Re: [Isms] security name relevant text from the current SSH draft and needed changes
>>>>> On Mon, 02 Mar 2009 17:35:52 -0500, Jeffrey Hutzelman <jhutz at cmu.edu> said:
JH> The one bit that confused me was that I thought the SNMPv3 message
JH> carried a security name, in which case it would be necessary to verify
JH> that that name matched the one provided by the transport layer. But
JH> David assures me this is not the case, which means the problem goes
JH> away.
It does not carry a securityName. The packet basically is broken down
as (I created a cheat-sheet years ago when SNMPv3 was first being
developed in order to understand it all):

    SNMPv3Message ::= SEQUENCE {
        msgVersion INTEGER { snmpv3 (3) },
        msgGlobalData HeaderData,
            msgID INTEGER (0..2147483647),
            msgMaxSize INTEGER (484..2147483647),
            msgFlags OCTET STRING (SIZE(1)),
            msgSecurityModel INTEGER (0..2147483647)
        msgSecurityParameters OCTET STRING,
        msgData ScopedPduData
    ...

The msgSecurityModel value in the global headers is a field that all v3
messages contain. The msgSecurityParameters is functionally an opaque
field that the SM gets to put whatever it wants into it. For USM, the
user name and other parameters are put into it. For TSM, we're putting
nothing (it becomes an empty octet string). So no, there is user
information in snmpv3 packet itself unless the SM puts it in there.
--
Wes Hardaker
Sparta, Inc.
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
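
The layout described in the message above, as an added example that is not part of the original post: a small BER reader that pulls msgSecurityModel and msgSecurityParameters out of an SNMPv3 message and reports whether a user name is present in the packet. Assumptions: security model numbers 3 (USM) and 4 (TSM, as later assigned in RFC 5591), the UsmSecurityParameters field order from RFC 3414, hypothetical helper names, and constructed sample messages (engine ID, user "alice", empty placeholder msgData).

```python
# Added example: constructed messages and hypothetical helper names throughout.
def tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split SEQUENCE contents into a list of (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def name_in_packet(msg):
    """Return (msgSecurityModel, user name found in msgSecurityParameters or None)."""
    tag, body, _ = tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    version, header, secparams = children(body)[:3]
    if int.from_bytes(version[1], "big") != 3:
        raise ValueError("not SNMPv3")
    model = int.from_bytes(children(header[1])[3][1], "big")  # 4th HeaderData field
    if model == 3 and secparams[1]:         # USM: BER UsmSecurityParameters inside
        _, usm, _ = tlv(secparams[1], 0)
        return model, children(usm)[3][1].decode()            # 4th field: msgUserName
    return model, None                      # opaque or empty: nothing to read here

def enc(tag, value):                        # short-form encoder for the samples below
    return bytes([tag, len(value)]) + value

def build(model, secparams):                # constructed message, empty placeholder msgData
    header = enc(0x30, enc(2, b"\x01") + enc(2, b"\x05\xdc") + enc(4, b"\x04")
                 + enc(2, bytes([model])))
    return enc(0x30, enc(2, b"\x03") + header + enc(4, secparams) + enc(0x30, b""))

USM_PARAMS = enc(0x30, enc(4, b"\x80\x00\x1f\x88\x04test") + enc(2, b"\x00") + enc(2, b"\x00")
                 + enc(4, b"alice") + enc(4, b"") + enc(4, b""))
USM_MSG = build(3, USM_PARAMS)              # USM: user name travels in the packet
TSM_MSG = build(4, b"")                     # TSM: empty octet string

if __name__ == "__main__":
    print(name_in_packet(USM_MSG), name_in_packet(TSM_MSG))
```

With an empty msgSecurityParameters the receiver has no in-packet name to compare, so the identity has to come from the transport session.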