[Isms] comments on draft-nelson-isms-extended-vacm-00

Hi,

here are a few comments (posted as a technical contributor) on the
RADIUS / VACM document:

A: How specifically should the document refer to the TSM? Should we try
   to phrase things such that things still work in case we replace TSM
   with something else?

B: I suggest that we do not overwrite existing table entries.

C: The aging I think needs more work so that we can handle situations
   where user joe logs into an agent at t1 and a second time at t2 and
   then the first session ends at t3. The second session should not
   lose the group name mapping entry in this case. So implementations
   somehow need to do some reference counting.

D: I am not sure why the USM discussion in the security considerations
   section is needed.

E: Is there a need for a MIB module exposing an augmentation of the
   VACM table with session/timeout information? Such a table would
   allow a management application that is aware of this extension to
   detect where some name to group mapping entries are originating
   from. But on the other hand, we do not generally indicate where
   some config snippet is originating from in SNMP land...

Though we will have time to discuss things later today in the WG
meeting, I brought this to the list since not all contributors and in
particular the document editors make it to Stockholm.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
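
The reference counting asked for in comment C, combined with the no-overwrite rule of comment B, as an added example that is not part of the original message or of the draft. Keying on securityName alone, the session ids, the group names, and treating a differing group name as a conflict that leaves the entry untouched are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    group: str
    sessions: set = field(default_factory=set)  # sessions referencing this entry
    configured: bool = False                    # existed before any session


class GroupMap:
    """securityName -> groupName mapping with per-session references."""

    def __init__(self, configured=None):
        # Pre-existing entries; sessions never modify or remove them.
        self.entries = {name: Entry(group, configured=True)
                        for name, group in (configured or {}).items()}
        self.by_session = {}  # session id -> securityName it references

    def session_start(self, sid, name, group):
        """Return True if the session now holds a reference to the entry."""
        entry = self.entries.get(name)
        if entry is None:
            entry = self.entries[name] = Entry(group)
        elif entry.configured or entry.group != group:
            return False  # comment B: an existing entry is not overwritten
        entry.sessions.add(sid)
        self.by_session[sid] = name
        return True

    def session_end(self, sid):
        """Drop one reference; remove the entry only when none remain."""
        name = self.by_session.pop(sid, None)
        if name is None:
            return  # session never held a reference
        entry = self.entries[name]
        entry.sessions.discard(sid)
        if not entry.sessions:
            del self.entries[name]

    def group_of(self, name):
        entry = self.entries.get(name)
        return entry.group if entry else None


def replay_comment_c():
    """joe logs in at t1 and again at t2; the first session ends at t3."""
    m = GroupMap(configured={"admin": "full-access"})  # constructed sample data
    m.session_start("s1", "joe", "operators")   # t1
    m.session_start("s2", "joe", "operators")   # t2
    m.session_end("s1")                         # t3
    after_t3 = m.group_of("joe")                # second session still mapped
    m.session_end("s2")
    return after_t3, m.group_of("joe")
```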