RE: [Isms] SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted
"Kaushik Narayan \(kaushik\)" <kaushik@cisco.com> Thu, 15 March 2007 23:04 UTC
Return-path: <isms-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRyzr-0001wg-84; Thu, 15 Mar 2007 19:04:35 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRyzq-0001wb-Go for isms@ietf.org; Thu, 15 Mar 2007 19:04:34 -0400
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HRyzp-0004LD-0e for isms@ietf.org; Thu, 15 Mar 2007 19:04:34 -0400
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-2.cisco.com with ESMTP; 15 Mar 2007 16:04:32 -0700
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id l2FN4W5p005320; Thu, 15 Mar 2007 16:04:32 -0700
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id l2FN4HFA006790; Thu, 15 Mar 2007 23:04:32 GMT
Received: from xmb-sjc-22d.amer.cisco.com ([128.107.191.68]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 15 Mar 2007 16:04:25 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Isms] SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted
Date: Thu, 15 Mar 2007 16:04:23 -0700
Message-ID: <618694EF0B657246A4D55A97E38274C3032CC615@xmb-sjc-22d.amer.cisco.com>
In-Reply-To: <01df01c7670b$4eb38ec0$0600a8c0@china.huawei.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Isms] SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted
Thread-Index: Acdmbc1EfazkBdlySeOyq4YZUbSbAwAAnfyAACLLchAAAtQuYAARPXPA
From: "Kaushik Narayan (kaushik)" <kaushik@cisco.com>
To: David Harrington <ietfdbh@comcast.net>, "David B. Nelson" <d.b.nelson@comcast.net>, isms@ietf.org
X-OriginalArrivalTime: 15 Mar 2007 23:04:25.0691 (UTC) FILETIME=[46DA52B0:01C76756]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4241; t=1173999872; x=1174863872; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=kaushik@cisco.com; z=From:=20=22Kaushik=20Narayan=20\(kaushik\)=22=20<kaushik@cisco.com> |Subject:=20RE=3A=20[Isms]=20SSHSMRADIUSIntegrationdraft(draft-narayan-is ms-sshsm-radius-01.txt)submitted=20 |Sender:=20; bh=amQ/+DHOPPyrVXdiun6xmj9edaD/Uf0gmq0JpXtkSjc=; b=1hCk/7S2vufC8ajrhryRIzVoCxQOIWjs+wvgalQOa2FjFV7+nZ/at5DePEwoW8Z2C2SECZ4i C6CWNK9R3jeLmDlx5WJxy38EFI0dkPewsQz1uafGqECLzjLCicA6mgE3;
Authentication-Results: sj-dkim-2; header.From=kaushik@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 057ebe9b96adec30a7efb2aeda4c26a4
Cc:
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org
Hi David, Please find my reply inline. <snipped> > That seems to be predicated on the notion that there is a local > configuration store that contains useful information addressed by > securityName. That's not quite true. In fact, the goal of the modularity is to NOT share model-specific information in the background through a LCD; that type of sharing is one of the problems that was so hard to fix in SNMPv2. We had problems because different operators/implementers want different capabilities for different reasons, and different SNMPv2 designs kept overwriting each other in the "global memory" that is the LCD. The modular approach allowed us to specify model-specific LCDs (MIB modules), modifiable only by the defining model, to prevent volatile changes to the data. <Kaushik> I think one of the issues being out here is that we still require the securityName(s) to be defined on every SNMP engine (similar to USM) and that creates a manageability issue. The reason administrators deploy external authentication mechanisms such as RADIUS is to avoid having to manage securityName(s) on every SNMP engine. > That seems to imply USM or something very much like it. If we really > want to break the ties to USM, we're going to need to address this > issue. So far, I have not seen any proposals, either written or just proposed verbally, that provides a secure transport with all the security characteristics of USM. A critical feature of USM, not provided by SSH or TLS or RADIUS proposals so far, is local authentication with NO ties to a third party authenticator. SNMP is deliberately built to work even when network connectivity is impaired. There are a number of design decisions based on this requirements, including having UDP as a mandatory-to-implement transport, messages sizes that do not require fragmentation, and local authentication. SNMP is designed to use a local authentication model (two-party - the manager and agent) rather than a three-party authentication model, because it might be impossible to reach the third party due to network impairment. Any solution that requires a third party authentication server, or a CA, or any other third-party security functionality does not meet all the requirements of SNMP. The USM model combined with the UDP/IPv4 transport model meets the SNMP "reachability" requirements and the SNMP message security requirements. We can **supplement** USM with secure transport models, and centralized authentication and authorization, that are easier to use but do not meet the "reachability" requirement, as long as USM and UDP transport are still mandatory to implement. I don't think we can break the ties to USM until we either 1) design a new security model that provides this non-reliance on third-parties at runtime, or 2) decide that the ability for SNMP to work when network connectivity is impaired is no longer a requirement of SNMP design. <Kaushik> It is very common in authentication systems to chain a set of authentication methods, I can think a similar capability is what is required. This is supported by PAM configuration that is typically used by SSH implementations. Alternatively we can build this into the security model and allow fallback to a local user database in case reachability is not available. regards, kaushik Dbh > > > Another way to approach the problem would be to use a MIB to store > > the transport&security information in a local configuration database > > addressable by securityName/securityModel/securityLevel and > > transportDomain/Address. Another RADIUS-specific MIB could contain > > RADIUS information, and that MIB could AUGMENT the > > transport&security MIB. > > So, maybe that is one way to address the issue. I'll need a bit to > time to absorb all this... > > > > > _______________________________________________ > Isms mailing list > Isms@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/isms > _______________________________________________ Isms mailing list Isms@lists.ietf.org https://www1.ietf.org/mailman/listinfo/isms _______________________________________________ Isms mailing list Isms@lists.ietf.org https://www1.ietf.org/mailman/listinfo/isms
- [Isms] SSHSM RADIUS Integration draft (draft-nara… Kaushik Narayan (kaushik)
- RE: [Isms] SSHSM RADIUS Integration draft(draft-n… David Harrington
- RE: [Isms] SSHSM RADIUS Integrationdraft(draft-na… David B. Nelson
- RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… David Harrington
- Re: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… Eliot Lear
- RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… David Harrington
- RE: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Kaushik Narayan (kaushik)
- Re: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… Eliot Lear
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Juergen Schoenwaelder
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Eliot Lear
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Juergen Schoenwaelder
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… David Harrington
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Kaushik Narayan (kaushik)
- Re: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Juergen Schoenwaelder
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Fleischman, Eric
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Kaushik Narayan (kaushik)
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Fleischman, Eric