Re: [Isms] Moving into some design/architecture issuesofExtendedVACM

To: <isms at ietf.org>
Subject: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
From: "Randy Presuhn" <randy_presuhn at mindspring.com>
Date: Mon, 15 Jun 2009 22:34:27 -0700
Delivered-to: isms at core3.amsl.com
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=mindspring.com; b=gMPem0caebT3enkl5nbWiThnsgUnm5YlohkoF8Rpq/Jt6hz+ukkmffx3pli18bVC; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP;
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <EBD40065B07A416BB5D47DDD8FC267BD at NEWTON603> <006e01c9ea38$30aeccc0$6801a8c0 at oemcomputer> <657B1423308A4454B0CE8A9BC3B92D41 at NEWTON603> <20090611140545.GA9442 at elstar.local> <007601c9eab0$fb7da930$0600a8c0 at china.huawei.com> <20090611171411.GA388 at elstar.local> <003b01c9ead6$e8e08920$6801a8c0 at oemcomputer> <20090611225732.GA840 at elstar.local> <0801A762ABE34A88B3FAF6D09192F5BC at NEWTON603> <002501c9ee1b$6f5f1600$6801a8c0 at oemcomputer> <20090616050156.GA6629 at elstar.local>

Hi -

> From: "Juergen Schoenwaelder" <j.schoenwaelder at jacobs-university.de>
> To: "Randy Presuhn" <randy_presuhn at mindspring.com>
> Cc: <isms at ietf.org>
> Sent: Monday, June 15, 2009 10:01 PM
> Subject: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
...
> you have the same probem if I as the security administrator change the
> VACM table and then RADIUS comes in and simply changes what I have
> carefully configured.

I don't think this is operationally a problem.

As a matter of sanity, we have to assume that what the security administrator
tells RADIUS to do is the same as what he wants the SNMP-alone policy to be.
If they're at odds, he's got a bigger problem than we can solve here.

So the cases we need to worry about are those where SNMP and RADIUS
policy updates get out of phase.  The case you describe is the worst case
that can happen with a sane adminstrator, so it's worth exploring.

Consider what a security administrator needs to do to effect a policy change:
  (1) he needs to tell the RADIUS servers about the change
  (2) he needs to tell the SNMP management infrastructure about the change

(1) is going to generally propagate faster than (2), particularly since
(2) isn't complete until ever single managed device in the administrative
domain has been updated.

Even in the case that  (2) happens for some node before the
RADIUS servers are notified of the policy change,
it will "heal" when the RADIUS server is finally updated
and that user needs access again.  Furthermore, this behaviour is
in line with the "RADIUS is always definitive" philosophy folks
have been arguing for.

This worst-case scenario is still more desirable than the failure
mode I described with the proposed "revert" behaviour.

> I tend to agree with Dave Nelson that having a
> single table modified by two different entities is likely asking for
> trouble. You might argue that the problem is really the conflict
> between RADIUS policy and the security administrator's policy. My
> counter argument to that is that if both would be in fine synchrony,
> we would not need the RADIUS interface in the first place.

No, demanding synchronization is unrealistic.  We need to assume
they'll be out of sync at least some of the time, but we also should
assume that it's operationally desirable for them to converge.
Consequently, the "dueling manager" scenarios fall under the
general rubric of "don't do that", and we only need to check through
the cases where things are temporarily out of sync to understand
the implications.  In those cases, as far as I can tell, nothing worse
happens than would occur if updates were slow to be propageted
to the RADIUS servers in the absence of SNMP-based policy
updates.

Randy

Follow-Ups:
- Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
  - From: Juergen Schoenwaelder

References:
- Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architectureissuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design/architecture issues of ExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design/architecture issues ofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design/architecture issues ofExtendedVACM
  - From: Juergen Schoenwaelder

Prev by Date: Re: [Isms] Moving into some design / architecture issues ofExtended VACM
Next by Date: Re: [Isms] Moving into some design / architecture issuesofExtended VACM
Previous by thread: Re: [Isms] Moving into some design/architecture issues ofExtendedVACM
Next by thread: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design/architecture issuesofExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.