Re: [Isms] security name relevant text from the current SSH draft and needed changes

----- Original Message -----
From: "Wes Hardaker" <wjhns1 at hardakers.net>
To: "Jeffrey Hutzelman" <jhutz at cmu.edu>
Cc: <isms at ietf.org>
Sent: Tuesday, March 03, 2009 1:17 AM
Subject: Re: [Isms] security name relevant text from the current SSH draft and needed changes


> >>>>> On Mon, 02 Mar 2009 17:35:52 -0500, Jeffrey Hutzelman <jhutz at cmu.edu> said:
>
> JH> The one bit that confused me was that I thought the SNMPv3 message
> JH> carried a security name, in which case it would be necessary to verify
> JH> that that name matched the one provided by the transport layer.  But
> JH> David assures me this is not the case, which means the problem goes
> JH> away.
>
> It does not carry a securityName.  The packet basically is broken down
> as (I created a cheat-sheet years ago when SNMPv3 was first being
> developed in order to understand it all):
>
>   SNMPv3Message ::= SEQUENCE {
>     msgVersion INTEGER { snmpv3 (3) },
>     msgGlobalData HeaderData,
>       msgID      INTEGER (0..2147483647),
>       msgMaxSize INTEGER (484..2147483647),
>       msgFlags   OCTET STRING (SIZE(1)),
>       msgSecurityModel INTEGER (0..2147483647),
>     msgSecurityParameters OCTET STRING,
>     msgData  ScopedPduData
>       ...
>
> The msgSecurityModel value in the global headers is a field that all v3
> messages contain.  The msgSecurityParameters is functionally an opaque
> field that the SM gets to put whatever it wants into it.  For USM, the
> user name and other parameters are put into it.  For TSM, we're putting
> nothing (it becomes an empty octet string).  So no, there is no user
> information in the SNMPv3 packet itself unless the SM puts it in there.
>

And it really fascinates me that, after all this time, some think that the name
is there.  That sort of tells me it should be; life would be straightforward if
it was, and the way I see user@example.com:port (and Windows has just told me
that this is an e-mail address, which is why I keep saying e-mail format address
:-) is that that is exactly what we are doing.  'user' is the name that we do not
have in the PDU, so we are using a backdoor to get it from the local to the remote
engine.  It's a philosophical point, but that is how I see it.

Ah well, we chose the difficult way of doing it and at this stage I want to make
that work, not go back and put 'user' into isms securityParameters.  No jokes,
this is me being serious.

Tom Petch

> --
> Wes Hardaker
> Sparta, Inc.


Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.