Re: [Isms] Moving into some design /architectureissuesofExtendedVACM

To: <isms at ietf.org>
Subject: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
From: "Dave Nelson" <d.b.nelson at comcast.net>
Date: Thu, 11 Jun 2009 09:28:34 -0400
Delivered-to: isms at core3.amsl.com
In-reply-to: <006e01c9ea38$30aeccc0$6801a8c0 at oemcomputer>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <01fe01c9e9b1$607f52d0$0600a8c0 at china.huawei.com><002201c9e9ea$488a1dc0$6801a8c0 at oemcomputer><7D5B6351B90B4B7FB309277995E141F9 at NEWTON603><00e901c9e9fa$f7642100$6801a8c0 at oemcomputer><000601c9ea00$00795120$0600a8c0 at china.huawei.com><EBD40065B07A416BB5D47DDD8FC267BD at NEWTON603> <006e01c9ea38$30aeccc0$6801a8c0 at oemcomputer>
Thread-index: AcnqOC2M5DkwrcdOTN2rIwhVupb3TwAX5NQg

Randy Presuhn writes...

> I think the disadvantage is that of introducing yet another special case.
> There is no way to tell the difference between "useless," "eroneous,"
> and "I got there before the configuration updated was pushed to that
> particular node."  (Operationally, the user-group mapping will go out
> before there is any guarantee that all nodes for which that policy will
> be relevant have been updated to include that policy in their repertoire.)
> 
> If we distinguish this case with special handling and counters, do we want
> to propagate an error back to RADIUS-land?  (We have no mechanism for
> delivering any special indication to the SNMP conversation partner.) What
> is the recovery strategy upon receipt of this error, and is it any
> different from any other access-denied situation?

All good questions.  We do need to define behavior for all the corner cases
as part of this effort.

If there is a mismatch in policy/group names between the RADIUS server and
the network devices, users will get authenticated, an SNMP session will
start, e.g. over SSH, but the VACM will not provide any access to MIB
objects.  Is there an SNMP-level error message that will inform the user
where the problem lies?

Follow-Ups:
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder

References:
- [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: David B Harrington
- Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: Randy Presuhn
- [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
  - From: Randy Presuhn

Prev by Date: Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
Next by Date: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Previous by thread: Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
Next by thread: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design /architectureissuesofExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.