Re: [secdir] Secdir review of draft-ietf-isms-radius-vacm-09

"Dave Nelson" <d.b.nelson@comcast.net> Tue, 17 August 2010 11:52 UTC

From: Dave Nelson <d.b.nelson@comcast.net>
To: 'Magnus Nyström' <magnusn@gmail.com>, secdir@ietf.org, iesg@ietf.org, draft-ietf-isms-radius-vacm@tools.ietf.org
References: <AANLkTikOLU6mAXVMY-kJAHO4_9qiY+UFQZTAw2UWLM1d@mail.gmail.com>
Date: Tue, 17 Aug 2010 07:53:22 -0400
Message-ID: <7105B213EC2849C18053B4A2A2D79E24@NEWTON603>
Subject: Re: [secdir] Secdir review of draft-ietf-isms-radius-vacm-09
List-Id: Security Area Directorate <secdir.ietf.org>

Magnus Nyström writes...

> 3. Current sub-subsection 7.2.1 seems to indicate that neither
> the User-Name nor the Management-Policy-ID are required (says
> "or equivalent"). Please clarify if this is inconsistent with
> the text in 7.2 or not (maybe I'm missing something here).

Use of the term "or equivalent" is intended to cover the use of other AAA
protocols besides RADIUS.  For use with RADIUS, the User-Name and
Management-Policy-Id are required to use the mechanism described in this
document.  For some other, hypothetical, AAA service the equivalent
attributes may have other names.  This is just a bit of editorial
future-proofing.  The other IETF standard AAA protocol, Diameter, inherits
the RADIUS attribute space, so these attributes are also available via
Diameter.

> 4. In Section 7.2.3, how many groups can a user be a member of
> for a given securityModel in this design? Only one?

RFC 5607 allows zero or one instance of the Management-Policy-Id to occur in
any RADIUS Access-Accept message, so for RADIUS usage it would be only one.
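The two points in this reply (User-Name plus Management-Policy-Id drive the VACM user-to-group mapping, and RFC 5607 permits at most one Management-Policy-Id per Access-Accept, hence at most one group per user and securityModel) as an added example; this is illustrative code written for this archive page, not code from the draft, RFC 5607, or any RADIUS implementation. It parses a constructed Access-Accept, rejects a packet carrying more than one Management-Policy-Id, and derives a (securityModel, securityName, groupName) triple of the kind a vacmSecurityToGroupTable row holds. Assumptions: the attribute type number 135 for Management-Policy-Id and securityModel value 4 for TSM are taken from memory of RFC 5607 and RFC 5591 and should be checked against IANA; the Response Authenticator is not verified here, and a real RADIUS client must verify it before trusting any attribute.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Packet code and attribute types (RFC 2865). MANAGEMENT_POLICY_ID = 135 is
# the type I believe RFC 5607 assigns to Management-Policy-Id; assumption,
# verify against the IANA RADIUS attribute registry before relying on it.
ACCESS_ACCEPT = 2
USER_NAME = 1
MANAGEMENT_POLICY_ID = 135

# SNMPv3 securityModel value for the Transport Security Model (RFC 5591);
# assumption, used only as the first column of the derived mapping.
SNMP_TSM = 4


def build_access_accept(attrs: List[Tuple[int, bytes]], identifier: int = 1) -> bytes:
    """Constructed sample Access-Accept. The 16-byte Response Authenticator
    is zeroed because this example does not compute or verify it."""
    body = b"".join(struct.pack("!BB", atype, len(value) + 2) + value
                    for atype, value in attrs)
    length = 20 + len(body)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, length) + bytes(16) + body


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the RADIUS attribute TLVs, refusing anything that does not fit
    the advertised Length so a malformed reply cannot smuggle a policy in."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length != len(packet):
        raise ValueError("Length field does not match the packet size")
    attrs: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def vacm_group_mapping(packet: bytes, request_user_name: str,
                       security_model: int = SNMP_TSM) -> Optional[Tuple[int, str, str]]:
    """Derive (securityModel, securityName, groupName) from an Access-Accept.

    Returns None when the server sent no Management-Policy-Id (no group is
    provisioned from AAA). Raises if more than one is present, since RFC 5607
    allows zero or one instance; two is a protocol violation, not a second
    group membership. securityName comes from User-Name in the reply when the
    server included one, otherwise from the name used in the Access-Request;
    that fallback is an assumption of this example.
    """
    by_type: Dict[int, List[bytes]] = {}
    for atype, value in parse_attributes(packet):
        by_type.setdefault(atype, []).append(value)

    policies = by_type.get(MANAGEMENT_POLICY_ID, [])
    if len(policies) > 1:
        raise ValueError("more than one Management-Policy-Id; RFC 5607 allows 0-1")
    if not policies:
        return None

    names = by_type.get(USER_NAME, [])
    if len(names) > 1:
        raise ValueError("more than one User-Name in Access-Accept")
    security_name = names[0].decode("utf-8") if names else request_user_name
    group_name = policies[0].decode("utf-8")
    if not group_name:
        raise ValueError("empty Management-Policy-Id cannot name a VACM group")
    return (security_model, security_name, group_name)


if __name__ == "__main__":
    # Constructed reply: one User-Name, one Management-Policy-Id.
    accept = build_access_accept([(USER_NAME, b"alice"),
                                  (MANAGEMENT_POLICY_ID, b"snmp-readonly")])
    print(vacm_group_mapping(accept, "alice"))
```

With the accepted packet the mapping is (4, "alice", "snmp-readonly"), i.e. one vacmSecurityToGroupTable row; a reply with two Management-Policy-Id attributes is rejected outright rather than being read as membership in two groups.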