RE: [Isms] securityName
Tom,
I agree with your point if our goal is to continue to leverage SNMPv3
USM and VACM. However, if we are "outsourcing" elements of (or all of)
the ISMS security to alternative technologies, as many have proposed,
then I disagree with you. I disagree with you because the order of Wes'
list reflects ISP response to current SNMPv3 authentication realities.
As I've said many times, SNMPv3 authentication is totally unlike all
other authentication systems in our deployment, and my personal goal for
ISMS is for SNMP to directly leverage an existing authentication system
within our deployment. To the extent that my employer represents the
large end user, then I suggest that the preferable candidates are
Kerberos, PKI, Radius, or some other server-based authentication system
(including TACACS+). Local accounts just don't cut it because they don't
scale.
--Eric
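[Editor's note: the block below is an added illustration, not part of the thread or of any ISMS draft. It shows the concrete sense in which SNMPv3 USM authentication is "unlike" the server-based systems Eric lists: under RFC 3414 a user's password is turned into a key (Ku) and then "localized" to each agent's snmpEngineID (Kul), so every agent holds a different per-user secret and no central server is consulted at authentication time. Provisioning a new user therefore means touching every engine, which is the scaling problem behind "local accounts just don't cut it". The password, engine ID and expected digests are the published test vectors from RFC 3414 Appendix A.3; the second engine ID is a constructed value used only to show that the localized keys differ per engine.]

```python
import hashlib

# Size of the expanded password stream in RFC 3414 A.2.1 / A.2.2 (1 MiB).
_EXPAND_LEN = 1048576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: repeat the password to 1 MiB and hash once -> Ku."""
    if not password:
        raise ValueError("empty password")
    reps = _EXPAND_LEN // len(password) + 1
    stream = (password * reps)[:_EXPAND_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku)."""
    if not (5 <= len(engine_id) <= 32):
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_keys(password: bytes, engine_ids, hash_name: str = "md5") -> dict:
    """One localized key per agent: the per-engine secrets an operator must
    provision (or rotate) everywhere a user is allowed to manage."""
    ku = password_to_key(password, hash_name)
    return {eid.hex(): localize_key(ku, eid, hash_name).hex() for eid in engine_ids}


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", engine ID 00..00 02.
    rfc_engine = bytes(11) + b"\x02"
    # Constructed second engine ID (not from the RFC), to show divergence.
    other_engine = bytes.fromhex("800000020104")
    for name in ("md5", "sha1"):
        print(name, localized_keys(b"maplesyrup", [rfc_engine, other_engine], name))
```

Each agent ends up with its own Kul, so a password change or account removal is an N-device operation rather than one update at a RADIUS, TACACS+ or Kerberos server.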
-----Original Message-----
From: Tom Petch [mailto:nwnetworks at dial.pipex.com]
Sent: Thursday, July 28, 2005 9:32 AM
To: Kaushik Narayan
Cc: isms at ietf.org
Subject: Re: [Isms] securityName
----- Original Message -----
From: "Kaushik Narayan" <kaushik at cisco.com>
To: <ietfdbh at comcast.net>
Cc: <isms at ietf.org>
Sent: Sunday, July 17, 2005 5:05 PM
Subject: RE: [Isms] securityName
> Hi David,
>
> Here is a list of external authentication mechanisms that are required
> to be supported from the ISMS charter
>
> - Radius
> - TACACS+
> - Kerberos
> - LDAP
> - Diameter
>
Well, no, that is not what I see or would ever want to see in the
charter because I would regard it as impossible if it weren't that
already. What I see the charter say is
"The following security infrastructures will be considered by the
working group as potential existing authentication infrastructures to
make use of within the new security model. The solution will hopefully
be able to be integrated with multiple of these user databases although
it is expected that one will be mandatory.
- Local accounts
- SSH identities
- Radius
- TACACS+
- X.509 Certificates
- Kerberos
- LDAP
- Diameter"
So we have to support one, hopefully more than one, never all. And
notice that the order of the list is that of the percentage currently
using it as revealed in Wes' survey, so support for SSH counts for more
than support for LDAP, by an order of magnitude.
_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.