RE: [Isms] SSHSM RADIUS Integration draft(draft-narayan-isms-sshsm-radius-01.txt) submitted
"David Harrington" <ietfdbh@comcast.net> Wed, 14 March 2007 19:59 UTC
Return-path: <isms-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRZde-0000d4-Re; Wed, 14 Mar 2007 15:59:58 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRZdd-0000cw-J2 for isms@ietf.org; Wed, 14 Mar 2007 15:59:57 -0400
Received: from alnrmhc12.comcast.net ([204.127.225.92]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HRZdc-0008Kv-2H for isms@ietf.org; Wed, 14 Mar 2007 15:59:57 -0400
Received: from harrington73653 (c-24-128-104-207.hsd1.nh.comcast.net[24.128.104.207]) by comcast.net (alnrmhc12) with SMTP id <20070314195955b1200nni6oe>; Wed, 14 Mar 2007 19:59:55 +0000
From: David Harrington <ietfdbh@comcast.net>
To: "'Kaushik Narayan (kaushik)'" <kaushik@cisco.com>, isms@ietf.org
References: <618694EF0B657246A4D55A97E38274C30325ECA6@xmb-sjc-22d.amer.cisco.com>
Subject: RE: [Isms] SSHSM RADIUS Integration draft(draft-narayan-isms-sshsm-radius-01.txt) submitted
Date: Wed, 14 Mar 2007 15:59:51 -0400
Message-ID: <019701c76673$54139470$0600a8c0@china.huawei.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <618694EF0B657246A4D55A97E38274C30325ECA6@xmb-sjc-22d.amer.cisco.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Thread-Index: Acdmbc1EfazkBdlySeOyq4YZUbSbAwAAnfyA
X-Spam-Score: 0.1 (/)
X-Scan-Signature: c2e58d9873012c90703822e287241385
Cc:
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1172734834=="
Errors-To: isms-bounces@lists.ietf.org
Hi, Following ietf66, we changed direction somewhat in ISMS. There is no SSHSM anymore; there is a Transport subsystem, an SSH-TM (transport model), and a TSM (Transport Security Model). Currently, we do not pass the tmStateReference into the IsAccessAllowed ASI. I don't think we even pass it tothe applications, and the applications call IsAccessAllowed, so you may be talking about changing a few ASIs. Another way to approach the problem would be to use a MIB to store the transport&security information in a local configuration database addressable by securityName/securityModel/securityLevel and transportDomain/Address. Another RADIUS-specific MIB could contain RADIUS information, and that MIB could AUGMENT the transport&security MIB. Actually I can envision 3 MIB modules: 1) known to a specific transport model, indexed by securityN/L,transportD/A, independent of securityModel 2) known to the Transport Security Model, contains TSM-specific info indexed by securityN/L and trasnportD/A, indepednent of specific transport models but it can get a pointer to a specific transport row using securityNL,transportDA 3) a RADIUS-specific MIB indexed by securityM/N/L,transportDA. This MIB could store authoriaztion info and the RADIUS state. A RADIUS-spepxcifc ACM could check for a RADIUS state attribute in the transport model MIB. I'm not sure this maintains the modulairty as much as we want, but at least we' can try to lay the MIBs out in a way that they can remain independnent of each other, and define some common MOs to be used by potentially multiple models within a subsystem, and make the MOs accessible in a model-independent manner from other subsystems. dbh _____ From: Kaushik Narayan (kaushik) [mailto:kaushik@cisco.com] Sent: Wednesday, March 14, 2007 3:20 PM To: isms@ietf.org Subject: [Isms] SSHSM RADIUS Integration draft(draft-narayan-isms-sshsm-radius-01.txt) submitted Hi All, The RADIUS integration draft for SSHSM has been submitted to the drafts directory. The draft specifies details how RADIUS could be used as an authentication and authorization mechanism for SSHSM. This draft currently describes two approaches for integration of authorization information returned from the RADIUS server. a. Receive authorization information along with authentication request (traditional RADIUS model) & cache authorization information within TMSM. Augment VACM in an implementation-dependent fashion to fetch authorization parameters from TMSM (using tmStateReference). b. Define a new access control model that can issue direct RADIUS authorize-only requests to fetch authorization information on demand. This approach will also require the use of the TMSM cache to store the RADIUS state attribute. The draft does not elaborate on the details of such an access control model. We need further discussion within the WG on the two approaches and whether we need to elaborate on both. regards, David Nelson & Kaushik Narayan
_______________________________________________ Isms mailing list Isms@lists.ietf.org https://www1.ietf.org/mailman/listinfo/isms
- [Isms] SSHSM RADIUS Integration draft (draft-nara… Kaushik Narayan (kaushik)
- RE: [Isms] SSHSM RADIUS Integration draft(draft-n… David Harrington
- RE: [Isms] SSHSM RADIUS Integrationdraft(draft-na… David B. Nelson
- RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… David Harrington
- Re: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… Eliot Lear
- RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… David Harrington
- RE: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Kaushik Narayan (kaushik)
- Re: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… Eliot Lear
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Juergen Schoenwaelder
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Eliot Lear
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Juergen Schoenwaelder
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… David Harrington
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Kaushik Narayan (kaushik)
- Re: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Juergen Schoenwaelder
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Fleischman, Eric
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Kaushik Narayan (kaushik)
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Fleischman, Eric