. 

In fact, the goal of the modularity is to NOT share model-specific
information in the background through a LCD; that type of sharing is one
of the problems that was so hard to fix in SNMPv2. We had problems
because different operators/implementers want different capabilities for
different reasons, and different SNMPv2 designs kept overwriting each
other in the "global memory" that is the LCD. The modular approach
allowed us to specify model-specific LCDs (MIB modules), modifiable only
by the defining model, to prevent volatile changes to the data. 


<Kaushik> I think one of the issues being out here is that we still
require the securityName(s) to be defined on every SNMP engine (similar
to USM) and that creates a manageability issue. The reason
administrators deploy external authentication mechanisms such as RADIUS
is to avoid having to manage securityName(s) on every SNMP engine. 


> That seems to imply USM or something very much like it.  If we really 
> want to break the ties to USM, we're going to need to address this 
> issue.

So far, I have not seen any proposals, either written or just proposed
verbally, that provides a secure transport with all the security
characteristics of USM. A critical feature of USM, not provided by SSH
or TLS or RADIUS proposals so far, is local authentication with NO ties
to a third party authenticator.

SNMP is deliberately built to work even when network connectivity is
impaired. There are a number of design decisions based on this
requirements, including having UDP as a mandatory-to-implement
transport, messages sizes that do not require fragmentation, and local
authentication. SNMP is designed to use a local authentication model
(two-party - the manager and agent) rather than a three-party
authentication model, because it might be impossible to reach the third
party due to network impairment. Any solution that requires a third
party authentication server, or a CA, or any other third-party security
functionality does not meet all the requirements of SNMP.

The USM model combined with the UDP/IPv4 transport model meets the SNMP
"reachability" requirements and the SNMP message security requirements.
We can **supplement** USM with secure transport models, and centralized
authentication and authorization, that are easier to use but do not meet
the "reachability" requirement, as long as USM and UDP transport are
still mandatory to implement.

I don't think we can break the ties to USM until we either
1) design a new security model that provides this non-reliance on
third-parties at runtime, or
2) decide that the ability for SNMP to work when network connectivity is
impaired is no longer a requirement of SNMP design.


<Kaushik>  It is very common in authentication systems to chain a set of
authentication methods, I can think a similar capability is what is
required. This is supported by PAM configuration that is typically used
by SSH implementations. Alternatively we can build this into the
security model and allow fallback to a local user database in case
reachability is not available.

regards,
   kaushik



Dbh

> 
> > Another way to approach the problem would be to use a MIB to store 
> > the transport&security information in a local configuration database

> > addressable by securityName/securityModel/securityLevel and 
> > transportDomain/Address. Another RADIUS-specific MIB could contain 
> > RADIUS information, and that MIB could AUGMENT the 
> > transport&security MIB.
> 
> So, maybe that is one way to address the issue.  I'll need a bit to 
> time to absorb all this...
> 
> 
> 
> 
> _______________________________________________
> Isms mailing list
> Isms@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/isms
> 



_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

v2.23.0 | Report a Bug | By Email