Re: [Isms] Moving into some design / architecture issues ofExtendedVACM

To: "'Dave Nelson'" <d.b.nelson at comcast.net>, <isms at ietf.org>
Subject: Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
From: "David Harrington" <ietfdbh at comcast.net>
Date: Fri, 12 Jun 2009 11:38:21 -0400
Delivered-to: isms at core3.amsl.com
In-reply-to: <438E7CA1B8E64074865BDD873BD0ED30 at NEWTON603>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <C656D2E4.36EE6%kaushik at cisco.com><004201c9eb2c$b09c6e20$6801a8c0 at oemcomputer> <438E7CA1B8E64074865BDD873BD0ED30 at NEWTON603>
Thread-index: AcnrLKvJ/OBMkCbvRQup/M3drhPl+AAGbJ2gAAs9+SA=

 

> > "Authoritative source"?  Whoever has the necessary access rights
> > to update the vacmSecurityToGroupTable is authoritative, as far
> > as VACM is concerned...
> 
> That's today's model.  It's not at all clear to me it should 
> be the model
> going forward in a RADIUS-enabled extended VACM.
> 
[...]
> RADIUS needs to be in control of the user-to-group mapping.  
> SNMP is in
> charge of the group-to-access-rights mapping.  Neither should 
> attempt to
> mind the other's business.  Yes, they do need to work in 
> concert, such that
> the set of group is commonly understood.  Having commonly 
> understood group
> names is REQUIRED to be able to use RADIUS in this fashion.

I strongly object to a "VACM extension" that works this way.
That is a totally different access control model, with different
assumptions, and it shoulkd use its own MIB module.

That way VACM and RADIUS-ACM models can coexust.
And THAT is a key tenet of SNMPv3.

dbh

Follow-Ups:
- Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
  - From: David B. Nelson
- Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
  - From: Dave Nelson

References:
- Re: [Isms] Moving into some design / architecture issues of Extended VACM
  - From: kaushik
- Re: [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design / architecture issues ofExtended VACM
  - From: Dave Nelson

Prev by Date: Re: [Isms] Moving into some design / architecture issues ofExtended VACM
Next by Date: Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
Previous by thread: Re: [Isms] Moving into some design / architecture issues ofExtended VACM
Next by thread: Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design / architecture issues ofExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.