Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS

To: David B Harrington <dbharrington at comcast.net>, isms at ietf.org
Subject: Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
From: Jeffrey Hutzelman <jhutz at cmu.edu>
Date: Wed, 10 Jun 2009 07:42:40 -0400
Cc: jhutz at cmu.edu
Delivered-to: isms at core3.amsl.com
In-reply-to: <21008_1244627643_n5A9s2NV001164_01fe01c9e9b1$607f52d0$0600a8c0 at china.huawei.com>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <21008_1244627643_n5A9s2NV001164_01fe01c9e9b1$607f52d0$0600a8c0 at china.huawei.com>

--On Wednesday, June 10, 2009 05:53:59 AM -0400 David B Harrington<dbharrington at comcast.net> wrote:

Hi,

Randy Presuhn described it best. The simplest way to approach this
problem is to have the RADIUS authorization attributes simply there in
the background. Screw the ASIs; we want to finish this within five
years. A RADIUS-aware ACM can simply utilize the RADIUS attributes.

My concern is maintaining the modularity that was deliberately created
by the SNMPv3 WG to allow modular extensibility. This is all about
separating who knows what. RADIUS knows about authorization
attributes, not about VACM.

When the charter says that RADIUS provides VACM username-to-groupname
dynamic provisioning, that is wrong. RADIUS provides a policy name.
How that translates to VACM access control is dependent on the
(extended) VACM access control model. That permits additional access
control models to also utilize the RADIUS attributes.

I thought the plan was to charter work specifically to define a way for_VACM_ to get provisioning data from _RADIUS_. That is...


(1) This is an extension to VACM which describes one way it can interact
   with something outside the scope of SNMP to do its job.  It doesn't
   communicate with the rest of SNMP (except to use information that
   any ACM already has at its disposal) and it applies only to VACM.

(2) By the same token, it relates specifically to RADIUS, via the
   just-completed NAS management document, and not to any arbitrary
   AAA protocol.

This really shouldn't create a new "AAA subsystem" abstraction forconnecting any ACM to any AAA. If we did that, we'd _still_ have to

define the interactions between that new abstraction and each of VACM
and RADIUS, and we really don't know enough about the possibilities
to construct an abstraction for any case other than (VACM->RADIUS).

-- Jeff

Follow-Ups:
- Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: Dave Nelson

Prev by Date: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
Next by Date: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
Previous by thread: Re: [Isms] Moving into some design / architecture issues of Extended VACM
Next by thread: Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
Index(es):
- Date
- Thread

Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.