Re: [Isms] Moving into some design /architectureissuesofExtendedVACM

To: Dave Nelson <d.b.nelson at comcast.net>
Subject: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
From: Juergen Schoenwaelder <j.schoenwaelder at jacobs-university.de>
Date: Thu, 11 Jun 2009 16:05:45 +0200
Cc: "isms at ietf.org" <isms at ietf.org>
Delivered-to: isms at core3.amsl.com
In-reply-to: <657B1423308A4454B0CE8A9BC3B92D41 at NEWTON603>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Mail-followup-to: Dave Nelson <d.b.nelson at comcast.net>, "isms at ietf.org" <isms at ietf.org>
References: <01fe01c9e9b1$607f52d0$0600a8c0 at china.huawei.com> <002201c9e9ea$488a1dc0$6801a8c0 at oemcomputer> <7D5B6351B90B4B7FB309277995E141F9 at NEWTON603> <00e901c9e9fa$f7642100$6801a8c0 at oemcomputer> <000601c9ea00$00795120$0600a8c0 at china.huawei.com> <EBD40065B07A416BB5D47DDD8FC267BD at NEWTON603> <006e01c9ea38$30aeccc0$6801a8c0 at oemcomputer> <657B1423308A4454B0CE8A9BC3B92D41 at NEWTON603>
Reply-to: Juergen Schoenwaelder <j.schoenwaelder at jacobs-university.de>
User-agent: Mutt/1.5.19 (2009-01-05)

On Thu, Jun 11, 2009 at 03:28:34PM +0200, Dave Nelson wrote:
> Randy Presuhn writes...
> 
> > I think the disadvantage is that of introducing yet another special case.
> > There is no way to tell the difference between "useless," "eroneous,"
> > and "I got there before the configuration updated was pushed to that
> > particular node."  (Operationally, the user-group mapping will go out
> > before there is any guarantee that all nodes for which that policy will
> > be relevant have been updated to include that policy in their repertoire.)
> > 
> > If we distinguish this case with special handling and counters, do we want
> > to propagate an error back to RADIUS-land?  (We have no mechanism for
> > delivering any special indication to the SNMP conversation partner.) What
> > is the recovery strategy upon receipt of this error, and is it any
> > different from any other access-denied situation?
> 
> All good questions.  We do need to define behavior for all the corner cases
> as part of this effort.

No, the behaviour is already defined in VACM. Just be happy with what
it does and the lets move on. ;-)

> If there is a mismatch in policy/group names between the RADIUS server and
> the network devices, users will get authenticated, an SNMP session will
> start, e.g. over SSH, but the VACM will not provide any access to MIB
> objects.  Is there an SNMP-level error message that will inform the user
> where the problem lies?

According to RFC 3413 section 3.2. (page 11), I think this should
result in an authorizationError.

But more important: SNMP has defined ways to handle this situation,
which can occur due to manual mis-configuration of VACM tables. It
should not make any difference whether the "broken" group name was
manually configured or installed by a RADIUS client.

But there are some interesting questions to work out: What is the
behaviour if a RADIUS client receives a policy attributes but the
vacmSecurityToGroupTable has already a (different) entry for the
(securityModel, securityName) tuple? Who wins in this situation - or
does this even cause the authentication of the incoming request to
fail? What happens if no new entries can be created anymore due to
resource limitations? These are examples of new error situations
that we have to deal with.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

Follow-Ups:
- Re: [Isms] Moving into some design/architecture issues of ExtendedVACM
  - From: David B. Nelson
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: David Harrington

References:
- [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: David B Harrington
- Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: Randy Presuhn
- [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Dave Nelson

Prev by Date: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Next by Date: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Previous by thread: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Next by thread: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design /architectureissuesofExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.