Re: [Isms] open issues

On Wed, Apr 23, 2008 at 01:28:53AM -0600, Randy Presuhn wrote:
 
> So if the manager is an SSH server as far as notification streams
> are concerned, I think things work out about as well as they do with
> USM (if one has configured USM to not be vulnerable to the potential
> compromise of an agent system.)  Specifically, it means that for a 
> notification user, a separate securityName would need to be created
> for each manager/agent pair.  (Otherwise one agent could impersonate
> another.) Though the access control policy is applied on the agent,
> that securityName is also what would be needed to establish the
> SSH connection with whatever manager is to be used as the trap
> destination, thus giving the desired authentication, or at least as
> much authentication as a manager gets when it sends configuration
> data to an agent.

But if the manager is the SSH server, then all you have is an
authenticated host the server is running on. You made the point that
there can be distinct notification receivers on the same host. So how
do you solve that puzzle?

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>