RE: [Isms] #8: Do we need a mapping between the SSH key and SNMP engineID?

I think this is a very fundamental issue with the usage model of the
underlying transport within the Transport Mapped Security Model. The fact
that the underlying transport channel would be created prior to any SNMP
communication and will be between two hosts makes it difficult when
we have multiple SSH instances with different credentials for each SNMP
engine: how does the client identify which SSH instance to authenticate
to? The ability to authorize the user's access to the SNMP engines can
still be achieved via VACM.
 

-----Original Message-----
From: isms-bounces at lists.ietf.org [mailto:isms-bounces at lists.ietf.org]
On Behalf Of Blumenthal, Uri
Sent: Monday, October 17, 2005 8:22 AM
To: David T. Perkins
Cc: isms at ietf.org
Subject: RE: [Isms] #8: Do we need a mapping between the SSH key and SNMP engineID?

SSH's purpose (besides establishing a secure pipe) is to authenticate the
user to the host (various mechanisms are available) and to prove the host's
identity to the user (by the host's public key).

Since there may be more than one SNMP engine on one host, and they
(conceivably) may have different "access rights" etc., the ability to
differentiate between them makes sense.

This implies that different engines should have different public keys.
Otherwise, from a security point of view, only one SNMP engine will be
allowed on one SSH host.

An alternative: all the security will depend on "SSH layer" - something
responsible for all the SSH communications of this host, and
multiplexing traffic between various services that use SSH for
protection.
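To make the point of the thread concrete, here is an added example (not code from the ISMS list or any of its participants): a manager-side check that binds each SSH host key fingerprint to the SNMP engineID(s) it is allowed to vouch for, and reports when a claimed engineID arrives behind the wrong key. The host keys and engineIDs below are constructed placeholders, the policy table is an assumption, and the "ambiguous" outcome illustrates the case Uri describes, where two engines share one host key and the key alone cannot tell them apart.

```python
import base64
import hashlib


def ssh_fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public key blob (base64, padding stripped)."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample host keys: placeholder byte strings standing in for real key blobs.
HOST_A_KEY = b"constructed-host-key-A"
HOST_B_KEY = b"constructed-host-key-B"

# Constructed sample engineIDs, laid out like RFC 3411 SnmpEngineID values
# (enterprise number with the high bit set, a format octet, then address data).
ENGINE_A1 = bytes.fromhex("80000009010a000001")
ENGINE_A2 = bytes.fromhex("80000009010a000002")
ENGINE_B1 = bytes.fromhex("80000009010a000010")

# Assumed manager policy: which engineIDs may be presented behind which SSH host key.
# Host A deliberately fronts two engines with a single key (the weak configuration).
POLICY = {
    ssh_fingerprint(HOST_A_KEY): {ENGINE_A1, ENGINE_A2},
    ssh_fingerprint(HOST_B_KEY): {ENGINE_B1},
}


def bound_to_one_engine(policy: dict, fingerprint: str) -> bool:
    """True when the host key identifies exactly one SNMP engine."""
    return len(policy.get(fingerprint, set())) == 1


def authorize_engine(policy: dict, fingerprint: str, claimed_engine_id: bytes) -> str:
    """Decide whether an engineID claimed inside an SSH session is trustworthy.

    fingerprint is the verified host key of the session that carried the SNMP
    message; claimed_engine_id is the engineID found in that message.
    """
    allowed = policy.get(fingerprint)
    if allowed is None:
        # The session was authenticated to a key the manager has never bound to any engine.
        return "reject: unknown host key"
    if claimed_engine_id not in allowed:
        # The key is known, but it does not vouch for this engineID: a mismatch worth alerting on.
        return "reject: engineID not bound to this host key"
    if len(allowed) > 1:
        # Several engines sit behind one key, so the transport cannot distinguish them;
        # only VACM-style authorization on the engine side separates them.
        return "accept-ambiguous"
    return "accept"


if __name__ == "__main__":
    fp_a = ssh_fingerprint(HOST_A_KEY)
    fp_b = ssh_fingerprint(HOST_B_KEY)
    print(fp_b, ENGINE_B1.hex(), authorize_engine(POLICY, fp_b, ENGINE_B1))
    print(fp_b, ENGINE_A1.hex(), authorize_engine(POLICY, fp_b, ENGINE_A1))
    print(fp_a, ENGINE_A2.hex(), authorize_engine(POLICY, fp_a, ENGINE_A2))
```

The table is the "mapping between ISMS-usable SSH keys and related SNMP engine IDs" the thread asks about; an engine that spoofs another engineID over a session keyed to a different host is caught by the mismatch branch, while two engines behind one key land in the ambiguous branch no matter what the mapping says.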


-----Original Message-----
From: David T. Perkins [mailto:dperkins at dsperkins.com]
Sent: Monday, October 17, 2005 2:22 AM
To: Blumenthal, Uri
Cc: isms at ietf.org
Subject: RE: [Isms] #8: Do we need a mapping between the SSH key and SNMP engineID?

Hi,

I don't follow. Would you fill in the details? Part of the reason that I
don't follow is that I see no relationship between the SSH identities
and their keys and SNMP engineIDs.
In USM, an identity is the pair (engineID (which is called the security
engineID) and user name). SSH has no notion of SNMP engineIDs.

On Sun, 16 Oct 2005, Blumenthal, Uri wrote:

>     David> #8: Do we need a mapping between the SSH key (or other SSH
>     David> engine identifier) and SNMP engineID? What happens if an
>     David> agent "spoofs" another engineID, and an NMS performs a SET
>     David> of sensitive parameters to the agent?
> 
> > I cannot answer this question because I don't have enough 
> > understanding of SNMP.  I can answer a related question.
> >
> > You must authenticate each party back to some name the user provided.
> 
> IMHO there must be a mapping between ISMS-usable SSH keys and related 
> SNMP engine IDs.
> 

Regards,
/david t. perkins


_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.