Re: [secdir] Secdir review of draft-ietf-isms-radius-vacm-09

"Randy Presuhn" <randy_presuhn@mindspring.com> Tue, 17 August 2010 19:43 UTC

From: "Randy Presuhn" <randy_presuhn@mindspring.com>
To: "Dave Nelson" <d.b.nelson@comcast.net>, =?iso-8859-1?Q?'Magnus_Nystr=F6m'?= <magnusn@gmail.com>, <secdir@ietf.org>, <iesg@ietf.org>, <draft-ietf-isms-radius-vacm@tools.ietf.org>
References: <AANLkTikOLU6mAXVMY-kJAHO4_9qiY+UFQZTAw2UWLM1d@mail.gmail.com> <7105B213EC2849C18053B4A2A2D79E24@NEWTON603>
Date: Tue, 17 Aug 2010 12:43:46 -0700
Subject: Re: [secdir] Secdir review of draft-ietf-isms-radius-vacm-09

Hi -

> From: "Dave Nelson" <d.b.nelson@comcast.net>
> To: "'Magnus Nyström'" <magnusn@gmail.com>; <secdir@ietf.org>; <iesg@ietf.org>; <draft-ietf-isms-radius-vacm@tools.ietf.org>
> Sent: Tuesday, August 17, 2010 4:53 AM
> Subject: RE: Secdir review of draft-ietf-isms-radius-vacm-09
>

> Magnus Nyström writes...
...
> > 4. In Section 7.2.3, how many groups can a user be a member of
> > for a given securityModel in this design? Only one?
>
> RFC 5607 allows zero or one instance of the Management-Policy-Id to occur in
> any RADIUS Access-Accept message, so for RADIUS usage it would be only one.

Likewise, the design of VACM (RFC 3415) maps a (securityModel, securityName)
tuple to a single group.  If multiple (different) pairings were received from RADIUS,
(or from the security administrator) only the most recent would be in effect.  I think
this makes both operational and security sense.

Randy
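The two rules discussed in this thread, at most one Management-Policy-Id per RADIUS Access-Accept (RFC 5607) and a VACM vacmSecurityToGroupTable that maps each (securityModel, securityName) pair to exactly one group with the most recent assignment winning (RFC 3415), can be modelled in a few lines. The following is an added illustration, not code from the draft or from any of the participants. The `AccessAccept` class is a constructed stand-in for a decoded RADIUS message, the numeric securityModel values are the standard SnmpSecurityModel assignments, and the choice to reject an Access-Accept that carries more than one Management-Policy-Id is an assumption about local policy, since the thread only states that the attribute occurs zero or one times.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# SnmpSecurityModel values (RFC 3411): 1 = SNMPv1, 2 = SNMPv2c, 3 = USM.
SNMPV3_USM = 3


@dataclass
class AccessAccept:
    """Constructed stand-in for a decoded RADIUS Access-Accept.

    attributes is a list of (attribute-name, value) pairs in wire order, so
    repeated attributes are visible and can be counted.
    """
    user_name: str
    attributes: List[Tuple[str, str]] = field(default_factory=list)


def management_policy_id(msg: AccessAccept) -> Optional[str]:
    """Return the Management-Policy-Id carried by an Access-Accept.

    RFC 5607 allows zero or one instance of the attribute. None means the
    attribute is absent; more than one instance is treated as a malformed
    message (local policy assumption for this example).
    """
    ids = [value for (name, value) in msg.attributes
           if name == "Management-Policy-Id"]
    if len(ids) > 1:
        raise ValueError(
            "Access-Accept carries %d Management-Policy-Id attributes; "
            "at most one is permitted" % len(ids))
    return ids[0] if ids else None


class SecurityToGroupTable:
    """Minimal model of vacmSecurityToGroupTable (RFC 3415).

    The table is indexed by (vacmSecurityModel, vacmSecurityName); each index
    holds a single vacmGroupName, so a user belongs to exactly one group per
    security model, and a later assignment replaces an earlier one.
    """

    def __init__(self) -> None:
        self._rows: Dict[Tuple[int, str], str] = {}

    def apply_access_accept(self, security_model: int,
                            msg: AccessAccept) -> Optional[str]:
        """Install the group named by the Access-Accept, if any.

        Returns the group now in effect for the user, or None when the message
        carried no Management-Policy-Id and the table was left untouched.
        """
        group = management_policy_id(msg)
        if group is None:
            return None
        # Last write wins: only the most recent pairing is in effect.
        self._rows[(security_model, msg.user_name)] = group
        return group

    def group_for(self, security_model: int,
                  security_name: str) -> Optional[str]:
        return self._rows.get((security_model, security_name))

    def groups_for_user(self, security_model: int, security_name: str) -> List[str]:
        """Every group the user is a member of under this security model (0 or 1)."""
        group = self.group_for(security_model, security_name)
        return [group] if group is not None else []


if __name__ == "__main__":
    table = SecurityToGroupTable()
    # Constructed sample messages for a user "alice".
    first = AccessAccept("alice", [("Management-Policy-Id", "read-only")])
    second = AccessAccept("alice", [("Management-Policy-Id", "operators")])
    table.apply_access_accept(SNMPV3_USM, first)
    table.apply_access_accept(SNMPV3_USM, second)
    print(table.groups_for_user(SNMPV3_USM, "alice"))  # ['operators']
```

Running the script shows that after two accepts for the same user only the later group remains, which is the single-group behaviour Randy describes; an accept without the attribute leaves any existing row alone, and one with two copies of the attribute is refused before it can touch the table.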