Re: [Isms] open issues



Hi -

> From: "Juergen Schoenwaelder" <j.schoenwaelder at jacobs-university.de>
> To: <Pasi.Eronen at nokia.com>
> Cc: <isms at ietf.org>
> Sent: Thursday, April 24, 2008 12:31 PM
> Subject: Re: [Isms] open issues
...
> I am not so much concerned about the multiplexing on the notification
> receiver side. The real issue is that we need an authenticated
> principal for the access control to work correctly and there might be
> several different principals behind the same notification receiver
> endpoint.
...

With USM, even though the privacy key gives us the other half
of the authentication, we *still* have to trust the notification receiver
to demultiplex things correctly, and that's beyond the scope of the
SNMP RFCs.

So I think the real concern has to be making sure that the SNMP
engine in front of the notification receiver application is indeed
the one requested by the subscriber, while still maintaining
sufficient information in the PDU to permit demultiplexing.

The question would still arise about the possibility of a forged
subscription, but that is handled through the design of the
target and notification MIBs in conjunction with VACM, as
long as we don't start coalescing securityNames.

Randy

_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms


