Re: [Isms] Moving into some design/architecture issues ofExtendedVACM

To: Randy Presuhn <randy_presuhn at mindspring.com>
Subject: Re: [Isms] Moving into some design/architecture issues ofExtendedVACM
From: Juergen Schoenwaelder <j.schoenwaelder at jacobs-university.de>
Date: Tue, 16 Jun 2009 07:01:56 +0200
Cc: "isms at ietf.org" <isms at ietf.org>
Delivered-to: isms at core3.amsl.com
In-reply-to: <002501c9ee1b$6f5f1600$6801a8c0 at oemcomputer>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Mail-followup-to: Randy Presuhn <randy_presuhn at mindspring.com>, "isms at ietf.org" <isms at ietf.org>
References: <EBD40065B07A416BB5D47DDD8FC267BD at NEWTON603> <006e01c9ea38$30aeccc0$6801a8c0 at oemcomputer> <657B1423308A4454B0CE8A9BC3B92D41 at NEWTON603> <20090611140545.GA9442 at elstar.local> <007601c9eab0$fb7da930$0600a8c0 at china.huawei.com> <20090611171411.GA388 at elstar.local> <003b01c9ead6$e8e08920$6801a8c0 at oemcomputer> <20090611225732.GA840 at elstar.local> <0801A762ABE34A88B3FAF6D09192F5BC at NEWTON603> <002501c9ee1b$6f5f1600$6801a8c0 at oemcomputer>
Reply-to: Juergen Schoenwaelder <j.schoenwaelder at jacobs-university.de>
User-agent: Mutt/1.5.19 (2009-01-05)

On Tue, Jun 16, 2009 at 02:43:14AM +0200, Randy Presuhn wrote:
> Hi -
> 
> > From: "Dave Nelson" <d.b.nelson at comcast.net>
> > To: <isms at ietf.org>
> > Sent: Thursday, June 11, 2009 8:54 PM
> > Subject: Re: [Isms] Moving into some design/architecture issues ofExtendedVACM
> ...
> > > PS: Does the RADIUS client have the "rights" to modify any existing
> > >     writable matching table entries? Will it revert the changes when
> > >     the session dies?
> > 
> > I think it needs to revert, yes.
> > 
> > While we talk loosely of the RADIUS authorization information being used to
> > update the VACM MIB Module in the same sense that the SNMP engine would do
> > in response to an SNMP SET, we may be taking this too literally.  I think
> > that the RADIUS information kept by the VACM Extension should be transient,
> > with a lifetime limited to that of the secure transport session.
> ...
> 
> Repeating myself: this would interact badly with security policy updates.
> It is much safer for changes to vacmGroupName in a vacmSecurityToGroupEntry
> to behave just like they would if they had been set.  If they can "revert", then an entry
> which appeared to be up-to-date when inspected by a security administrator could
> silently become not-up-to-date because a secure transport session ended.
> This would make a hash  of security policy configuration management.
> 
> Simple really is preferable here.  It's less work for the implementor,
> both of management applications and in the guts of the SNMP implementation.
> It's less work for the security administrator.  And it would be a lot simpler
> for this WG.

Randy,

you have the same probem if I as the security administrator change the
VACM table and then RADIUS comes in and simply changes what I have
carefully configured. I tend to agree with Dave Nelson that having a
single table modified by two different entities is likely asking for
trouble. You might argue that the problem is really the conflict
between RADIUS policy and the security administrator's policy. My
counter argument to that is that if both would be in fine synchrony,
we would not need the RADIUS interface in the first place.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

Follow-Ups:
- Re: [Isms] Moving into some design/architectureissues ofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
  - From: Randy Presuhn

References:
- Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design/architecture issues of ExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design/architecture issues ofExtendedVACM
  - From: Randy Presuhn

Prev by Date: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
Next by Date: Re: [Isms] Moving into some design / architecture issues ofExtended VACM
Previous by thread: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
Next by thread: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design/architecture issues ofExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.