RE: [Isms] #19: should RADIUS be exposed outside of SSH?


Hi,

A separate port would be a very good idea for SNMP over SSH.

Using the same port for SSH supporting different management
application protocols just reduces the granularity of admin
policy (and therefore reduces the likelihood of widespread
deployment).

Frankly, I cannot imagine any utility for authentication of
either initiator or responder in an SNMP over SSH session
if ISMS doesn't address authorization (i.e., access control).

Cheers,
- Ira


Ira McDonald (Musician / Software Architect)
Blue Roof Music / High North Inc
PO Box 221  Grand Marais, MI  49839
phone: +1-906-494-2434
email: imcdonald at sharplabs.com

> -----Original Message-----
> From: isms-bounces at lists.ietf.org 
> [mailto:isms-bounces at lists.ietf.org]On
> Behalf Of Eliot Lear
> Sent: Sunday, October 16, 2005 10:17 AM
> To: Nelson, David
> Cc: isms at ietf.org
> Subject: Re: [Isms] #19: should RADIUS be exposed outside of SSH?
> 
> 
> Nelson, David wrote:
> >> Subject: [Isms] #19: should RADIUS be exposed outside of SSH?
> > One point that hasn't had much [any] discussion is that AAA services
> > such as RADIUS and Diameter are designed to provision a specific
> > service, such as packet forwarding or telnet terminal services.  I
> > believe that AAA should provision SNMP management access as a specific
> > service, and therefore a RADIUS authorization for SNMP access should not
> > be capable of being used for packet forwarding services (or vice versa).
> > This is another level of authorization that would need to be exposed
> > beyond SSH.
> 
> We should be very careful how we do this.  We do not want to tie SSHSM
> to radius or diameter.  In order to even determine this prior to
> authentication (the specific SNMP subsystem request is made *after*
> authentication) it seems to me that a separate port is required.
> 
> Eliot
> 
> _______________________________________________
> Isms mailing list
> Isms at lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/isms
> 

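To make the "separate port" argument above concrete (Ira's point that a distinct port restores admin policy granularity, and Eliot's point that the service must be identifiable before authentication, since the SNMP subsystem request only arrives afterwards), here is an added OpenSSH sshd_config fragment; it is illustrative and not part of the thread or of any ISMS draft. The port number 5161, the group name snmp-operators and the handler path /usr/local/sbin/snmp-ssh-subsystem are assumptions.

```conf
# Added example: give SNMP-over-SSH its own listening port so that policy
# for it can differ from policy for general shell access. Port number,
# group name and handler path below are assumptions, not real values.

# Listen on the usual SSH port and on a dedicated port for SNMP.
Port 22
Port 5161

# A session arriving on 5161 is identified as the SNMP service by its port,
# i.e. before authentication, so the policy below applies from the start.
Match LocalPort 5161
    # Only members of this (assumed) group may reach the SNMP service.
    AllowGroups snmp-operators
    # Whatever the client asks for, run only the SNMP subsystem handler
    # (assumed path); no interactive shell is reachable on this port.
    ForceCommand /usr/local/sbin/snmp-ssh-subsystem
    PermitTTY no
    # An authorization for SNMP access must not double as an authorization
    # for packet forwarding: disable every forwarding/tunnel feature here.
    AllowTcpForwarding no
    PermitTunnel no
    AllowAgentForwarding no
    X11Forwarding no
    # Require public-key authentication on the management port.
    AuthenticationMethods publickey
```

With the service on its own port, a packet filter can admit 5161 only from the management network while port 22 keeps whatever policy the general shell service needs.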




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.