Re: [Isms] TBD secshell

To: <isms at ietf.org>
Subject: Re: [Isms] TBD secshell
From: "David B Harrington" <dbharrington at comcast.net>
Date: Wed, 28 Jan 2009 20:08:23 -0500
Delivered-to: ietfarch-isms-archive at core3.amsl.com
Delivered-to: isms at core3.amsl.com
In-reply-to: <CF95F6B3BDFD3B171FFD4DA3 at atlantis.pc.cs.cmu.edu>
List-archive: <http://www.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <20090127083933.GC12355 at elstar.local> <200901282258.n0SMw53g024330 at toasties.srv.cs.cmu.edu> <4BB6D8A8E1F91F93B85A62F7 at atlantis.pc.cs.cmu.edu> <200901282344.n0SNiunA000877 at grapenut.srv.cs.cmu.edu> <CF95F6B3BDFD3B171FFD4DA3 at atlantis.pc.cs.cmu.edu>
Sender: isms-bounces at ietf.org
Thread-index: AcmBpHobHrf/Mz9lRvml8/QkUE2CygAAIcIQ

 
> Top-posting makes it really hard to understand what you are 
> replying to.
(sorry. I intended a really short reply.)

> As I understand it, the request and response don't carry 
> tmSecurityName, 
> which is information passed between the TM and the upper layers.
The 
> request carries a securityName, and if that is "alice" then the 
> securityName in the response should also be "alice".
> 
> If a request is sent with securityName="alice" via an SSH 
> transport using 
> transport address "ahopkins at router1.example.net:1234", then 
> what happens 
> next depends on whether tsm or some other security model is 
> used.  At the 
> receiver, tmSecurityName is going to be "ahopkins", derived 
> from the SSH 
> user name.  If the security model in use is TSM, then TSM is 
> going to look 
> at that value, compare it to the securityName in the message, 

I think there is no securityName in the message. 
Per TSM 4.2 3)
   3) Set securityParameters to a zero-length OCTET STRING ('0400').

> and reject 
> the request because they do not match.  

Per rfc3412, matching is done by message processing models, in the
prepareDataElements EOP. prepareDataElements takes only a
transportDomain, transportAddress, a wholeMsg and a message length as
input. It returns the sendPDUHandle that identifies the matching
request, which is used to direct the response to the appropriate
application.

The user@ feature is an SSHTM-specific feature, not a TSM feature. I
think SSHTM needs to pass a transportAddress for the response that
will match the one used in the request. This is symmetrical - it is
the SSHTM that takes the requested ahopkins at ... transportAddress and
splits it into an address and a user name. SSHTM should put
"ahopkins@" and the address back together into a corresponding
transportAddress. Then the appropriate MPM can find the sendPDUHandle.

tmSecurityName is set to "alice" by TSM. SSHTM is the place where the
requested tmSecurityName "alice" is overridden, and ahopkins is chosen
as the user name. For an incoming response, SSHTM should determine
that the matching tmSecurityName for the response should be "alice",
not "ahopkins". This would seem to require an internal mapping table
that keeps track of all the alice-to-"ahopkins@" conversions done
going outward, and back-converting them on the way in. This might
require some type of transport-mapping-specific sendPDUHandle for
matching specific requests and responses.

dbh 

_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms

References:
- Re: [Isms] TBD secshell
  - From: Jeffrey Hutzelman
- Re: [Isms] TBD secshell
  - From: Jeffrey Hutzelman

Prev by Date: Re: [Isms] TBD secshell
Next by Date: Re: [Isms] TBD secshell
Previous by thread: Re: [Isms] TBD secshell
Next by thread: Re: [Isms] TBD secshell
Index(es):
- Date
- Thread

Re: [Isms] TBD secshell

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.