
[MIB-DOCTORS] FW: WG Review: Recharter of Integrated Security Model for SNMP (isms)


-----Original Message-----
From: iesg-bounces at ietf.org [mailto:iesg-bounces at ietf.org] On Behalf Of IESG Secretary
Sent: Friday, June 26, 2009 1:30 AM
To: new-work at ietf.org
Subject: WG Review: Recharter of Integrated Security Model for SNMP (isms)

A modified charter has been submitted for the Integrated Security Model
for SNMP  (isms) working group in the Security Area of the IETF.  The
IESG has not made any determination as yet.  The modified charter is
provided below for informational purposes only.  Please send your
comments to the IESG mailing list (iesg at ietf.org) by Thursday, July 2,
2009.

Integrated Security Model for SNMP (isms)
=========================================

Last Modified: 2009-06-18

Current Status: Active Working Group

Chair(s):
  Juergen Schoenwaelder <j.schoenwaelder at jacobs-university.de>

Security Area Director(s):
   Tim Polk <tim.polk at nist.gov>
   Pasi Eronen <pasi.eronen at nokia.com>

Security Area Advisor:
   Pasi Eronen <pasi.eronen at nokia.com>

Mailing Lists:
General Discussion: isms at ietf.org
To Subscribe: isms-request at ietf.org
In Body: (un)subscribe
Archive: http://www.ietf.org/mail-archive/working-groups/isms/current/maillist.html


Description of Working Group:

The Simple Network Management Protocol version 3 (SNMPv3) provides
message security services through the security subsystem. Previously, the
ISMS Working Group defined a Transport Subsystem definition, a new
Transport Security Model, a Secure Shell Transport Model, and a
method for authenticating SNMPv3 users via the Remote Authentication
Dial-In User Service (RADIUS). The initial body of work to be tackled by
the working group involved only these pieces. Additional work on other
transport models and other security extensions was to wait until the
initial transport architecture and defining documents were completed.

It is now possible to authenticate SNMPv3 messages via RADIUS when
those messages are sent over the newly defined SSH transport.
However, it still remains impossible to centrally authorize a given SNMP
transaction as on-device pre-existing authorization configuration is
still required. In order to leverage a centralized RADIUS service to its
full extent, the access control decision in the Access Control Subsystem
needs to be based on authorization information received from RADIUS as
well. The result will be an extension to obtain authorization
information for an authenticated principal from RADIUS.
The authorization information will be limited to mapping the
authenticated principal to existing named access control policies,
defining session timeouts, and similar session parameters. This
mechanism will not provision the detailed access control rules.

Additionally, new work will be undertaken to define TLS- and DTLS-based
transports that can offer support for environments that prefer
certificate authentication. Certificate-based authentication is
desirable for many environments with a centralized authentication
service. DTLS also provides datagram-based transmission, which may be
desired for environments where TCP performance suffers because of
network anomalies (e.g., high packet loss rates). A combination of TLS-
and DTLS-based transports offers solutions that address both the need
for certificate-based authentication and for datagram-based delivery.
Operators will be able to choose the transport solution that best meets
their needs.

The current goal of the ISMS working group is two-fold: to develop a
method for allowing access control decisions to be based on
information provided by an AAA provisioning service, and to develop
TLS-based and DTLS-based Transport Models.

The new work must not modify any other aspects of SNMPv3 protocol as
defined in STD 62 (e.g., it must not create new PDU types).

The working group will cover the following work items:

- Specify a mechanism to support centralization of SNMPv3 Access Control
decisions by means of a RADIUS-provisioned policy name bound to a
username, which the VACM extension will use to dynamically populate the
securityToGroupname table. Additionally, specify a time limit for access
decisions, and such a time limit should be used to garbage collect
expired dynamic securityToGroup mappings.

- Specify TLS and DTLS transport models for SNMP.

Goals and Milestones:

Jul 2009  Publish initial documentation on the (D)TLS transports for SNMP
Jul 2009  Publish initial documentation for the centralized access control
Jan 2010  Submit documentation on the (D)TLS transports for SNMP to IESG
Jan 2010  Submit documentation for the centralized access control to IESG