IETF Logo Mail Archive

Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted

Eliot Lear <lear@cisco.com> Fri, 16 March 2007 11:26 UTC

Return-path: <isms-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HSAZd-00071w-SH; Fri, 16 Mar 2007 07:26:17 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HSAZc-00071h-EB for isms@ietf.org; Fri, 16 Mar 2007 07:26:16 -0400
Received: from ams-iport-1.cisco.com ([144.254.224.140]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HSAZX-0003nU-In for isms@ietf.org; Fri, 16 Mar 2007 07:26:16 -0400
Received: from ams-dkim-1.cisco.com ([144.254.224.138]) by ams-iport-1.cisco.com with ESMTP; 16 Mar 2007 12:26:10 +0100
Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by ams-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id l2GBQ8ES001295; Fri, 16 Mar 2007 12:26:08 +0100
Received: from elear-mac.cisco.com (ams3-vpn-dhcp4443.cisco.com [10.61.81.90]) by ams-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id l2GBQ8lZ013547; Fri, 16 Mar 2007 11:26:08 GMT
Message-ID: <45FA7ED0.3060600@cisco.com>
Date: Fri, 16 Mar 2007 12:26:08 +0100
From: Eliot Lear <lear@cisco.com>
User-Agent: Thunderbird 2.0b2 (Macintosh/20070116)
MIME-Version: 1.0
To: "Kaushik Narayan (kaushik)" <kaushik@cisco.com>, David Harrington <ietfdbh@comcast.net>, "David B. Nelson" <d.b.nelson@comcast.net>, isms@ietf.org
Subject: Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted
References: <01df01c7670b$4eb38ec0$0600a8c0@china.huawei.com> <618694EF0B657246A4D55A97E38274C3032CC615@xmb-sjc-22d.amer.cisco.com> <20070316084724.GE759@elstar.iuhb02.iu-bremen.de>
In-Reply-To: <20070316084724.GE759@elstar.iuhb02.iu-bremen.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1797; t=1174044368; x=1174908368; c=relaxed/simple; s=amsdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=lear@cisco.com; z=From:=20Eliot=20Lear=20<lear@cisco.com> |Subject:=20Re=3A=20[Isms]=09SSHSMRADIUSIntegrationdraft(draft-narayan-is ms-sshsm-radius-01.txt)submitted |Sender:=20; bh=w3ddwkt30Olubfw8pqJyoMAlAaSjJqknz/pwfEqfmlc=; b=rxLKQQdkNbiwE/5Jt/IPxhctB55YsNKms3pmlFk4Zv+2xwdIdYNUW1z+nOM4jAuOEQBKH04q wOdVF3HcDXd+tM0UEl0Saed7p3HzIAjhYJl7OGJ3OC4zTrWOyMZwUkdk;
Authentication-Results: ams-dkim-1; header.From=lear@cisco.com; dkim=pass (s ig from cisco.com/amsdkim1002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e1e48a527f609d1be2bc8d8a70eb76cb
Cc:
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

Juergen Schoenwaelder wrote:
> Anyway, I am in general quite confused by this thread as it seems that
> people talk about different things without really trying to understand
> the other's background / terminology / view of the world.
>
> Perhaps it helps to go through the RADIUS document and to bring up
> paragraphs that are considered problematic and to propose alternative
> text fragments so that we avoid getting trapped in some general and
> abstract discussions that we had in the past and which might not be
> effective to improve our documents.
>   

TMSM should work both with a local store AND radius.  If there are 
problems with either that's what needs to be found.  This thread came up 
because David Nelson wrote:
> The modularity of the current SNMP architecture seems to be predicated upon
> the notion that passing around securityName is all that is ever needed.
> That seems to be predicated on the notion that there is a local
> configuration store that contains useful information addressed by
> securityName.  That seems to imply USM or something very much like it.  If
> we really want to break the ties to USM, we're going to need to address this
> issue.
>   


And then Dave Harrington responded:


> So far, I have not seen any proposals, either written or just proposed
> verbally, that provides a secure transport with all the security
> characteristics of USM. A critical feature of USM, not provided by SSH
> or TLS or RADIUS proposals so far, is local authentication with NO
> ties to a third party authenticator.
>   


Kaushik, Keith and I proposed a method last summer that would have 
precisely addressed the 2nd sentence in that paragraph.  I believe this 
leaves David Nelson's question somewhat unanswered.

Eliot

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

v2.23.0 | Report a Bug | By Email