RE: [Isms] Re: modularity
Tom,

I agree with you about VacmGroup mappings. My primary hope for ISMS is
to leverage existing authentication systems for SNMP authentication and
authorization. If those systems support "roles" then roles (including
RBAC) are also supported. However, these issues are determined by the
authentication system, which is external to SNMP, and the specific
authentication and authorization schema should be transparent to SNMP
itself.

The issues that I am struggling with from these many recent postings are

(1) "what are the SNMP interfaces to that external authentication
system?" and 
(2) "How much does ISMS leverage SNMPv3 USM and VACM? I.e., does it do
'security level' in the traditional way or has all security been
'outsourced' to another element?"

Reading the various postings, it seems to me that the WG still doesn't
have a common model in mind for these fundamental -- and core -- design
issues. I am particularly alarmed that some still want to make minimal
changes to SNMPv3 USM and VACM and others want to make major
replacements to USM and VACM. Can we please reach consensus on that
fundamental point, which, to me, is much more fundamental than whether
we use SSH or TLS or DTLS?

--Eric

-----Original Message-----
From: Tom Petch [mailto:nwnetworks at dial.pipex.com] 
Sent: Monday, August 01, 2005 10:31 AM
To: Randy Presuhn; isms at ietf.org
Subject: Re: [Isms] Re: modularity


I find myself thinking that user to VacmGroup mapping does not belong in
either SM or ACM and that that is the crux of the problem.  Integration
with existing security structure means, for me, that the authoritative
engine for this mapping is elsewhere, in the organisation's security
server, e.g. in RADIUS, so that placing it in either SM or ACM is or will
be a problem for SM or ACM or both.  Rather, SNMP should only be caching
this information for as little time as it needs it, be that in
'manager', 'agent' or wherever, a bit like the state references in the
ASIs.

As I have commented before, SNMPv3 sets out to do everything for itself,
to be complete in itself, and that is no longer the market place we are
in.

The actual access rules within VACM are a different matter, because they
are so SNMP-specific, so I do see them as properly part of an ACM MIB in
the engine of the Command Responder.

Tom Petch
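The split Tom describes (the authoritative user-to-VacmGroup mapping lives outside SNMP, the agent only caches it briefly, and the SNMP-specific VACM access rules stay local to the command responder) can be sketched in code. The following is an added example written for this page; it is not code from the thread or from any ISMS draft or implementation. The directory contents, group names, view subtrees and the 30-second TTL are constructed assumptions, and `external_group_lookup` is a stand-in for whatever the organisation's security server (e.g. RADIUS) would answer.

```python
"""Sketch of Tom's proposed split: principal -> group mapping is authoritative
elsewhere and only cached by the SNMP engine for a short TTL; the access rules
(what VACM's vacmAccessTable expresses) are local to the command responder."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the organisation's security server (e.g. a RADIUS
# reply carrying the SNMP group of an authenticated user). Hypothetical data.
EXTERNAL_GROUP_DIRECTORY: Dict[str, str] = {"alice": "operators", "bob": "readonly"}


def external_group_lookup(security_name: str) -> Optional[str]:
    """Ask the authoritative external server which group a principal belongs to."""
    return EXTERNAL_GROUP_DIRECTORY.get(security_name)


@dataclass
class GroupCache:
    """Short-lived securityName -> group cache. The SNMP engine never becomes
    authoritative: once an entry expires it is re-fetched, so a revocation at
    the security server takes effect within one TTL."""
    lookup: Callable[[str], Optional[str]]
    ttl: float = 30.0  # seconds; constructed value
    _entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def resolve(self, security_name: str, now: float) -> Optional[str]:
        hit = self._entries.get(security_name)
        if hit is not None and now < hit[1]:
            return hit[0]
        # Expired or unknown: drop the stale entry and consult the authority.
        self._entries.pop(security_name, None)
        group = self.lookup(security_name)
        if group is not None:  # negative answers are not cached
            self._entries[security_name] = (group, now + self.ttl)
        return group


# SNMP-specific access rules, kept in the command responder. Each view is a
# tuple of OID subtrees (dotted strings). Constructed sample policy.
VACM_ACCESS: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "operators": {"read": ("1.3.6.1.2.1",), "write": ("1.3.6.1.2.1.1",)},
    "readonly": {"read": ("1.3.6.1.2.1",), "write": ()},
}


def oid_in_view(oid: str, view: Tuple[str, ...]) -> bool:
    """True if oid lies under any subtree of the view. Comparing arc lists
    rather than string prefixes keeps 1.3.6.1.2.10 out of the 1.3.6.1.2.1 view."""
    arcs = oid.split(".")
    for subtree in view:
        prefix = subtree.split(".")
        if arcs[: len(prefix)] == prefix:
            return True
    return False


def is_access_allowed(cache: GroupCache, security_name: str,
                      operation: str, oid: str, now: float) -> bool:
    """Authorization decision for one PDU: external group, local VACM rules."""
    group = cache.resolve(security_name, now)
    if group is None:
        return False  # unknown to the security server: deny
    rules = VACM_ACCESS.get(group)
    if rules is None:
        return False  # group known upstream but has no local access entry
    return oid_in_view(oid, rules.get(operation, ()))


if __name__ == "__main__":
    cache = GroupCache(external_group_lookup)
    sysname = "1.3.6.1.2.1.1.5.0"
    print("alice write sysName:", is_access_allowed(cache, "alice", "write", sysname, 0.0))
    print("bob   write sysName:", is_access_allowed(cache, "bob", "write", sysname, 0.0))
    EXTERNAL_GROUP_DIRECTORY.pop("alice")  # revoked at the security server
    print("alice read  after 10s:", is_access_allowed(cache, "alice", "read", sysname, 10.0))
    print("alice read  after 31s:", is_access_allowed(cache, "alice", "read", sysname, 31.0))
```

The `now` parameter is passed explicitly rather than read from the clock so the TTL behaviour is deterministic and testable; a real engine would use monotonic time. The last two lines of the usage show the cost of the cache Tom accepts: a revocation upstream is not seen until the cached entry expires, which is why he argues for holding the mapping "for as little time as it needs it".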

