[MIB-DOCTORS] FW: Recharter: ISMS
Please send me your comments and concerns before Wednesday 6/17.
Thanks and Regards,
Dan
-----Original Message-----
From: iesg-bounces at ietf.org [mailto:iesg-bounces at ietf.org] On Behalf Of
Pasi.Eronen at nokia.com
Sent: Tuesday, June 09, 2009 10:55 AM
To: iesg at ietf.org
Subject: Recharter: ISMS
[Secretariat (Bcc'd), please place this on 2009-06-18 agenda for IETF
review, and send out an internal review announcement]
ISMS WG has completed its major deliverables for securing SNMP with SSH,
and is planning to take on new work: obtaining VACM authorization
information via RADIUS, and specifying TLS/DTLS based transport for
SNMP. The proposed charter text is included below.
Tim and I are still looking for a co-chair (Juergen Schoenwaelder has
indicated that he cannot continue as the only chair, and will not be
able to attend IETF76 and IETF77), but let's review the contents while
Tim and I look for someone...
Best regards,
Pasi
---------------------------------------------------------------------
Integrated Security Model for SNMP (isms)
Description of Working Group:
The Simple Network Management Protocol version 3 (SNMPv3) provides
message security services through the security subsystem. Previously
the ISMS Working Group defined a Transport Subsystem definition, a new
Transport Security Model, and a Secure Shell Transport Model and a
method for authenticating SNMPv3 users via the Remote Authentication
Dial-In User Service (RADIUS). The initial body of work to be tackled
by the working group involved only these pieces. Additional work on
other transport models and other security extensions was to wait until
the initial transport architecture and defining documents were
completed.
It is now possible to authenticate SNMPv3 messages via RADIUS when
those messages are sent over the newly defined SSH transport.
However, it still remains impossible to centrally authorize a given SNMP
transaction as on-device pre-existing authorization configuration is
still required. In order to leverage a centralized RADIUS service to
its full extent, the access control decision in the Access Control
Subsystem needs to be based on authorization information received from
RADIUS as well. The result will be an extension to the View-based
Access Control Model (VACM), to obtain authorization information for an
authenticated principal from RADIUS. The authorization information will
be limited to mapping the authenticated principal to existing access
control policies, defining session timeouts, and similar session
parameters. This mechanism will not provision the detailed access
control rules.
Additionally, new work will be undertaken to define TLS and DTLS-based
transports that can offer support for environments that prefer
certificate authentication. Certificate based authentication is
desirable for many environments with a centralized authentication
service. DTLS also provides datagram-based transmissions which may be
desired for environments where TCP performance suffers because of
network anomalies (e.g. high packet loss rates). A combination of TLS
and DTLS-based transports offers solutions that address both the need
for certificate-based authentication and for datagram-based delivery.
Operators will be able to choose the transport solution that best meets
their needs.
The current goal of the ISMS working group is two-fold: to develop a
method for allowing for access control decisions to be based on
information provided by an AAA provisioning service and to develop
TLS-based and DTLS-based Transport Models.
The new work must not modify any other aspects of SNMPv3 protocol as
defined in STD 62 (e.g., it must not create new PDU types).
The working group will cover the following work items:
- Specify a mechanism to support centralization of SNMPv3 Access
Control decisions by means of a RADIUS-provisioned
username-to-groupname dynamic mapping, that would provide a binding
between a user and preconfigured VACM policies via dynamic additions
to the securityToGroupname table. Additionally, specify a time limit
for access decisions, and such a time limit should be used to
garbage collect expired dynamic securityToGroup mappings.
- Specify TLS and DTLS transport models for SNMP.
Goals and Milestones:
Jul 2009 Publish initial documentation on the (D)TLS transports for SNMP
Jul 2009 Publish initial documentation for the centralized access control
Jan 2010 Submit documentation on the (D)TLS transports for SNMP to IESG
Jan 2010 Submit documentation for the centralized access control to IESG
---------------------------------------------------------------------
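Added illustration, not part of the charter or of any ISMS draft: a Python sketch of the dynamic securityToGroup mapping the work item above describes, where a RADIUS-provisioned username-to-groupname binding is accepted only for a preconfigured VACM group, carries a time limit, and is garbage collected once expired. The group names, the time limit expressed in seconds, and the injectable clock are assumptions made for this example.

```python
import time


class SecurityToGroupTable:
    """Lookup table keyed by (securityModel, securityName), as in VACM's
    securityToGroup table, extended with RADIUS-provisioned dynamic rows."""

    def __init__(self, preconfigured_groups, static_entries=None, clock=time.time):
        # Groups that already have VACM access policies on the device.
        self.preconfigured_groups = set(preconfigured_groups)
        # Operator-configured static rows: key -> groupName.
        self.static = dict(static_entries or {})
        # Dynamic rows: key -> (groupName, absolute expiry time in seconds).
        self.dynamic = {}
        self.clock = clock  # injectable clock; an assumption for this example

    def provision_from_radius(self, security_model, security_name,
                              group_name, time_limit_s):
        """Bind an authenticated principal to a preconfigured group. Only
        existing groups are accepted: no access control rules are created."""
        if group_name not in self.preconfigured_groups:
            raise ValueError(f"unknown VACM group from RADIUS: {group_name!r}")
        if time_limit_s <= 0:
            raise ValueError("time limit must be positive")
        key = (security_model, security_name)
        self.dynamic[key] = (group_name, self.clock() + time_limit_s)

    def lookup(self, security_model, security_name):
        """Return the groupName for the access decision, or None if unmapped.
        Static rows win; an expired dynamic row is dropped, never honoured."""
        key = (security_model, security_name)
        if key in self.static:
            return self.static[key]
        entry = self.dynamic.get(key)
        if entry is None:
            return None
        group_name, expires_at = entry
        if self.clock() >= expires_at:
            del self.dynamic[key]
            return None
        return group_name

    def garbage_collect(self):
        """Drop all expired dynamic rows; returns the number removed."""
        now = self.clock()
        expired = [k for k, (_, exp) in self.dynamic.items() if now >= exp]
        for k in expired:
            del self.dynamic[k]
        return len(expired)
```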