Re: [Isms] Moving into some design / architecture issues of Extended VACM



Randy Presuhn writes...

> "Authoritative source"?  Whoever has the necessary access rights
> to update the vacmSecurityToGroupTable is authoritative, as far
> as VACM is concerned...

That's today's model.  It's not at all clear to me it should be the model
going forward in a RADIUS-enabled extended VACM.

> ...and whatever the current configuration of VACM is will govern
> who can do what to anything via SNMP.

Correct.

> I think the crucial point is whether the information coming
> from the RADIUS server is trusted as much as information coming
> from a security administrator.

Right.  The use case we're talking about is one in which the "security
administrator" has been effectively replaced by the RADIUS server.  The
notion that RADIUS authorization information is considered advisory and
secondary to locally configured data is contrary to the way RADIUS is
intended to be used.  Local data can be used to place certain limitations on
the services provisioned by RADIUS, but that's almost always in the form of
limitations on the consumption of NAS resources.  RADIUS servers are,
generally speaking, unaware of such resource limitations in the NAS.

> If the RADIUS server is not trusted as much as a security 
> administrator, then information from it should not be used
> for making user/group mapping decisions.

I'd go further. If the RADIUS server is not trusted more than the security
administrator, then the I-D we're talking about here is simply not applicable
to the use case.  Let's all go home.

> Consider the operational scenario where the update of the RADIUS
> server is slightly out-of-phase with a VACM access control policy
> push.

RADIUS needs to be in control of the user-to-group mapping.  SNMP is in
charge of the group-to-access-rights mapping.  Neither should attempt to
mind the other's business.  Yes, they do need to work in concert, such that
the set of groups is commonly understood.  Having commonly understood group
names is REQUIRED to be able to use RADIUS in this fashion.
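The split argued for above (RADIUS owns user-to-group, the local VACM configuration owns group-to-access-rights) and the out-of-phase scenario raised earlier in the thread can be modelled in a few lines. The following is an added illustration, not code from the ISMS I-D, the list discussion, or any SNMP engine: the table shapes are cut down from VACM's vacmSecurityToGroupTable and vacmAccessTable, the RADIUS reply structure and its `group` field are hypothetical stand-ins for whatever attribute would carry the group name, and the user and group names are constructed sample data. The point it shows is that a group name returned by RADIUS which the local access table does not understand must yield no rights and be surfaced for reconciliation, which is why commonly understood group names are a hard requirement.

```python
"""Toy model of RADIUS-driven user-to-group mapping combined with a locally
administered group-to-access-rights table. Constructed example; not the
I-D's mechanism and not a real SNMP engine."""

from dataclasses import dataclass
from typing import Optional, Dict, Set, Tuple

# Locally configured, SNMP-administered mapping (a cut-down vacmAccessTable):
# group name -> set of permitted operations.  RADIUS never touches this.
VACM_ACCESS: Dict[str, Set[str]] = {
    "operators": {"read"},
    "admins": {"read", "write", "notify"},
}


@dataclass
class RadiusReply:
    """Hypothetical stand-in for an Access-Accept/Reject.  'group' models an
    attribute carrying the VACM group name; the attribute itself is assumed."""
    accepted: bool
    group: Optional[str] = None


# Constructed RADIUS server state: user -> reply it would return.
# 'carol' references a group that the local VACM table has not been told about
# yet, i.e. the RADIUS side is ahead of the VACM policy push.
RADIUS_DB: Dict[str, RadiusReply] = {
    "alice": RadiusReply(True, "admins"),
    "bob": RadiusReply(True, "operators"),
    "carol": RadiusReply(True, "auditors"),
    "mallory": RadiusReply(False),
}


def radius_authorize(user: str) -> RadiusReply:
    """Stand-in for the RADIUS exchange; unknown users are rejected."""
    return RADIUS_DB.get(user, RadiusReply(False))


def security_to_group(reply: RadiusReply) -> Optional[str]:
    """RADIUS owns this mapping: the engine takes the group RADIUS named and
    does not consult a locally configured vacmSecurityToGroupTable at all."""
    if not reply.accepted or reply.group is None:
        return None
    return reply.group


def is_allowed(user: str, operation: str,
               access_table: Dict[str, Set[str]] = VACM_ACCESS
               ) -> Tuple[bool, str]:
    """Combine the two mappings.  Returns (decision, reason).

    A group RADIUS returns that the local access table does not know yields
    no rights (fail closed) and a reason string an operator can act on; the
    engine neither guesses a group nor falls back to some local default."""
    group = security_to_group(radius_authorize(user))
    if group is None:
        return False, "radius-reject"
    rights = access_table.get(group)
    if rights is None:
        return False, f"unknown-group:{group}"
    return operation in rights, group


def groups_missing_locally(radius_db: Dict[str, RadiusReply] = RADIUS_DB,
                           access_table: Dict[str, Set[str]] = VACM_ACCESS
                           ) -> Set[str]:
    """Reconciliation check: group names RADIUS hands out that VACM lacks.
    A non-empty result means the two sides are out of phase."""
    return {
        r.group for r in radius_db.values()
        if r.accepted and r.group is not None and r.group not in access_table
    }


if __name__ == "__main__":
    for user, op in [("alice", "write"), ("bob", "write"),
                     ("carol", "read"), ("mallory", "read")]:
        print(user, op, is_allowed(user, op))
    print("groups RADIUS uses that VACM does not know:",
          groups_missing_locally())
```

Running the module shows `carol` denied with `unknown-group:auditors` until the local table learns the `auditors` group; once `VACM_ACCESS["auditors"]` is configured, the same RADIUS reply starts granting exactly the rights the local administrator chose for that group, with neither side having touched the other's mapping.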



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.