Re: [Isms] Moving into some design /architectureissuesofExtendedVACM

To: Randy Presuhn <randy_presuhn at mindspring.com>
Subject: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
From: Juergen Schoenwaelder <j.schoenwaelder at jacobs-university.de>
Date: Fri, 12 Jun 2009 00:57:32 +0200
Cc: "isms at ietf.org" <isms at ietf.org>
Delivered-to: isms at core3.amsl.com
In-reply-to: <003b01c9ead6$e8e08920$6801a8c0 at oemcomputer>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Mail-followup-to: Randy Presuhn <randy_presuhn at mindspring.com>, "isms at ietf.org" <isms at ietf.org>
References: <7D5B6351B90B4B7FB309277995E141F9 at NEWTON603> <00e901c9e9fa$f7642100$6801a8c0 at oemcomputer> <000601c9ea00$00795120$0600a8c0 at china.huawei.com> <EBD40065B07A416BB5D47DDD8FC267BD at NEWTON603> <006e01c9ea38$30aeccc0$6801a8c0 at oemcomputer> <657B1423308A4454B0CE8A9BC3B92D41 at NEWTON603> <20090611140545.GA9442 at elstar.local> <007601c9eab0$fb7da930$0600a8c0 at china.huawei.com> <20090611171411.GA388 at elstar.local> <003b01c9ead6$e8e08920$6801a8c0 at oemcomputer>
Reply-to: Juergen Schoenwaelder <j.schoenwaelder at jacobs-university.de>
User-agent: Mutt/1.5.19 (2009-01-05)

On Thu, Jun 11, 2009 at 10:55:09PM +0200, Randy Presuhn wrote:

> > But the minimum we have to do is to specify what the RADIUS client
> > does if the creation fails.
> 
> Yup, and I think the answer is "nothing."  There's no channel for
> signalling back the failure.  From an implementation perspective,
> if there aren't resources to create/update a vacmSecurityToGroupEntry,
> then I'd be wary of trying to do things like queue up special-purpose
> notifications for the security administrator, who'd be the one who'd have
> to figure out a recovery strategy.

I am talking in general about a failure to install the requested
policy / name to group mapping - not just about the resource shortage
case.

Suppose the RADIUS server tells the RADIUS client that "joe" using
"TSM" is authorized for the management policy "restricted" but the
attempt of the RADIUS client to install this policy fails since for
some reason (e.g., there exists an entry for "joe" using "TSM" using
group "poweruser" that for whatever reason can't be modified). Is it
OK to ignore the failure and to let "joe" now use the "poweruser"
rights?  Or should the RADIUS client do something like deny
authentication of joe's session if it can't install the management
policy, or kill joe's session if it is already there (likely a
challenge to write down due to the architectural model we have, but
likely easy to implement ;-).

My understanding is that RADIUS decisions are of the kind "here is
exactly what you do or you deny service" (RADIUS folks, please correct
me if I am wrong). If this is the case, simply ignoring a failure to
install the requested policy sounds kind of wrong.

/js

PS: Does the RADIUS client have the "rights" to modify any existing
    writable matching table entries? Will it revert the changes when
    the session dies?

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

Follow-Ups:
- Re: [Isms] Moving into some design/architecture issues of ExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design/architectureissuesofExtendedVACM
  - From: Randy Presuhn

References:
- [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Randy Presuhn

Prev by Date: Re: [Isms] Moving into some design / architecture issues of Extended VACM
Next by Date: Re: [Isms] Moving into some design/architectureissuesofExtendedVACM
Previous by thread: Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
Next by thread: Re: [Isms] Moving into some design/architectureissuesofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design /architectureissuesofExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.