RE: [Isms] #8: Do we need a mapping between the SSH keyandSNMPengineID?
Hi David,

I was only trying to suggest that VACM will provide ability to authorize
users to management information served by the various SNMP engines, I
agree that my previous statement was not clear about that.

Regards,
 kaushik!

-----Original Message-----
From: David B Harrington [mailto:ietfdbh at comcast.net] 
Sent: Monday, October 17, 2005 12:16 PM
To: Kaushik Narayan (kaushik); 'Blumenthal, Uri'; 'David T. Perkins'
Cc: isms at ietf.org
Subject: RE: [Isms] #8: Do we need a mapping between the SSH
keyandSNMPengineID?

Hi,

> The ability to authorize the user access to the SNMP engines can still
> be achieved via VACM

If you're saying what I'm reading, I disagree.
VACM configuration is contained within an SNMP engine, so it cannot
authorize user access to different SNMP engines.

dbh

> -----Original Message-----
> From: isms-bounces at lists.ietf.org
> [mailto:isms-bounces at lists.ietf.org] On Behalf Of Kaushik Narayan 
> (kaushik)
> Sent: Monday, October 17, 2005 2:54 PM
> To: Blumenthal, Uri; David T. Perkins
> Cc: isms at ietf.org
> Subject: RE: [Isms] #8: Do we need a mapping between the SSH 
> keyandSNMPengineID?
> 
> 
> I think this is a very fundamental issue with the usage model of the
> underlying transport within Transport Mapped Security Model. The fact
> that the underlying transport channel would be created prior to any
> SNMP communication and will be between two hosts makes it difficult in
> case we have multiple SSH instances with different credentials for each
> SNMP engine, how does the client identify which SSH instance to
> authenticate to. The ability to authorize the user access to the SNMP
> engines can still be achieved via VACM
>  
> 
> -----Original Message-----
> From: isms-bounces at lists.ietf.org [mailto:isms-bounces at lists.ietf.org]
> On Behalf Of Blumenthal, Uri
> Sent: Monday, October 17, 2005 8:22 AM
> To: David T. Perkins
> Cc: isms at ietf.org
> Subject: RE: [Isms] #8: Do we need a mapping between the SSH key
> andSNMPengineID?
> 
> SSH purpose (besides establishing a secure pipe) is to authenticate the
> user to the host (various mechanisms available) and to prove host's
> identity to the user (by host's PK).
> 
> Since there may be more than one SNMP engine on one host, and they
> (conceivably) may have different "access rights" etc, ability to
> differentiate between them makes sense.
> 
> This implies that different engines should have different public keys.
> Otherwise from security point of view only one SNMP engine will be
> allowed on one SSH host.
> 
> An alternative: all the security will depend on "SSH layer" - something
> responsible for all the SSH communications of this host, and
> multiplexing traffic between various services that use SSH for
> protection.
> 
> 
> -----Original Message-----
> From: David T. Perkins [mailto:dperkins at dsperkins.com]
> Sent: Monday, October 17, 2005 2:22 AM
> To: Blumenthal, Uri
> Cc: isms at ietf.org
> Subject: RE: [Isms] #8: Do we need a mapping between the SSH key and
> SNMPengineID?
> 
> Hi,
> 
> I don't follow. Would you fill in the details. Part of the reason that I
> don't follow is that I see no relationship between the SSH identities
> and their keys and SNMP engineIDs.
> In USM, an identity is the pair (engineID (which is called the security
> engineID) and user name). SSH has no notion of SNMP engineIDs.
> 
> On Sun, 16 Oct 2005, Blumenthal, Uri wrote:
> 
> >     David> #8: Do we need a mapping between the SSH key (or other SSH
> >     David> engine identifier) and SNMP engineID? What happens if an
> >     David> agent "spoofs" another engineID, and an NMS performs a SET
> >     David> of sensitive parameters to the agent?
> > 
> > > I cannot answer this question because I don't have enough 
> > > understanding of SNMP.  I can answer a related question.
> > >
> > > You must authenticate each party back to some name the user provided.
> > 
> > IMHO there must be a mapping between ISMS-usable SSH keys and related
> > SNMP engine IDs.
> > 
> 
> Regards,
> /david t. perkins
> 
> 

_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.