[Isms] What granularity of attributes do we need for the secure transport?

To: <isms at ietf.org>
Subject: [Isms] What granularity of attributes do we need for the secure transport?
From: "David B. Nelson" <dnelson at elbrysnetworks.com>
Date: Thu, 3 Apr 2008 18:02:19 -0400
Delivered-to: ietfarch-isms-web-archive at core3.amsl.com
Delivered-to: isms at core3.amsl.com
In-reply-to: <020401c894df$ddb391d0$0600a8c0 at china.huawei.com>
List-archive: <http://www.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Organization: Elbrys Networks, Inc.
References: <00d701c89389$9f805710$0600a8c0 at china.huawei.com><001101c89430$c4acd020$1f0a0a0a at xpsuperdvd2><017101c89464$6d185210$0600a8c0 at china.huawei.com><038f01c894cb$7cbc5b50$6401a8c0 at NEWTON603> <020401c894df$ddb391d0$0600a8c0 at china.huawei.com>
Sender: isms-bounces at ietf.org
Thread-index: AciTiZ79SOFZmNc6RJWNJ4eQ2H0HlQAl2/IgAAW7hyAAI4RgQAADAIBQAEBgE2A=

David Harrington writes...

> I am concerned that dropping the choice of transport protocol really
> limits how we can communicate with the lower layer to get information
> we need to determine what level of access control should be applied.
> "any protocol that provides transport layer encryption" may not be
> good enough for operators.

We need to have a further discussion of this issue on the list, and I have
the action item start a thread to discuss it.

Let's start that discussion now.

I have a couple of thoughts to start off:

-- If it turns out that we need something more granular than
Management-Transport-Protection = {No-Protection | Integrity-Protection |
Integrity-Confidentiality-Protection} to address the specific needs of SNMP,
could we at that point in time extend the list of enumerated values for the
Management-Transport-Protection to include special cases for SNMP?  That
would eliminate the need to restore the Management-Transport-Protocol
attribute which caused a number of difficulties in terms of management
transports other than those used for SNMP.  Once you specify the protocol,
then you logically need to specify all sorts of other protocol and security
related parameters.  I think we don't want to go down that path.

-- Why do we think that RADIUS authorization should be used to provision
specific secure transport properties, such as protocol, cipher suite,
authentication mechanism, certificate chains, etc?  It seems to me that
these choices, while important to get right, do not need to be conveyed on
each and every user access to the managed entity.  They would typically be
configured and left static for long periods of time.  Yes, it is required
that both ends of any such connection agree on the parameters, but it seems
RADIUS authorization is not the optimal way to ensure that.  I think that
the choice that needs to be made on an access by access basis is simply
whether or not the access needs to be secure.


_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms

Follow-Ups:
- Re: [Isms] What granularity of attributes do we need for the secure transport?
  - From: Jeffrey Hutzelman
- Re: [Isms] What granularity of attributes do we need for the secure transport?
  - From: David Harrington

References:
- [Isms] WGLC: draft-ietf-isms-radius-usage-02
  - From: David Harrington
- Re: [Isms] WGLC: draft-ietf-isms-radius-usage-02
  - From: David B. Nelson
- Re: [Isms] WGLC: draft-ietf-isms-radius-usage-02
  - From: David Harrington
- Re: [Isms] WGLC: draft-ietf-isms-radius-usage-02
  - From: David B. Nelson
- Re: [Isms] WGLC: draft-ietf-isms-radius-usage-02
  - From: David Harrington

Prev by Date: Re: [Isms] What granularity of attributes do we need for the secure transport?
Next by Date: Re: [Isms] What granularity of attributes do we need for the securetransport?
Previous by thread: Re: [Isms] WGLC: draft-ietf-isms-radius-usage-02
Next by thread: Re: [Isms] What granularity of attributes do we need for the secure transport?
Index(es):
- Date
- Thread

[Isms] What granularity of attributes do we need for the secure transport?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.