Re: [secdir] Review of draft-ietf-isms-radius-usage-05
"Dave Nelson" <d.b.nelson@comcast.net> Thu, 07 May 2009 03:20 UTC
Return-Path: <d.b.nelson@comcast.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CD0EE3A6BD8 for <secdir@core3.amsl.com>; Wed, 6 May 2009 20:20:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.149
X-Spam-Level:
X-Spam-Status: No, score=-2.149 tagged_above=-999 required=5 tests=[AWL=0.450, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M6V4C60t5fAF for <secdir@core3.amsl.com>; Wed, 6 May 2009 20:20:00 -0700 (PDT)
Received: from QMTA06.emeryville.ca.mail.comcast.net (qmta06.emeryville.ca.mail.comcast.net [76.96.30.56]) by core3.amsl.com (Postfix) with ESMTP id E4FDC3A6834 for <secdir@ietf.org>; Wed, 6 May 2009 20:19:59 -0700 (PDT)
Received: from OMTA08.emeryville.ca.mail.comcast.net ([76.96.30.12]) by QMTA06.emeryville.ca.mail.comcast.net with comcast id oQEZ1b00C0FhH24A6TMU61; Thu, 07 May 2009 03:21:28 +0000
Received: from NEWTON603 ([71.232.143.198]) by OMTA08.emeryville.ca.mail.comcast.net with comcast id oTMR1b00M4H2mdz8UTMSiE; Thu, 07 May 2009 03:21:28 +0000
From: Dave Nelson <d.b.nelson@comcast.net>
To: 'Sam Hartman' <hartmans-ietf@mit.edu>
References: <20090505171306.8D40E50822@romeo.rtfm.com><28137ED4FBEF49BBB99BCFF561806165@NEWTON603> <tsliqketdut.fsf@mit.edu>
Date: Wed, 06 May 2009 23:21:42 -0400
Message-ID: <AC4CD2443DC24FC4A89453B4DFE10ED6@NEWTON603>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <tsliqketdut.fsf@mit.edu>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
Thread-Index: AcnOZKzs1XbU7HBKQZe+rlYU3KOGKwAXEdFw
Cc: iesg@ietf.org, draft-ietf-isms-radius-usage@tools.ietf.org, isms-chairs@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-ietf-isms-radius-usage-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2009 03:20:00 -0000
Sam Hartman writes... > I'm sorry, but I didn't understand this answer at all. Yeah, I'm afraid I've muddled up what this document is about with what *might* happen outside the scope of the document, in an attempt to answer Eric's questions. > It seems like you're both saying "you can't do that with RADIUS > (what I thought the answer was)," and "the ssh server." I don't > understand how to reconcile those. Let me try again. What's being standardized is the use of RADIUS to outsource user authentication and service authorization for SNMP access. This works with SNMP Transport Models, e.g. with SSHTM. Only those authentication methods that are natively supported in RADIUS, e.g. password, are in scope for this document. In the case of SSH, there are other authentication methods, such as public key. Such methods cannot be use with RADIUS as described in this document. Full stop. I added some confusion when I attempted to indicate that SSH and SSHTM *might* be used with SSH public key authentication, but *not* with RADIUS. In that case the use authentication resides with the local SSH server implementation in the NAS. Presumably the public key(s) of the user(s) has/have been installed in the SSH server's local configuration data store. This has nothing to do with RADIUS. It has no central AAA component, and credentials are provisioned on a device-by-device basis. This is what many deployments of SSH with public key have today. It can be used with SNMP, after a fashion. However, it has nothing to do with the document under review. Sorry to have introduced that confusion.
- [secdir] Review of draft-ietf-isms-radius-usage-05 Eric Rescorla
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Dave Nelson
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Eric Rescorla
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Juergen Schoenwaelder
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Dave Nelson
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Sam Hartman
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Dave Nelson