RE: [Isms] Re: modularity



Hi Eric,

> Reading the various postings, it seems to me that the WG still doesn't
> have a common model in mind for these fundamental -- and core -- design
> issues. I am particularly alarmed that some still want to make minimal
> changes to SNMPv3 USM and VACM and others want to make major
> replacements to USM and VACM. Can we please reach consensus on that
> fundamental point

The SNMPv3 WG did have consensus on a common model, and documented
that consensus. To be consistent with the RFC3411 architecture, both
USM and VACM should remain unchanged, and be able to coexist with
supplementary security and access control models, such as those that
outsource the security to other elements. The MIB module for USM
should be used only by USM, and the MIB module for VACM should be used
only by VACM, and any new security model or new AC model should define
its own MIB module, and only it should access that model-specific MIB
module.

Regarding scalability, the SNMPv3 WG reached consensus on the
following design decision:
"      - Controlled Complexity
         It is recognized that producers of simple managed devices want
         to keep the resources used by SNMP to a minimum.  At the same
         time, there is a need for more complex configurations which can
         spend more resources for SNMP and thus provide more
         functionality.  The design tries to keep the competing
         requirements of these two environments in balance and allows
         the more complex environments to logically extend the simple
         environment."

USM's local accounts represent the simple model, which is suitable
for simple environments; interfacing to external security
infrastructure for scalability is a requirement of a more complex
environment, and can be achieved by designing a separate,
supplementary security model, and a separate supplementary access
control model.

David Harrington
dbharrington at comcast.net
co-chair IETF SNMPv3 WG, concluded



_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.