Re: [Isms] comments on draft-nelson-isms-extended-vacm-00



Hi,
 
There would be no RADIUS attributes available if the transport model doesn't support RADIUS.
Of course, that works on incoming traffic.
 
For notifications, access control is done before authentication in SNMP, so there would be no RADIUS attributes available (at least for the first time).
I assume notifications might use pre-configured access controls.
 
dbh


From: d.b.nelson at comcast.net [mailto:d.b.nelson at comcast.net]
Sent: Monday, July 27, 2009 4:30 PM
To: David Harrington
Cc: isms at ietf.org; Juergen Schoenwaelder
Subject: Re: [Isms] comments on draft-nelson-isms-extended-vacm-00

David Harrington writes...

> The RADIUS management attributes are principal-specific.
> The principal-specific attributes can be found using
> securitymodel/securityname/securitylevel.
> isAccessAllowed already supports these fields.

Yes.

I think another way to frame Juergen's original comment is why the (augmented) VACM tables should use TSM in the securityModel field.

My answer was that it need not be restricted to TSM, but it would need to be restricted to some security model that was "dependent" on a RADIUS-aware transport model.  Today, that means TSM.

