Re: [Isms] Moving into some design / architecture issuesofExtendedVACM

To: <isms at ietf.org>
Subject: Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
From: "Dave Nelson" <d.b.nelson at comcast.net>
Date: Wed, 10 Jun 2009 15:38:17 -0400
Delivered-to: isms at core3.amsl.com
In-reply-to: <000601c9ea00$00795120$0600a8c0 at china.huawei.com>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <01fe01c9e9b1$607f52d0$0600a8c0 at china.huawei.com><002201c9e9ea$488a1dc0$6801a8c0 at oemcomputer><7D5B6351B90B4B7FB309277995E141F9 at NEWTON603><00e901c9e9fa$f7642100$6801a8c0 at oemcomputer> <000601c9ea00$00795120$0600a8c0 at china.huawei.com>
Thread-index: Acnp+vNQGLDebVoRQmKuBzSv2EzFXAAAMnhwAAFdP7A=

David Harrington writes...

> I think it is fine for RADIUS to provide a user/policy,
> and for VACM to translate...

Are we contemplating something other than the "identity transform" here?  If
not, why use the word "translate"?  If so, how is domain-wide correctness
guaranteed?

> ... that into user/groupname even if there are no entries
> specifying the views and permissions for the groupname. The
> isAccessAllowed() will simply say "no" for any  group for which no
> views/permissions are defined.

Yes, I see that.  As the default for a new group entry is no access, there
is no security risk.  OTOH, what's the operational advantage of populating
the tables with useless / erroneous group names?  Conversely, what's the
disadvantage of simply ignoring any non-existing group names, and dismissing
them as a mis-configuration?  You many, of course, want a counter of these
someplace.

> The WG will need to deal with mid-session changes to user/policy
> assignments and/or policy configuration changes.

This can be tricky.  One possible solution is for a "significant' have of
policy definition in the NAS to trigger a RADIUS re-authentication request.

> IIRC, RADIUS servers can specify "interrupts" - hey, client, I
> need to revoke the current access-accept and force you to ask me
> again, because some things have changed.

You're thinking of Dynamic RADIUS, which allows for changes of
authorization, initiated by the RADIUS server.  Of course, the RADIUS server
isn't likely to be aware of changes in MIB values on the NAS.

Follow-Ups:
- Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
  - From: David Harrington

References:
- [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: David B Harrington
- Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: Randy Presuhn
- [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
  - From: David Harrington

Prev by Date: Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
Next by Date: Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
Previous by thread: Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
Next by thread: Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design / architecture issuesofExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.