Re: [Isms] Moving into some design/architecture issuesofExtendedVACM

To: "'Dave Nelson'" <d.b.nelson at comcast.net>, <isms at ietf.org>
Subject: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
From: "David Harrington" <ietfdbh at comcast.net>
Date: Tue, 16 Jun 2009 18:20:00 -0400
Delivered-to: isms at core3.amsl.com
In-reply-to: <DF63607C56964188990BA875FCEB6FDC at NEWTON603>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <657B1423308A4454B0CE8A9BC3B92D41 at NEWTON603><20090611140545.GA9442 at elstar.local><007601c9eab0$fb7da930$0600a8c0 at china.huawei.com><20090611171411.GA388 at elstar.local><003b01c9ead6$e8e08920$6801a8c0 at oemcomputer><20090611225732.GA840 at elstar.local><0801A762ABE34A88B3FAF6D09192F5BC at NEWTON603><002501c9ee1b$6f5f1600$6801a8c0 at oemcomputer><20090616050156.GA6629 at elstar.local><000401c9ee44$1f2d0240$6801a8c0 at oemcomputer><20090616072902.GB6719 at elstar.local><8E09C8E7F7AC41298C1AAF0979A538C9 at NEWTON603><013b01c9ee85$cd6fff60$0600a8c0 at china.huawei.com> <DF63607C56964188990BA875FCEB6FDC at NEWTON603>
Thread-index: AcnuVc8Kl8jIjfqYTvK3HWeWZgSWPAAJ319QAAIHONAAAMr/sAAAc85w

Hi,

I suggest the RADIUS attributes be stored and associated with a
RADIUS-authorized session. When the session goes down, the attributes
and the session authorization are deleted. The VACM-RADIUS extension
should check whether RADIUS authorization attributes are present and
valid or not, much as SSHTM checks whether we have a present-and-valid
tmStateRefreence. If the session is closed there will be no
authorization attributes available. 

Representing this in a MIB or an ASI construct helps to standardize
this, including the terminology, so we can better check whether
independent implementations will have interoperable assumptions. This
also makes the job for the WG harder. But this may also make the IESG
more comfortable that we have an interoperable solution. An operators
might want to be able to see what is happening regarding RADIUS
authorizations.

I think limiting the MIB-ified part to the VACM user-to-group table,
and augmenting the table using standard MIB things, like lifetime
objects and RowStatus to indicate/manipulate the entries, as Juergen
suggested, could be fairly simple. We might want some type of "void
pointer" in the table to the implementation-dependent
session-associated authorization information. 

We already have a "void pointer" tmSessionID in the tmStateReference
with which the attributes could be associated in an
implementation-dependent manner. 

dbh

> -----Original Message-----
> From: isms-bounces at ietf.org [mailto:isms-bounces at ietf.org] On 
> Behalf Of Dave Nelson
> Sent: Tuesday, June 16, 2009 9:46 AM
> To: isms at ietf.org
> Subject: Re: [Isms] Moving into some design/architecture 
> issuesofExtendedVACM
> 
> David Harrington writes...
> 
> > I think we actually have consensus about persistence.
> > 
> > I think everybody expects that the user-to-group mapping should go
> > away when the radius-authorized session ends; ...
> 
> Excellent!
> 
> > ... we just need to figure how to do that without redesigning
> > snmpv3 and the rfc3411 architecture.
> 
> I eagerly await suggestions, as I have (temporarily) run out of
ideas.
> 
> 
> _______________________________________________
> Isms mailing list
> Isms at ietf.org
> https://www.ietf.org/mailman/listinfo/isms
>

References:
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design /architectureissuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design/architecture issues of ExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design/architecture issues ofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design/architecture issues ofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
  - From: Randy Presuhn
- Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
  - From: Juergen Schoenwaelder
- Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
  - From: Dave Nelson
- Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
  - From: David Harrington
- Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
  - From: Dave Nelson

Prev by Date: Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
Next by Date: Re: [Isms] Further ACM design discussions
Previous by thread: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
Next by thread: Re: [Isms] Moving into some design/architecture issuesofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design/architecture issuesofExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.