IETF Logo Mail Archive

RE: [Isms] SSHSM RADIUS Integration draft(draft-narayan-isms-sshsm-radius-01.txt) submitted

"David Harrington" <ietfdbh@comcast.net> Wed, 14 March 2007 19:59 UTC

Return-path: <isms-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRZde-0000d4-Re; Wed, 14 Mar 2007 15:59:58 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRZdd-0000cw-J2 for isms@ietf.org; Wed, 14 Mar 2007 15:59:57 -0400
Received: from alnrmhc12.comcast.net ([204.127.225.92]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HRZdc-0008Kv-2H for isms@ietf.org; Wed, 14 Mar 2007 15:59:57 -0400
Received: from harrington73653 (c-24-128-104-207.hsd1.nh.comcast.net[24.128.104.207]) by comcast.net (alnrmhc12) with SMTP id <20070314195955b1200nni6oe>; Wed, 14 Mar 2007 19:59:55 +0000
From: David Harrington <ietfdbh@comcast.net>
To: "'Kaushik Narayan (kaushik)'" <kaushik@cisco.com>, isms@ietf.org
References: <618694EF0B657246A4D55A97E38274C30325ECA6@xmb-sjc-22d.amer.cisco.com>
Subject: RE: [Isms] SSHSM RADIUS Integration draft(draft-narayan-isms-sshsm-radius-01.txt) submitted
Date: Wed, 14 Mar 2007 15:59:51 -0400
Message-ID: <019701c76673$54139470$0600a8c0@china.huawei.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <618694EF0B657246A4D55A97E38274C30325ECA6@xmb-sjc-22d.amer.cisco.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Thread-Index: Acdmbc1EfazkBdlySeOyq4YZUbSbAwAAnfyA
X-Spam-Score: 0.1 (/)
X-Scan-Signature: c2e58d9873012c90703822e287241385
Cc:
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1172734834=="
Errors-To: isms-bounces@lists.ietf.org

Hi,
 
Following ietf66, we changed direction somewhat in ISMS. There is no
SSHSM anymore; there is a Transport subsystem, an SSH-TM (transport
model), and a TSM (Transport Security Model).
 
Currently, we do not pass the tmStateReference into the
IsAccessAllowed ASI. I don't think we even pass it tothe applications,
and the applications call IsAccessAllowed, so you may be talking about
changing a few ASIs.
 
Another way to approach the problem would be to use a MIB to store the
transport&security information in a local configuration database
addressable by securityName/securityModel/securityLevel and
transportDomain/Address. Another RADIUS-specific MIB could contain
RADIUS information, and that MIB could AUGMENT the transport&security
MIB.
 
Actually I can envision 3 MIB modules:
1) known to a specific transport model, indexed by
securityN/L,transportD/A, independent of securityModel
2) known to the Transport Security Model, contains TSM-specific info
indexed by securityN/L and trasnportD/A, indepednent of specific
transport models but it can get a pointer to a specific transport row
using securityNL,transportDA
3) a RADIUS-specific MIB indexed by securityM/N/L,transportDA. This
MIB could store authoriaztion info and the RADIUS state. A
RADIUS-spepxcifc ACM could check for a RADIUS state attribute in the
transport model MIB.
 
I'm not sure this maintains the modulairty as much as we want, but at
least we' can try to lay the MIBs out in a way that they can remain
independnent of each other, and define some common MOs to be used by
potentially multiple models within a subsystem, and make the MOs
accessible in a model-independent manner from other subsystems.
 
dbh
 


  _____  

From: Kaushik Narayan (kaushik) [mailto:kaushik@cisco.com] 
Sent: Wednesday, March 14, 2007 3:20 PM
To: isms@ietf.org
Subject: [Isms] SSHSM RADIUS Integration
draft(draft-narayan-isms-sshsm-radius-01.txt) submitted 


Hi All,
 
The RADIUS integration draft for SSHSM has been submitted to the
drafts directory. The draft specifies details how RADIUS could be used
as an authentication and authorization mechanism for SSHSM. 
 
This draft currently describes two approaches for integration of
authorization information returned from the RADIUS server.
 
a. Receive authorization information along with authentication request
(traditional RADIUS model) & cache authorization information within
TMSM. Augment VACM in an implementation-dependent fashion to fetch
authorization parameters from TMSM (using tmStateReference).
b. Define a new access control model that can issue direct RADIUS
authorize-only requests to fetch authorization information on demand.
This approach will also require the use of the TMSM cache to store the
RADIUS state attribute. The draft does not elaborate on the details of
such an access control model.
 
We need further discussion within the WG on the two approaches and
whether we need to elaborate on both. 
 
regards,
 David Nelson & Kaushik Narayan


_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

v2.23.0 | Report a Bug | By Email