Re: [Isms] What granularity of attributes do we need for the secure transport?
On Tue, Apr 08, 2008 at 07:23:58PM -0400, David Harrington wrote:
> If I have the relationship between the NAS (RADIUS client) and the
> RADIUS server correct, then the NAS asks the RADIUS server how the
> service to be provided must be provisioned before providing that
> service to the authenticated entity. In the case of the SSHTM, the
> service we are looking to have authorized is an SSH subsystem over
> which we want to run an SNMP session. It is specifically the SSHTM
> that is asking whether an SSH subsystem is authorized for this user. I
> don't know how we provide a "hint" that an SSH subsystem is what we
> want, without having an attribute to specify that is the protocol we
> are interested in running SNMP over.
I think this thinking is backwards. RADIUS is not a provisioning
protocol as far as I can tell.
Since the secure transport already exists when RADIUS comes into play,
all we can reasonably do is ship information about the actual secure
transport to the RADIUS server so that the RADIUS server can take this
into account when it takes a decision.
Radius experts, please correct me if I got this wrong.
/js
--
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>