[NGO] access control
"David B Harrington" <dbharrington@comcast.net> Tue, 18 March 2008 17:01 UTC
Return-Path: <ngo-bounces@ietf.org>
X-Original-To: ietfarch-ngo-archive@core3.amsl.com
Delivered-To: ietfarch-ngo-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1384528C6D6; Tue, 18 Mar 2008 10:01:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.797
X-Spam-Level:
X-Spam-Status: No, score=-100.797 tagged_above=-999 required=5 tests=[AWL=-0.360, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uZxYV07lDMOm; Tue, 18 Mar 2008 10:01:52 -0700 (PDT)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B7F6128C654; Tue, 18 Mar 2008 10:01:52 -0700 (PDT)
X-Original-To: ngo@core3.amsl.com
Delivered-To: ngo@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6AB1728C320 for <ngo@core3.amsl.com>; Tue, 18 Mar 2008 10:01:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bELQxX8JDYQK for <ngo@core3.amsl.com>; Tue, 18 Mar 2008 10:01:09 -0700 (PDT)
Received: from QMTA02.emeryville.ca.mail.comcast.net (qmta02.emeryville.ca.mail.comcast.net [76.96.30.24]) by core3.amsl.com (Postfix) with ESMTP id E98B828C654 for <ngo@ietf.org>; Tue, 18 Mar 2008 10:01:07 -0700 (PDT)
Received: from OMTA04.emeryville.ca.mail.comcast.net ([76.96.30.35]) by QMTA02.emeryville.ca.mail.comcast.net with comcast id 2cfa1Z0040lTkoCA20Kl00; Tue, 18 Mar 2008 16:57:55 +0000
Received: from Harrington73653 ([24.128.66.199]) by OMTA04.emeryville.ca.mail.comcast.net with comcast id 2gyk1Z0024HwxpC8Q00000; Tue, 18 Mar 2008 16:58:48 +0000
X-Authority-Analysis: v=1.0 c=1 a=9yZmsIiSVyS-4Tx5Zi0A:9 a=qX5ItqfyK6ZFIFTZ9hJTsmb3FV8A:4 a=si9q_4b84H0A:10 a=hPjdaMEvmhQA:10 a=50e4U0PicR4A:10
From: David B Harrington <dbharrington@comcast.net>
To: 'NETCONF Goes On' <ngo@ietf.org>
Date: Tue, 18 Mar 2008 12:58:43 -0400
Message-ID: <012e01c88919$53aa3330$6c02a8c0@china.huawei.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AciJEZ3Sfg6lVQPzSHmI+1vodrJaPwAB30pQ
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
X-Mailman-Approved-At: Tue, 18 Mar 2008 10:01:51 -0700
Subject: [NGO] access control
X-BeenThere: ngo@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NETCONF Goes On - discussions on future work and extensions to NETCONF <ngo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ngo>, <mailto:ngo-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ngo>
List-Post: <mailto:ngo@ietf.org>
List-Help: <mailto:ngo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ngo>, <mailto:ngo-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ngo-bounces@ietf.org
Errors-To: ngo-bounces@ietf.org
Hi, Mehmet, Andy, and I think access control needs to be discussed somewhat. Many people in this WG do not have much experience with access control issues, so let me try to provide a touch of background why this is important to discuss. I am going to change terminology a bit. In ISMS we have found that the SNMP term "access control" conflicts with other definitions of access control, especially the access to network services provided by AAA protocols. Really what we need to talk about is authorization, and it is authorization to have access to something. RADEXT and ISMS are developing an authorization solution based on named policies, and the solution will work for SNMP, CLI, Netconf, and other management protocols. This work will work with RADIUS and Diameter and can be extended to other AAA protocols. Effectively, it will provide a way to dynamically determine which authorization policy should be applied to a user. This should solve part of the problem for you. What the RADEXT/ISMS solution won't do is discuss how to apply the policy to your protocol and data models. This WG needs to think about what types of authorization need to be applied. we need to consider whether authorization to read/write/create configuration information will be applied at the level of the data elements, or the document, or the operation, or the class, or something else. It might be possible to do it multiple ways, but having one standard approach will improve security and interoperability. We need to understand how authorization approaches might impact the way our protocol works, and **especially** the way operators have to "think about" authorization policies. In SNMP, using the View-based access control approach, operators need to think about authorizing read and write access to trees of data elements. When operators perform a task such as provisioning a service, all the knobs they need to manipulate are not necesarily in the same subtree. In addition, an administrator manager might want to authorize an operator to be able to perform a particular task, but not other tasks that might happen to touch the same data elements. There is a mismatch between a task-based "model" and the tree-based data model in SNMP. This mismatch can make defining authorization policies NOT very operator-friendly. If authorization is based on operations, and all operations are defined as part of the base protocol, this is fairly easy. If new operations can be added as part of data models, this becomes more complex. It becomes especially complex if vendors add new data models in each release, or data models can be added incrementally in a master-subagent implementation, or if users somehow can add new data models the administrators don't even know about such as by adding a new blade to a chassis. And if we don't standardize how operation-based authorization is going to be done before we start publishing models with new operations, then the onus will be on the operators to figure it out. That is NOT operator-friendly. If authorization is based on XML documents, and those XML documents represent full configuration datastores, then we don't have much granularity. If we can authorize access to parts of an XML document, then we have to work out how one defines the parts including those that might be developed as vendor-specific models. Do operators think about configuration in terms of parts of XML documents? Some probably do, depending on how they do configuration management. Does anybody think that defining authorization rules defining a long list of XPath expressions and evaluating how those rules will intersect and overlap will be human-friendly? As we design a human-friendly modeling language, we need to think about what will make defining authorization rules for Netconf human-friendly. David Harrington dbharrington@comcast.net ietfdbh@comcast.net dharrington@huawei.com _______________________________________________ NGO mailing list NGO@ietf.org https://www.ietf.org/mailman/listinfo/ngo
- [NGO] access control David B Harrington
- Re: [NGO] access control Andy Bierman
- Re: [NGO] access control Juergen Schoenwaelder
- Re: [NGO] access control Andy Bierman
- Re: [NGO] access control Bert Wijnen - IETF
- Re: [NGO] access control Juergen Schoenwaelder
- Re: [NGO] access control Andy Bierman
- Re: [NGO] access control Juergen Schoenwaelder