Re: [Isms] Session timeouts?

To: <isms at ietf.org>
Subject: Re: [Isms] Session timeouts?
From: "David B. Nelson" <d.b.nelson at comcast.net>
Date: Wed, 2 Apr 2008 13:45:38 -0400
Delivered-to: ietfarch-isms-web-archive at core3.amsl.com
Delivered-to: isms at core3.amsl.com
In-reply-to: <020701c894e6$82a4b380$0600a8c0 at china.huawei.com>
List-archive: <http://www.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <03c701c894e4$a44811a0$6401a8c0 at NEWTON603> <020701c894e6$82a4b380$0600a8c0 at china.huawei.com>
Sender: isms-bounces at ietf.org
Thread-index: AciU5KM/xj++6LE+TGKccOUhIuAYMQAANbCQAACRkhA=

> Since we don't know which implementation of SSH or which
> implementation of RADIUS will be used, would it make sense to simply
> add an implementer note that they might want to configure their
> implementation to utilize such parameters?

That presumes that it's a configuration option, i.e. that the feature has
been coded into the implementation and simply needs to be enabled at run
time.  That may not always be the case.
 
> Are there some values we should recommend as being appropriate to
> enhance interoperability? Or would this even affect interoperability?

I think all we need to specify is that an SNMP session is closed by the SSH
server after Session-Timeout seconds, or after Idle-Timeout seconds elapse
between SNMP messages.  That is to say, that the SSH server takes notice of
the session limiting authorization information.

> Our SSH transport model is designed to handle finding that no session
> is currently open (so it opens one), or that a session might have
> terminated between the time of receiving a request and sending the
> response (so it discards the response).

Right.

> Is this actually germane to the SNMP mapping? Would this be better
> discussed in the radext draft for mgmt attributes?

Well, the RADEXT draft defines _new_ RADIUS attributes for management
authorization.  It does not indicate how those attributes are used in a
specific application (e.g. SNMP, NETCONF, et. al.), although it does
describe how they are generally used in an application agnostic fashion.  It
does not layer additional usage guidelines _existing_ attributes, for
specific applications.  I think it is preferable to define attributes in one
place (e.g. the base document RFC 2865 or the Management Authorization
draft) and explain how they are applied in a particular application in a
separate draft (like RFC 3580 does for 802.1X).


_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms

Follow-Ups:
- Re: [Isms] Session timeouts?
  - From: Jeffrey Hutzelman

References:
- [Isms] Session timeouts?
  - From: David B. Nelson
- Re: [Isms] Session timeouts?
  - From: David Harrington

Prev by Date: Re: [Isms] Session timeouts?
Next by Date: Re: [Isms] Session timeouts?
Previous by thread: Re: [Isms] Session timeouts?
Next by thread: Re: [Isms] Session timeouts?
Index(es):
- Date
- Thread

Re: [Isms] Session timeouts?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.