Re: [Isms] pre11 comments

To: "David Harrington" <ietfdbh at comcast.net>
Subject: Re: [Isms] pre11 comments
From: Wes Hardaker <wjhns1 at hardakers.net>
Date: Thu, 03 Jul 2008 21:41:21 -0700
Cc: isms at ietf.org
Delivered-to: ietfarch-isms-web-archive at core3.amsl.com
Delivered-to: isms at core3.amsl.com
Dkim-signature: v=0.5; a=rsa-sha1; c=relaxed; d=hardakers.net; h=received:from:to:cc:subject:organization:references:date:in-reply-to:message-id:user-agent:mime-version:content-type; q=dns/txt; s=wesmail; bh=WLPFq3+BnjOGmVUdJh6+1tr4Gdw=; b=ZVMB5w79EKvpl6LrBtvCx3QdHT0dxqd3BW7Mhgy1yQooqafELwj9XnuDuIuHt3ylxDoSw/t3sYjVLQIv4o8ttFsLQ0QdBvP7e7AMdCpnr66OQTj6SygYJSFR42f5s+kXOsXTJ8e0kpvK+zjcVh9yBeZt2WC0P0aPmIoHCAKQA1g=
In-reply-to: <024a01c8dd8a$50370eb0$51f780de@china.huawei.com> (David Harrington's message of "Fri, 4 Jul 2008 11:58:54 +0800")
List-archive: <http://www.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Organization: Sparta
References: <006401c8dc30$bac0af30$51f780de@china.huawei.com> <sd63rmy615.fsf@wes.hardakers.net> <4F599A473EF04ECD99F4C358B291245E@xpsuperdvd2> <sdskuqwoli.fsf@wes.hardakers.net> <00f401c8dd70$e2a997a0$6401a8c0@NEWTON603> <024601c8dd81$e7c02c70$51f780de@china.huawei.com> <sdmykyuzc8.fsf@wes.hardakers.net> <024a01c8dd8a$50370eb0$51f780de@china.huawei.com>
Sender: isms-bounces at ietf.org
User-agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.21 (linux, no MULE)

>>>>> On Fri, 4 Jul 2008 11:58:54 +0800, "David Harrington" <ietfdbh at comcast.net> said:

DH> I don't think VACM is designed to operate differently based on the
DH> security protocol.

But it is; that's my point...  And we're loosing that.  The security to
group table is indexed by the model and the name that the model provides:

  +--vacmSecurityToGroupTable(2)
     |
     +--vacmSecurityToGroupEntry(1)
        |  Index: vacmSecurityModel, vacmSecurityName
        |
        +-- ---- INTEGER   vacmSecurityModel(1)
        +-- ---- String    vacmSecurityName(2)
        +-- CR-- String    vacmGroupName(3)
        +-- CR-- EnumVal   vacmSecurityToGroupStorageType(4)
        +-- CR-- EnumVal   vacmSecurityToGroupStatus(5)

It provided the ability for "wes" in USM land to be different than "wes"
in KSM land.  Or the same; it was an operator decision.

Now with the ISMS based solution then all future transport protocols
operating as a TM underneath TSM will always have identical
securityNames mapped to the same group and there is no way to change
that.  "wes" in SSH will have to be equivalent to "wes" in TLS because
the model number will be constant for both (which will be the enum value
for TSM).

The WG needs to make a decision whether we care about this or not.  It
will mean that "wes" will be locked into the same group regardless of
whether the transport is SSH or any other future transport from now on
that is TM/TSM based, be it TLS, DTLS, or TELNET (yeah, I know...).
The point, though, is that there will be no separation from an access
right like we already have today with a different security model number
per security feature set.  Maybe we're willing to live with that; but I
personally think it's short sighted.

DH> In USM and SNMPv1 and SNMPv2c community-based security models, whether
DH> auth and priv are asserted is based on a binary decision

It has nothing to do with auth/priv decisions (well; it's related but it
wasn't part of the point I was trying to make).

DH> If an operator does not feel the underlying protocol really provides
DH> adequate authpriv support, then they should configure it to not be
DH> used with SNMP. I do not support TSM having a table to decide whether
DH> "auth" is "auth enough" or "priv" is "priv enough".

I think you're missing my point.  Again, I'm not at all making
suggestions that we map specific auth/priv algorithms into VACM
decisions.  We don't do that with the USM now and I'm not proposing we
add such a new feature.
-- 
Wes Hardaker
Sparta, Inc.
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms

Follow-Ups:
- Re: [Isms] pre11 comments
  - From: David B. Nelson
- Re: [Isms] pre11 comments
  - From: David Harrington

References:
- [Isms] pre11 comments
  - From: David Harrington
- Re: [Isms] pre11 comments
  - From: Wes Hardaker
- Re: [Isms] pre11 comments
  - From: David B. Nelson
- Re: [Isms] pre11 comments
  - From: Wes Hardaker
- Re: [Isms] pre11 comments
  - From: David B. Nelson
- Re: [Isms] pre11 comments
  - From: David Harrington
- Re: [Isms] pre11 comments
  - From: Wes Hardaker
- Re: [Isms] pre11 comments
  - From: David Harrington

Prev by Date: Re: [Isms] pre11 comments
Next by Date: Re: [Isms] pre11 comments
Previous by thread: Re: [Isms] pre11 comments
Next by thread: Re: [Isms] pre11 comments
Index(es):
- Date
- Thread

Re: [Isms] pre11 comments

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.