Re: [Isms] Moving into some design / architecture issues of Extended VACM

To: Dave Nelson <d.b.nelson at comcast.net>, <isms at ietf.org>
Subject: Re: [Isms] Moving into some design / architecture issues of Extended VACM
From: kaushik <kaushik at cisco.com>
Date: Thu, 11 Jun 2009 15:27:32 -0700
Authentication-results: sj-dkim-3; header.From=kaushik at cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Delivered-to: isms at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=1017; t=1244759262; x=1245623262; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=kaushik at cisco.com; z=From:=20kaushik=20<kaushik at cisco.com> |Subject:=20Re=3A=20[Isms]=20Moving=20into=20some=20design= 20/=20architecture=20issues=20of=20Extended=0A=20VACM |Sender:=20; bh=E6+FOnuSSs3vwOv4RYjxiWyhJDP1cjXtm5qkHAftAi4=; b=ed0I8XM8cbOE2j01aHE8IZ5scK+j6oIACcCNpgG3bLxeH6gLqcMNNAQYV8 bsdpCBqFXhJ7G33aeB+HnrwWy4mGQhwhzGyTFoxTkaJr06PdfqRo3w7tCWek ccJM3JUhEP;
In-reply-to: <7D5B6351B90B4B7FB309277995E141F9 at NEWTON603>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Thread-index: Acnp6kQLntCJEWlYRvCj/boKTapkQAAC9KRAADtuRmg=
Thread-topic: [Isms] Moving into some design / architecture issues of Extended VACM
User-agent: Microsoft-Entourage/12.12.0.080729

Hi Randy,

Please find my reply inline.

<snipped>

>> (2) if one does not already exist, a corresponding entry is created
>> in the vacmSecurityToGroupTable.
> 
> That, I think, is a potential security hole that you could drive a whole
> fleet of trucks through.  Creating a table entry with some default, null or
> wildcard set of access control rules seems like a very bad idea.  It's good
> for ease-of-use, but bad for security.
> 
> 

<Kaushik> 

The issue I have with this model is that we are using the RADIUS
user-to-group mapping which is a temporal association valid for the duration
of the session and provisioning a persistent piece of configuration on the
SNMP engine. I am not sure the semantics match and this could create
potential problems around whether the RADIUS server or SNMP engine is
authoritative source for user-to-group mapping since entries can be added to
the vacmSecurityToGroupTable without knowledge of the RADIUS server.

Regards,
 kaushik

</Kaushik>

Follow-Ups:
- Re: [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architecture issues of Extended VACM
  - From: David Harrington

References:
- [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson

Prev by Date: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Next by Date: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Previous by thread: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Next by thread: Re: [Isms] Moving into some design / architecture issues of Extended VACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design / architecture issues of Extended VACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.