Re: [Isms] pre11 comments

Hi Wes,

I don't think VACM is designed to operate differently based on the
security protocol. It is designed to operate differently based on the
asserted securityLevel. Depending on the assertion made by the
security model rather than an assessment of the presumed strength of
the underlying security protocol was a deliberate decision of the
SNMPv3 WG.

In USM and SNMPv1 and SNMPv2c community-based security models, whether
auth and priv are asserted is based on a binary decision (an auth and
priv protocol have been specified or not), not the degree of trust in
the underlying security protocol. (RFC 3413 section 3.1, items 2) and 3);
RFC 3584 section 5.2.1)

In TSM, we accept the assertion made by the transport model. SSHTM
makes its assertion based on "we have specified that the operator MUST
configure for authpriv and to do otherwise is not compliant with this
specification." It is up to the operator to ensure it is compliant.

If an operator does not feel the underlying protocol really provides
adequate authpriv support, then they should configure it to not be
used with SNMP. I do not support TSM having a table to decide whether
"auth" is "auth enough" or "priv" is "priv enough".

dbh

> -----Original Message-----
> From: Wes Hardaker [mailto:wjhns1 at hardakers.net] 
> Sent: Friday, July 04, 2008 11:02 AM
> To: David Harrington
> Cc: 'David B. Nelson'; isms at ietf.org
> Subject: Re: [Isms] pre11 comments
> 
> >>>>> On Fri, 4 Jul 2008 10:58:45 +0800, "David Harrington" 
> <ietfdbh at comcast.net> said:
> 
> DH> I think the case Wes is concerned with happens 1% of the time, and
> DH> with thoughtful configuration can be reduced to 0.00763% of the time
> DH> (OK, I'll settle for 80/20).
> 
> Then why was the VACM designed to operate differently based on the
> security protocol?  Was that over-done and it should have been a simple
> vc/v3 enum instead?
> 
> -- 
> Wes Hardaker
> Sparta, Inc.
> 
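The access-control behaviour described in the message above, modelled in Python: VACM compares the securityLevel that the security model asserts against the minimum recorded in the access table; USM asserts that level on the purely binary basis of whether an auth and a priv protocol are configured for the user; TSM takes whatever level the transport model asserts. This is an added illustration, not code from the ISMS working group, the SNMPv3 RFCs or any SNMP implementation. The `Vacm` class, `AccessEntry`, the constructed sample users and groups, and the simplified precedence rule are assumptions; the USM protocol names are RFC 3414 identifiers used here only as opaque labels. The point the model makes visible is the one in the thread: a user configured with weaker protocols gets exactly the same securityLevel as one with stronger ones, so any "is this auth enough" judgement has to be made in the operator's configuration, not in VACM or TSM.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3411 defines three securityLevel values with a total order.
LEVEL_RANK = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


def usm_security_level(auth_protocol: Optional[str],
                       priv_protocol: Optional[str]) -> str:
    """USM-style assertion: the level depends only on whether an auth and a
    priv protocol are configured (a binary decision), never on how strong
    those protocols are presumed to be."""
    if auth_protocol is None:
        # Modelling assumption: RFC 3414 does not permit privacy without
        # authentication, so a priv protocol alone is treated as no security.
        return "noAuthNoPriv"
    if priv_protocol is None:
        return "authNoPriv"
    return "authPriv"


def tsm_security_level(transport_asserted_level: str) -> str:
    """TSM-style assertion: accept the transport model's claim as-is
    (SSHTM, for example, asserts authPriv by specification)."""
    if transport_asserted_level not in LEVEL_RANK:
        raise ValueError(f"unknown securityLevel {transport_asserted_level!r}")
    return transport_asserted_level


@dataclass(frozen=True)
class AccessEntry:
    """One row of a simplified vacmAccessTable (assumed field set)."""
    group: str
    security_model: str      # "USM", "TSM", "SNMPv2c", or "any"
    min_level: str           # vacmAccessSecurityLevel: minimum level required
    read_view: Optional[str]
    write_view: Optional[str]


class Vacm:
    """Simplified model of the RFC 3415 isAccessAllowed decision."""

    def __init__(self, security_to_group: Dict[Tuple[str, str], str],
                 access_table: List[AccessEntry]):
        self.security_to_group = security_to_group   # (model, name) -> group
        self.access_table = access_table

    def is_access_allowed(self, security_model: str, security_name: str,
                          security_level: str, view_type: str) -> Tuple[bool, str]:
        """Return (allowed, view-or-reason). Only the asserted securityLevel is
        compared with the table's minimum; there is no notion of protocol strength."""
        group = self.security_to_group.get((security_model, security_name))
        if group is None:
            return False, "noGroupName"
        asserted = LEVEL_RANK[security_level]
        candidates = [e for e in self.access_table
                      if e.group == group
                      and e.security_model in (security_model, "any")
                      and LEVEL_RANK[e.min_level] <= asserted]
        if not candidates:
            return False, "noAccessEntry"
        # Precedence (simplified from RFC 3415 section 3.2): an exact
        # securityModel match beats "any", then the highest minimum level wins.
        best = max(candidates,
                   key=lambda e: (e.security_model != "any", LEVEL_RANK[e.min_level]))
        view = best.read_view if view_type == "read" else best.write_view
        if view is None:
            return False, "noSuchView"
        return True, view


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed configuration: one group, full access only at authPriv."""
    vacm = Vacm(
        security_to_group={("USM", "ops"): "operators",
                           ("USM", "legacy"): "operators",
                           ("TSM", "ops@ssh"): "operators"},
        access_table=[
            AccessEntry("operators", "any", "authPriv", "fullView", "fullView"),
            AccessEntry("operators", "any", "authNoPriv", "statusView", None),
        ])
    return {
        # MD5 and DES are configured, so USM asserts authPriv: the presumed
        # weakness of the algorithms plays no part in the decision.
        "usm_md5_des": vacm.is_access_allowed(
            "USM", "ops",
            usm_security_level("usmHMACMD5AuthProtocol", "usmDESPrivProtocol"),
            "write"),
        "usm_auth_only": vacm.is_access_allowed(
            "USM", "legacy",
            usm_security_level("usmHMACSHAAuthProtocol", None), "write"),
        "usm_no_auth": vacm.is_access_allowed(
            "USM", "legacy", usm_security_level(None, None), "read"),
        "tsm_over_ssh": vacm.is_access_allowed(
            "TSM", "ops@ssh", tsm_security_level("authPriv"), "write"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

Running the block prints one line per constructed case: the MD5/DES user and the SSH-transported TSM user both reach `fullView`, the auth-only user is refused write access (`noSuchView`), and the unauthenticated user matches no entry at all. To refuse the MD5/DES user, an operator would change that user's configuration (or the access table), which is the configuration-side control the message argues for.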

_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.