Re: [Isms] What granularity of attributes do we need for the securetransport?

[Jeffrey Hutzelman <jhutz at cmu.edu>]

--On Friday, April 04, 2008 01:22:01 PM +0200 Juergen Schoenwaelder 
<j.schoenwaelder at jacobs-university.de> wrote:

> On Thu, Apr 03, 2008 at 05:41:20PM -0700, Randy Presuhn wrote:
>
>> The strength of encryption provded by a given security model when the
>> securityLevel is authPriv must be taken into account when formulating
>> an access control policy.  Consequently, from the choice of securityModel
>> one needs to be able to, at the very least, infer what the minimum level
>> of protection provided by authPriv would be.
>
> I like to point to the minutes of the ISMS meeting at the 64th IETF
> <http://tools.ietf.org/wg/isms/minutes?item=minutes64.html>:
>
>  [12] There was some notion in the room to allow SSH to always provide
>       auth/priv services, even in cases where less is requested by the
>       SNMP security level parameter.
>
>       SSH supports a null cipher. The security considerations perhaps
>       should explain that usage of the null cipher is generally not
>       expected, even though implementations might support it for
>       special cases (e.g. someone running ISMS over a secure IPsec
>       tunnel or environments where encryption is illegal).

SSH supports a "none" cipher, and imposes the following requirement:

   The "none" cipher is provided for debugging and SHOULD NOT be used
   except for that purpose.  Its cryptographic properties are
   sufficiently described in [RFC2410], which will show that its use
   does not meet the intent of this protocol.

I believe this is sufficient.  And in fact, the situations in which an SSH 
implementation might reasonably violate that SHOULD are likely to apply 
equally well to SNMP as to any other use.


> Security people were in the room when this was discussed and part of
> the discussion was also that the SSHTM can blindly trust the SSH layer
> without having to peek into the internals of the session state. Since
> this meeting, we have worked under the assumption that the SSHTM can
> trust the SSH layer to provide proper security. Unless there is a
> major new argument, I would prefer to stick with this decision.

I (still) think this is the right approach.

-- Jeff
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms