[Isms] Moving into some design / architecture issues of Extended VACM
Randy Presuhn writes...
> (1) the RADIUS authorization data includes the name of the
> group of which this user is an authorized member. (You can
> call it a policy if you will, but to break out of chicken--egg
> provisioning problems it must be possible to transform it into
> a VACM group name without any prior configuration.)
I don't think the "without any prior configuration" part works. A group
name or policy name, whatever we call it, is just short-hand for a
potentially long list of policy rules or access control rules. There's no
practical way that the RADIUS server can know what group names exist on the
NAS and what access rights they convey. That has to be pre-arranged by the
system administrator. Similarly, there's no way that the NAS can intuit the
correct set of policy rules from the name. The name, IMHO, must simply be a
label and MUST NOT be encoded with actual access control semantics.
> (2) if one does not already exist, a corresponding entry is created
> in the vacmSecurityToGroupTable.
That, I think, is a potential security hole that you could drive a whole
fleet of trucks through. Creating a table entry with some default, null or
wildcard set of access control rules seems like a very bad idea. It's good
for ease-of-use, but bad for security.
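To make the two positions in this exchange concrete, here is an added model (not code from the thread or from any SNMP implementation) of binding a RADIUS-supplied group label to vacmSecurityToGroupTable. Group labels, view names and the `auto_create` switch are assumptions for illustration: with it off, an unknown label is just a label with no pre-arranged rights and the user is denied; with it on, the auto-created entry gets the wildcard rights the message warns about.

```python
# Constructed model of binding a RADIUS-supplied group label to VACM tables.
# Not SNMP agent code; view names and group labels below are made up.

# vacmAccessTable, pre-arranged by the administrator:
# groupName -> (readViewName, writeViewName); None means "no access".
ADMIN_PROVISIONED_ACCESS = {
    "readonly-ops": ("systemView", None),
    "noc-admins":   ("allView", "allView"),
}

WILDCARD = "*"   # stands for an "everything" view, the default the message warns against


class VacmState:
    def __init__(self, access_table):
        self.access = dict(access_table)   # vacmAccessTable (copied, so instances stay isolated)
        self.security_to_group = {}        # vacmSecurityToGroupTable

    def bind_user(self, security_model, security_name, radius_group, auto_create=False):
        """Create the vacmSecurityToGroupTable entry for this user.

        Returns the group name, or None when the user must be denied.
        The RADIUS label carries no semantics: it only selects an entry
        the administrator already provisioned.  auto_create=True reproduces
        the behaviour the message objects to, where an unknown label
        silently gets a fresh entry with wildcard rights.
        """
        key = (security_model, security_name)
        if radius_group in self.access:
            self.security_to_group[key] = radius_group
            return radius_group
        if auto_create:
            self.access[radius_group] = (WILDCARD, WILDCARD)
            self.security_to_group[key] = radius_group
            return radius_group
        return None   # unknown label: fail closed, no entry created

    def view_for(self, security_model, security_name, op):
        """Resolve the view a request may use, or None if access is denied."""
        group = self.security_to_group.get((security_model, security_name))
        if group is None:
            return None
        read_view, write_view = self.access[group]
        return read_view if op == "read" else write_view
```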
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.