[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MIB-DOCTORS] [OPS-DIR] FW: Recharter: ISMS

To: "'David B Harrington'" <dbharrington at comcast.net>, "'Romascanu, Dan $Dan$'" <dromasca at avaya.com>, <ops-dir at ietf.org>, <aaa-doctors at ietf.org>, <mib-doctors at ietf.org>
Subject: Re: [MIB-DOCTORS] [OPS-DIR] FW: Recharter: ISMS
From: "Dave Nelson" <d.b.nelson at comcast.net>
Date: Wed, 10 Jun 2009 08:03:50 -0400
Cc: 'Pasi Eronen' <pasi.eronen at nokia.com>
Delivered-to: mib-doctors at core3.amsl.com
In-reply-to: <01dd01c9e989$de473610$0600a8c0 at china.huawei.com>
List-archive: <http://www.ietf.org/mail-archive/web/mib-doctors>
List-help: <mailto:mib-doctors-request@ietf.org?subject=help>
List-id: MIB Doctors list <mib-doctors.ietf.org>
List-post: <mailto:mib-doctors@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/mib-doctors>, <mailto:mib-doctors-request@ietf.org?subject=unsubscribe>
References: <EDC652A26FB23C4EB6384A4584434A04017900B5 at 307622ANEX5.global.avaya.com> <019a01c9e93b$3bfcdf20$0600a8c0 at china.huawei.com> <2DFEB3A3F37D43C9B5337339B9535DF0 at NEWTON603> <01dd01c9e989$de473610$0600a8c0 at china.huawei.com>
Thread-index: Acno15ngbywwnJ8UQ7+4FDVMH9D+vgATmAWwAAMMVZAAEWu0gAAELMrgAA4CjOA=

David B Harrington writes...

> The simplest way to approach this problem is to have the
> RADIUS authorization attributes simply there in the background.

OK.  This was supposed to be a chartering discussion, but it's turning into
an architecture and design discussion.  Maybe going down that path for a
moment will help resolve the charter text issue. I'm not sure.

So, how do systems typically use RADIUS?  Well, you have a device to which
network connections can be made, that is sessions established and service
provided.  There is some gatekeeper function that moderates access.  That
gatekeeper function can call the RADIUS client module and ask the "Mother,
may I?" question on behalf of the user identity associated with the
connection attempt.  RADIUS comes back with a "Yes" or a "No" and perhaps
some modifiers or limitations.  The result of that consultation with RADIUS
does indeed exist in the background.  The gatekeeper function typically
keeps it as part of some session state.  Or maybe not.  It depends on what's
needed.

The key point here is that the gatekeeper function calls the RADIUS client
function to ask an access control question.  The RADIUS client, after
talking to the RADIUS server, provided an answer.  Typically this happens
only once at the point of session establishment.  For scalability and
efficiency reasons, it can't happen for every discrete operation.

All of that comports with the notion that the RADIUS attributes exist in the
background.  What is not accounted for is that doesn't happen by magic.
Something has to call on RADIUS to request that information, and if that
something isn't the Access Control Model, what is it?

> My concern is maintaining the modularity that was deliberately created
> by the SNMPv3 WG to allow modular extensibility. This is all about
> separating who knows what. RADIUS knows about authorization
> attributes, not about VACM.

The RADIUS client does not know about VACM.  VACM is simply a module (yes I
mean that, a piece of code) that calls the RADIUS client's API.  The RADIUS
client (asynchronously) calls back with the results of the authentication /
authorization request.  The RADIUS client doesn't know what VACM (the VACM
extension) is going to do with this the information.  As a matter of
practicality, the VACM extension will probably dynamically update one of its
MIB modules with the information obtained from RADIUS.  That information
will exist for the duration of the "session".  Probably the hardest thing
about this work will be for the VACM extension to figure out when the
"session" is over and when to flush the temporary information from its MIB
module.  We've encountered this issue already.

> When the charter says that RADIUS provides VACM username-to-groupname
> dynamic provisioning, that is wrong. RADIUS provides a policy name.

Pedantically, you're correct.  The RADIUS client provides the VACM extension
with a policy name that's bound to a username and the VACM extension uses
that information to populate the MIB table.

Follow-Ups:
- Re: [MIB-DOCTORS] [OPS-DIR] FW: Recharter: ISMS
  - From: David B Harrington

References:
- [MIB-DOCTORS] FW: Recharter: ISMS
  - From: Romascanu, Dan (Dan)
- Re: [MIB-DOCTORS] FW: Recharter: ISMS
  - From: David B Harrington
- Re: [MIB-DOCTORS] [OPS-DIR] FW: Recharter: ISMS
  - From: Dave Nelson
- Re: [MIB-DOCTORS] [OPS-DIR] FW: Recharter: ISMS
  - From: David B Harrington

Prev by Date: Re: [MIB-DOCTORS] [OPS-DIR] FW: Recharter: ISMS
Next by Date: Re: [MIB-DOCTORS] [OPS-DIR] FW: Recharter: ISMS
Previous by thread: Re: [MIB-DOCTORS] [OPS-DIR] FW: Recharter: ISMS
Next by thread: Re: [MIB-DOCTORS] [OPS-DIR] FW: Recharter: ISMS
Index(es):
- Date
- Thread