Re: [Isms] Moving into some design/architecture issues of ExtendedVACM
Hi,
I think we actually have consensus about persistence.
I think everybody expects that the user-to-group mapping should go
away when the radius-authorized session ends; we just need to figure
how to do that without redesigning snmpv3 and the rfc3411
architecture.
I do not think we have consensus on reverting.
dbh
> -----Original Message-----
> From: isms-bounces at ietf.org [mailto:isms-bounces at ietf.org] On
> Behalf Of Dave Nelson
> Sent: Tuesday, June 16, 2009 8:39 AM
> To: isms at ietf.org
> Subject: Re: [Isms] Moving into some design/architecture issues of ExtendedVACM
>
> Juergen Schoenwaelder writes...
>
> > I am familiar with environments where the SNMP configuration
> > is rather static and never changed unless really really really
> > necessary.
>
> I suspect that this broadly applies to the access control rules and the
> "roles" that are defined by the collections of rules, i.e. the "groups". I
> think that "roles" change very infrequently, once initially debugged and
> tuned, unless something in the organization changes, such as a different
> division of responsibilities or some new type of equipment with new
> management challenges is introduced.
>
> I think it's fair to say that the group definitions are semi-static, and
> managed by traditional SNMP access. These definitions are certainly *not*
> managed by RADIUS.
>
> I also think it's fair to say that most organizations have only a handful of
> roles / groups. What changes most frequently is the assignment of people to
> roles. From all the postings to date, I believe we have rough consensus on
> that much.
>
> What seems to be in contention is *how* the dynamic information from RADIUS
> is applied.
>
> The issue that seems to be most contentious is whether the securityName to
> groupName binding provided by RADIUS is persistent in the NAS after the
> session has ended. While this is the way SNMP works it is not the way
> RADIUS works. This is the root of the disagreement -- very different
> persistence models between RADIUS provisioning and SNMP provisioning. Each
> camp naturally views the issues from their own experience base and comfort
> zone.
>
> How do we resolve this?
>
>
> _______________________________________________
> Isms mailing list
> Isms at ietf.org
> https://www.ietf.org/mailman/listinfo/isms
>
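The two persistence models the thread contrasts, as an added illustration that is not code from the ISMS working group or any SNMP agent: rows in a VACM-style securityName-to-groupName table configured over SNMP persist, while rows pushed by RADIUS are owned by a session and evicted when it ends. The table layout, the session ids and the rule that a static row is not overridden by a RADIUS row are assumptions of this example, not something the thread settles.

```python
from dataclasses import dataclass, field

# Constructed model, not ISMS working-group or SNMP agent code, of the two
# persistence models the thread contrasts. Keys mirror the index of
# vacmSecurityToGroupTable: (securityModel, securityName); 3 = USM.

@dataclass
class SecurityToGroupTable:
    static: dict = field(default_factory=dict)   # key -> group, set over SNMP
    dynamic: dict = field(default_factory=dict)  # key -> (group, session id)

    def configure_static(self, model, name, group):
        # Traditional SNMP provisioning: the row persists until removed.
        self.static[(model, name)] = group

    def session_start(self, session_id, model, name, group):
        # RADIUS provisioning: the row lives only as long as the session.
        # Assumption the thread does not settle: an existing static row is
        # operator intent, so a conflicting dynamic row is refused.
        key = (model, name)
        if key in self.static:
            return False
        self.dynamic[key] = (group, session_id)
        return True

    def session_end(self, session_id):
        # Evict every row owned by the ended session; return how many.
        doomed = [k for k, (_, sid) in self.dynamic.items() if sid == session_id]
        for k in doomed:
            del self.dynamic[k]
        return len(doomed)

    def lookup(self, model, name):
        # Group for an incoming request, or None (VACM then denies access).
        key = (model, name)
        if key in self.static:
            return self.static[key]
        if key in self.dynamic:
            return self.dynamic[key][0]
        return None

def demo():
    # Constructed walk-through: one static admin row, one RADIUS session.
    t = SecurityToGroupTable()
    t.configure_static(3, "admin", "full-access")
    t.session_start("sess-1", 3, "alice", "read-only")
    during = t.lookup(3, "alice")   # "read-only" while the session is up
    t.session_end("sess-1")
    after = t.lookup(3, "alice")    # None: the binding left with the session
    return during, after, t.lookup(3, "admin")
```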
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.