Re: [Isms] ISMS/SSH and notifications

To: "Purvis\, Ray" <rpurvis at mitre.org>
Subject: Re: [Isms] ISMS/SSH and notifications
From: Wes Hardaker <wjhns1 at hardakers.net>
Date: Fri, 09 May 2008 07:28:10 -0700
Cc: isms at ietf.org
Delivered-to: ietfarch-isms-web-archive at core3.amsl.com
Delivered-to: isms at core3.amsl.com
Dkim-signature: v=0.5; a=rsa-sha1; c=relaxed; d=hardakers.net; h=received:from:to:cc:subject:organization:references:date:in-reply-to:message-id:user-agent:mime-version:content-type; q=dns/txt; s=wesmail; bh=pDXY27xnq3BgJtJCBRezwulXM3A=; b=CDGjxI4LxqmqMDAlu7GKQ6snyUBmCSw9LB9gk6NYcOgW9ZFD9ycYu28saen3B5CwnS7rkQH2k5ALog1KFaKs0/Vi2kjmJsPWlKJ6+owr1C/hJZec7XOzujRoGYciNJo1IRIEQNVcvR0LiOpQmjw2VJ/USB1waLLnvfZ4j2m/GU0=
In-reply-to: <6AC65FD74E2B984A95EED496FBFC59FC9C36CA@IMCSRV3.MITRE.ORG> (Ray Purvis's message of "Fri, 9 May 2008 08:17:05 -0400")
List-archive: <http://www.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Organization: Sparta
References: <sdskx1wof3.fsf@wes.hardakers.net> <1696498986EFEC4D9153717DA325CB72809B78@vaebe104.NOE.Nokia.com> <sdwsmcekir.fsf@wes.hardakers.net> <1696498986EFEC4D9153717DA325CB72890CAD@vaebe104.NOE.Nokia.com> <sdej8g3365.fsf@wes.hardakers.net> <1696498986EFEC4D9153717DA325CB72924F92@vaebe104.NOE.Nokia.com> <6AC65FD74E2B984A95EED496FBFC59FC9C36C8@IMCSRV3.MITRE.ORG> <1696498986EFEC4D9153717DA325CB72925044@vaebe104.NOE.Nokia.com> <6AC65FD74E2B984A95EED496FBFC59FC9C36CA@IMCSRV3.MITRE.ORG>
Sender: isms-bounces at ietf.org
User-agent: Gnus/5.110007 (No Gnus v0.7) XEmacs/21.4.21 (linux, no MULE)

>>>>> On Fri, 9 May 2008 08:17:05 -0400, "Purvis, Ray" <rpurvis at mitre.org> said:

RP> Yes, of course, I had USM on the brain.  For TSM, the notification receiver
RP> doesn't really have a whole lot to do with the securityName, does it?

It is important to identify who sent the message.  Notification
receivers are fairly boring in their current ability to log stuff,
however.  Frequently they just display logs associated with an IP
address and possibly a port.

Right now the SNMP standards don't dictate that the securityName be used
much on the notification receiver side.  Note that even the
NOTIFICATION-LOG-MIB doesn't have an entry fro the securityName used to
send the message (just the context engineID and transport information).
There is no securityName for SNMPv1/SNMPv2c so to some extent this does
make sense.

Net-SNMP (a single point of data as a reference) actually does use the
securityName to authorize what a received notification is allowed to do
(log, forward and execute being the current 3 possible outputs to the
authorization process).  I think Net-SNMP is fairly unique here as most
notification receivers don't do any authorization checks other than to
assure the packet has been properly authenticated.

But...  My point was that there is no current standard that requires
they be the same on both sides.  Both sides may need to make a decision
or use the resulting securityName.  But there isn't a requirement that
the be administratively identical on both sides.  The SSH transport will
accept a user name on the client side to "use" in the transport, and the
server side will be able to extract that same name.  There is no reason
why administratively it can't be the name configured on both sides to be
*the* securityName.  But there is no *current* great reason why on the
sending side it couldn't be different as well.

I think I'm digressing a bit though.  The original point of my message
had nothing to do with the security name the notification receiver was
using (it essentially would be the ssh user name accepted through the
ssh transport).

The issue on the table originally "if USM INFORMs considers the remote
notification receiver to be authoritative, and thus the securityName is
technically defined by the remote side and if SSH doesn't give us a
"name" to use to identify the INFORM receiver with, then what do we use
to do a VACM authorization check?".   My point was: we have information
on the client side that we can use already.  If we want to use the user
name we sent as a client, that's fine.  If we want to use something
different, that's fine too (IMHO here).  The important thing, and this
is critical, is that whatever we decide to call the notification
receiver securityName-wise we MUST make sure the public key returned by
the SSH server and authenticated by the SSH client side is the same as
the public key we were expecting.  Otherwise, all bets are off.
-- 
Wes Hardaker
Sparta, Inc.
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms

References:
- [Isms] ISMS/SSH and notifications
  - From: Wes Hardaker
- Re: [Isms] ISMS/SSH and notifications
  - From: Pasi.Eronen
- Re: [Isms] ISMS/SSH and notifications
  - From: Wes Hardaker
- Re: [Isms] ISMS/SSH and notifications
  - From: Pasi.Eronen
- Re: [Isms] ISMS/SSH and notifications
  - From: Wes Hardaker
- Re: [Isms] ISMS/SSH and notifications
  - From: Pasi.Eronen at nokia.com
- Re: [Isms] ISMS/SSH and notifications
  - From: Purvis, Ray
- Re: [Isms] ISMS/SSH and notifications
  - From: Pasi.Eronen at nokia.com
- Re: [Isms] ISMS/SSH and notifications
  - From: Purvis, Ray

Prev by Date: Re: [Isms] ISMS/SSH and notifications
Next by Date: Re: [Isms] ISMS/SSH and notifications
Previous by thread: Re: [Isms] ISMS/SSH and notifications
Next by thread: Re: [Isms] ISMS/SSH and notifications
Index(es):
- Date
- Thread

Re: [Isms] ISMS/SSH and notifications

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.