Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS

To: <isms at ietf.org>
Subject: Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
From: "Randy Presuhn" <randy_presuhn at mindspring.com>
Date: Wed, 10 Jun 2009 09:41:19 -0700
Delivered-to: isms at core3.amsl.com
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=gZt5rQa2tAxn9pErqtLu+kIXz2zGOmumSTMaARzT8VreQMNF3aLYzwmbHmeYZpX4; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <01fe01c9e9b1$607f52d0$0600a8c0 at china.huawei.com>

Hi -

> From: "David B Harrington" <dbharrington at comcast.net>
> To: <isms at ietf.org>
> Sent: Wednesday, June 10, 2009 2:53 AM
> Subject: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
...
> Randy Presuhn described it best. The simplest way to approach this
> problem is to have the RADIUS authorization attributes simply there in
> the background. Screw the ASIs; we want to finish this within five
> years. A RADIUS-aware ACM can simply utilize the RADIUS attributes.
...

Lest I be credited with too much, let me re-cap the idea.  (I do not
claim to be the only person who's thought about it this way!)

(1) the RADIUS  authorization data includes the name of the
group of which this user is an authorized member.  (You can
call it a policy if you will, but to break out of chicken--egg
provisioning problems it must be possible to transform it into
a VACM group name without any prior configuration..)

(2) if one does not already exist, a corresponding entry is created
in the vacmSecurityToGroupTable.

(3) processing continues just like it would for any other transaction.

Details of step (2):
        vacmSecurityModel comes from the security model in use for this message
        vacmSecurityName obvious
        vacmGroupName comes from the RADIUS authorization data
        vacmSecurityToGroupStorageType volatile
        vacmSecurityToGroupStatus  active

If you really want to get fancy, you could AUGMENT  the vacmSecurityToGroupTable
with additional column(s) to make entries created in this manner behave like
elements in a age-out or LRU cache.

I *think* I went through this in more detail in the ancient "miasma" proposal
from the days when ISMS was just getting started.

The only "architectural" issue is that going through step (2) requires the
entity processing the request to be able to act like an SNMP CR application
operating on (rather than merely consulting) the VACM MIB (and possibly
an extension to that MIB).  This does *not* require defining any interfaces
that we don't already have.

Randy

Follow-Ups:
- [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: Juergen Schoenwaelder

References:
- [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: David B Harrington

Prev by Date: [Isms] Protocol Action: 'Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models' to Proposed Standard
Next by Date: Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
Previous by thread: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
Next by thread: Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
Index(es):
- Date
- Thread

Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.