Re: [Isms] Moving into some design / architectureissuesofExtendedVACM

To: <isms at ietf.org>
Subject: Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
From: "Randy Presuhn" <randy_presuhn at mindspring.com>
Date: Wed, 10 Jun 2009 18:59:00 -0700
Delivered-to: isms at core3.amsl.com
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=W6gXURL5A7Pg1gFM3Wnxldee3+dTR4sRSooJA+WFOASxvp5sxc8SfZb/QBGegmRi; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <01fe01c9e9b1$607f52d0$0600a8c0 at china.huawei.com><002201c9e9ea$488a1dc0$6801a8c0 at oemcomputer><7D5B6351B90B4B7FB309277995E141F9 at NEWTON603><00e901c9e9fa$f7642100$6801a8c0 at oemcomputer><000601c9ea00$00795120$0600a8c0 at china.huawei.com> <EBD40065B07A416BB5D47DDD8FC267BD at NEWTON603>

Hi -

> From: "Dave Nelson" <d.b.nelson at comcast.net>
> To: <isms at ietf.org>
> Sent: Wednesday, June 10, 2009 12:38 PM
> Subject: Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
...
> Yes, I see that.  As the default for a new group entry is no access, there
> is no security risk.  OTOH, what's the operational advantage of populating
> the tables with useless / erroneous group names?  Conversely, what's the
> disadvantage of simply ignoring any non-existing group names, and dismissing
> them as a mis-configuration?  You many, of course, want a counter of these
> someplace.

I think the disadvantage is that of introducing yet another special case.
There is no way to tell the difference between "useless," "eroneous,"
and "I got there before the configuration updated was pushed to that
particular node."  (Operationally, the user-group mapping will go out
before there is any guarantee that all nodes for which that policy will
be relevant have been updated to include that policy in their repertoire.)

If we distinguish this case with special handling and counters, do we want
to propagate an error back to RADIUS-land?  (We have no mechanism for
delivering any special indication to the SNMP conversation partner.) What
is the recovery strategy upon receipt of this error, and is it any different from
any other access-denied situation?

Randy

Follow-Ups:
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Dave Nelson

References:
- [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: David B Harrington
- Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: Randy Presuhn
- [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
  - From: Dave Nelson

Prev by Date: Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
Next by Date: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Previous by thread: Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
Next by thread: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design / architectureissuesofExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.