Re: [Isms] Moving into some design / architectureissues ofExtendedVACM

To: "'David Harrington'" <ietfdbh at comcast.net>, "'Juergen Schoenwaelder'" <j.schoenwaelder at jacobs-university.de>, "'Randy Presuhn'" <randy_presuhn at mindspring.com>
Subject: Re: [Isms] Moving into some design / architectureissues ofExtendedVACM
From: "Dave Nelson" <d.b.nelson at comcast.net>
Date: Tue, 16 Jun 2009 09:29:54 -0400
Cc: isms at ietf.org
Delivered-to: isms at core3.amsl.com
In-reply-to: <013901c9ee82$c6d13b90$0600a8c0 at china.huawei.com>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <7D5B6351B90B4B7FB309277995E141F9 at NEWTON603><C656D2E4.36EE6%kaushik at cisco.com><CDE812BAFEBA4D059FF4B3B7EC3CAF46 at NEWTON603><002a01c9ee1c$eeb36900$6801a8c0 at oemcomputer><20090616050714.GB6629 at elstar.local> <013901c9ee82$c6d13b90$0600a8c0 at china.huawei.com>
Thread-index: AcnuQFSDvzhgJK2LRtmkwMtDYTdIvQAQU4WAAADw9fA=

David Harrington writes...

> For non-emergency uses, RADIUS could specify the precedence
> order for a group, but somehow, the security admin needs to be
> able to say that "this group needs authorization to override 
> a RADIUS rejection".

I think you're making this *way* too complicated.

First, I don't believe there is a real market requirement for
fine-granularity precedence of AAA sources.  One can posit hypothetical
scenarios where it could be useful, but I think that's outside the
80-percent problem.

Second, no one should *ever* be able to override a RADIUS reject.  If there
is a problem with the RADIUS service, then a good design is to have one (or
a very small number) of locally configured user identities that bypass
RADIUS altogether -- the analog of the "root" account in the /etc/passwd
file.  Having a simple selection mechanism to choose between using RADIUS or
local data is sufficient, and that could be as simple as "root" is always a
local account.

Once you get into the business of second guessing the authoritative AAA
service, as to access control decisions, "Abandon Hope All Ye Who Enter
Here".

References:
- [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architecture issues of Extended VACM
  - From: kaushik
- Re: [Isms] Moving into some design / architecture issues of Extended VACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design / architecture issues ofExtended VACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design / architecture issues ofExtended VACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
  - From: David Harrington

Prev by Date: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
Next by Date: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
Previous by thread: Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
Next by thread: Re: [Isms] Moving into some design / architecture issues ofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design / architectureissues ofExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.