Re: [Isms] Moving into some design/architectureissuesofExtendedVACM

To: "'Juergen Schoenwaelder'" <j.schoenwaelder at jacobs-university.de>
Subject: Re: [Isms] Moving into some design/architectureissuesofExtendedVACM
From: "David Harrington" <ietfdbh at comcast.net>
Date: Thu, 11 Jun 2009 13:26:01 -0400
Cc: isms at ietf.org
Delivered-to: isms at core3.amsl.com
In-reply-to: <20090611171411.GA388 at elstar.local>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <01fe01c9e9b1$607f52d0$0600a8c0 at china.huawei.com> <002201c9e9ea$488a1dc0$6801a8c0 at oemcomputer> <7D5B6351B90B4B7FB309277995E141F9 at NEWTON603> <00e901c9e9fa$f7642100$6801a8c0 at oemcomputer> <000601c9ea00$00795120$0600a8c0 at china.huawei.com> <EBD40065B07A416BB5D47DDD8FC267BD at NEWTON603> <006e01c9ea38$30aeccc0$6801a8c0 at oemcomputer> <657B1423308A4454B0CE8A9BC3B92D41 at NEWTON603> <20090611140545.GA9442 at elstar.local> <007601c9eab0$fb7da930$0600a8c0 at china.huawei.com> <20090611171411.GA388 at elstar.local>
Thread-index: AcnquA40mmiN69sfRgyXI5Tq2P4ZGAAAZ2KA

+1 

> -----Original Message-----
> From: Juergen Schoenwaelder 
> [mailto:j.schoenwaelder at jacobs-university.de] 
> Sent: Thursday, June 11, 2009 1:14 PM
> To: David Harrington
> Cc: 'Dave Nelson'; isms at ietf.org
> Subject: Re: [Isms] Moving into some 
> design/architectureissuesofExtendedVACM
> 
> On Thu, Jun 11, 2009 at 06:23:40PM +0200, David Harrington wrote:
>  
> > agreed.
> > 
> > > 
> > > But there are some interesting questions to work out: What is
the
> > > behaviour if a RADIUS client receives a policy attributes but
the
> > > vacmSecurityToGroupTable has already a (different) entry for the
> > > (securityModel, securityName) tuple? 
> > 
> > If we tried to do this with a SET what would happen? If it 
> would fail
> > as a SET, then it should fail as a dynamic creation. You 
> might want to
> > use a different counter for the dynamic creation failure.
> > 
> > > Who wins in this situation - or
> > > does this even cause the authentication of the incoming request
to
> > > fail? 
> > 
> > If the row contains a RowStatus, would that make a difference?
> 
> The table has a RowStatus and a StorageType column and thus there
are
> quite a number of possible failure modes...
>  
> > > What happens if no new entries can be created anymore due to
> > > resource limitations? 
> > 
> > If we tried to do this with a SET, what would happen? we should be
> > consistent, although we have no way of sending back an 
> error RESPONSE
> > message.
> 
> My point is that have to define what the RADIUS client does in case
> the attempt to push something into the vacmSecurityToGroupTable
fails
> - and depending on how long we want to work on this, we might go
into
> all the details of distinguishing different failure modes. It will
> sure get complicated if we make it complicated.
> 
> But the minimum we have to do is to specify what the RADIUS client
> does if the creation fails. And I think we should avoid making this
> really more complicated.
> 
> /js
> 
> -- 
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
>

Follow-Ups:
- Re: [Isms] Moving into some design/architectureissuesofExtendedVACM
  - From: David B. Nelson

References:
- [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: David B Harrington
- Re: [Isms] FW: [OPS-DIR] [MIB-DOCTORS] FW: Recharter: ISMS
  - From: Randy Presuhn
- [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder

Prev by Date: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Next by Date: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Previous by thread: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Next by thread: Re: [Isms] Moving into some design/architectureissuesofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design/architectureissuesofExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.