Re: [Isms] Moving into some design / architecture issues of Extended VACM
On Tue, Jun 16, 2009 at 02:53:57 AM +0200, Randy Presuhn wrote:
>
> I think it has a real problem from the perspective of security configuration
> management. A security administrator should be able to find out how
> a system's security policy is configured, regardless of whether RADIUS
> is in use. This means the "shadow" table would need to be visible to
> management. However, the security administrator should also be able
> to configure and update the "real" VACM configuration whether RADIUS
> is in use at the moment or not. This means that "write" operations
> would need to affect both the shadow and the "real" configuration.
> However, to determine whether the "real" configuration is in need of
> update, it must be possible for the administrator to retrieve it. This
> conflict is irreconcilable.
>
> To kluge around it, I think you'd have to use a separate SNMP context for the
> shadow. This is just too ugly and convoluted a thing to do for no real
> benefit, particularly since it would require standardizing a context name
> for this kluge.
I do not think you need to mess around with contexts. If we can make
multiple ACMs work, the problem has a solution.
/js
--
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>