[09:17:35] --- ietfdbh has become available
[09:28:04] --- ietfdbh has left
[09:41:49] --- stpeter has become available
[09:42:04] --- stpeter has left
[18:54:12] --- mike has become available
[18:55:44] --- mike has left
[19:05:44] --- kenh has become available
[19:10:34] --- hartmans has become available
[19:10:50] <hartmans> Good evening, Ken
[19:11:29] <kenh> hiya, Sam.
[19:17:46] <hartmans> Had dinner with Joe.
[19:18:05] <hartmans> he explained that. I'm actually even more uncomfortable with the radius use on the client.
[19:20:33] <kenh> I know the "original" RADIUS was rather lousy in terms of security, I don't know what the new EAP-ified RADIUS is like.
[19:21:26] --- hartmans has left: Replaced by new connection
[19:21:34] --- hartmans has become available
[19:21:48] <hartmans> Mostly the same.
[19:22:06] --- dbh has become available
[19:22:08] <hartmans> The radius interactions in eusm sound a lot like implementing Kerberos badly
[19:23:57] <kenh> I'm not sure I follow .... you mean, it would interact badly with Kerberos, or it's as bad as when people implemented Kerberos badly?
[19:24:28] <dbh> Hi, is the ISMS session in Salon G? The audio isn't present yet.
[19:24:34] <hartmans> I mean it is a trusted third party authentication system that sucks more than Kerberos
[19:24:47] <hartmans> Yes.
[19:24:59] <kenh> Oh, heh, yeah.
[19:25:08] <kenh> Hey, I'm hearing some audio now.
[19:25:19] <dbh> yes I can hear it as well
[19:25:30] <hartmans> Walked over to mic.
[19:26:27] --- dinakar has become available
[19:26:43] <dbh> It sounds like there is only one mike and it is off in a remote corner. Are the mikes turned on?
[19:27:24] <hartmans> No, there is a mic for presenters and for questions.
[19:27:34] <hartmans> I'll make sure we use good mic discipline
[19:27:55] <hartmans> Does anyone here need a jabber scribe
[19:28:03] --- mike has become available
[19:28:11] <hartmans> Or is everyone listening to audio?
[19:28:15] <kenh> I can hear the audio, so I don't need a scribe.
[19:28:22] <dbh> We don't need a jabber scribe, but somebody to relay questions and responses.
[19:28:37] --- dinakar has left
[19:28:49] <hartmans> I'll do that. If the net fails I'll pull up my cell phone connection
[19:29:01] <dbh> The audio, assuming it is being properly recorded, can serve as the basis of the minutes.
[19:31:26] --- dinakar has become available
[19:31:59] <kenh> Speaker name?
[19:32:03] --- dinakar has left
[19:32:21] <hartmans> I don't know.
[19:32:33] <hartmans> isms Elliot Lear
[19:32:33] --- weshardaker has become available
[19:32:35] <dbh> ask the speaker to identify himself, please?
[19:32:39] <weshardaker> will do
[19:35:24] <hartmans> Training people is hard.
[19:37:13] <dbh> can you ask the speakers to speak into the mike more? They're a bit hard to hear.
[19:39:45] <hartmans> Sure.
[19:40:19] <kenh> I heard Wes fine before, FWIW.
[19:40:24] <dbh> much better. Actually Wes was ok.
[19:41:27] --- hartmans has left
[19:41:38] --- hartmans has become available
[19:47:31] --- mike has left: Disconnected
[19:49:29] <kenh> Can we use EAP even when using RADIUS, or is that outside of the applicability statement?
[19:50:00] --- weshardaker has left
[19:50:10] <hartmans> I'm not sure. I'll review it more than other things.
[19:50:31] <kenh> (I can see a way of using RADIUS without involving the client, and that shouldn't involve EAP)
[19:57:48] <hartmans> Sure. I certainly hope we can find a way to use radius
[19:58:48] <kenh> I lost some of the audio for a bit, but that seems to be a problem with my end.
[19:59:03] <kenh> (I think I can make up the context FWIW)
[19:59:55] <dbh> who is speaking?
[20:02:50] <dbh> I don't think it would be a good approach to design something with an EAP-like "magic happens here". We need concrete proposals that will be implementable in the near future or SNMPv3 will simply die.
[20:03:30] <kenh> Definitely agree.
[20:05:51] <dbh> I think we should try to be similar to netconf if possible. We should have a security model that maps to an application-layer protocol rather than a transport-layer protocol.
[20:06:06] <dbh> BTW, dbh is Dave Harrington, one of the TLSM authors.
[20:07:15] <kenh> That would force the use of TCP as a transport using what we have today ...
[20:07:27] <kenh> (if people are willing to accept that, then that's fine of course)
[20:07:47] <dbh> I think moving to TCP would be a good idea.
[20:10:43] --- weshardaker has become available
[20:10:48] <weshardaker> test
[20:11:15] <dbh> Hi Wes
[20:11:17] <kenh> I hear ya, wes.
[20:12:08] <weshardaker> tanx
[20:12:21] <weshardaker> waps keep rebooting here... whee...
[20:13:51] <dbh> I think TCP should be supported for monitoring and management, but it should be supplemented with UDP for troubleshooting purposes.
[20:14:58] <dbh> VACM is a MIB that can be configured using SNMP once you have an authenticated and confidential message capability.
[20:16:28] <kenh> I'm not sure any of the proposed security models would let you send only one "kiss of life" packet (they all seem to involve a few round trips or communication with another server).
[20:17:12] <hartmans> Yeah, arbitrary credentials implies multi-round-trip
[20:18:03] <dbh> I think VACM is somewhat broken in that it doesn't map to other approaches to management authorization. VACM is data-oriented, while CLI authz is function/task-oriented.
[20:20:01] <dbh> The user-to-group mapping maps a user to a "named policy", and any authentication security model should be able to map to an access control policy.
[20:20:02] <weshardaker> many of the proposals allow
[20:20:07] <weshardaker> whoops.
[20:20:37] <weshardaker> vacm merely authorizes snmp, which itself is not a function/task protocol. It's not VACMs fault.
[20:24:16] <dbh> I think the three proposals represent three different architectures, and we need to pick one architecture. Another eval will not make progress until we pick an architecture.
[20:29:48] <kenh> About RADIUS/EUSM ... EUSM specified that "client talking to RADIUS" mode very well, but it didn't specify nearly as well the other method (EAP/TLS).
[20:30:07] <kenh> (e.g, it said things like, "You could use a protocol like PANA")
[20:33:48] <dbh> I concur with Eliot that CLI auth/auth frequently uses RADIUS, even though RADIUS is designed to be a network access protocol, not a management authorization protocol. We should try to utilize an approach that is similar to what is used for the CLI.
[20:38:58] <dbh> Who cares about clean procedurally? We need to choose a direction of which architecture to follow.
[20:39:55] <dbh> To a large degree, it is six of one, half dozen of the other. Let's stop dithering and make a decision. If that decision fails, we can go back and try a different approach.
[20:41:54] <hartmans> dbh - Fine if you can pull it off.
[20:53:23] <weshardaker> sam: "can be once a document is approved"
[20:53:51] <dbh> I suggest that single sign-on is fairly important to many operators - they deliberately want to use the same credentials for network access as for application authorization. Microsoft's .NET architecture is working toward this strongly. The CLI approach follows this approach. SNMP is just another application in which the user-authentication should be tied to network access authentication, and that should be able to be tied to application-specific authorization.
[20:55:39] <dbh> hummm to proposal #2 - choose an architecture
[20:55:41] <weshardaker> architecture consensus
[20:58:40] <dbh> I don't agree there is only one architecture; TLSM seems very different than EUSM or SBSM.
[21:00:20] --- hartmans has left: Disconnected
[21:01:59] <dbh> help! who is talking away from the mike and what points are they making?
[21:14:06] <dbh> Can you please ask speakers to use the mike so remoters can hear?
[21:14:42] <weshardaker> we're in chaos
[21:14:56] <dbh> I can hear that !
[21:15:13] <weshardaker> charter will be architectural discussion, architecture draft and recharter in paris.
[21:15:14] <kenh> I wonder how much delay there is from the audio.
[21:15:27] <dbh> It seems to be fairly close.
[21:15:34] <kenh> (I saw the message from Wes at the same time he was talking)
[21:15:42] --- hartmans has become available
[21:16:19] <dbh> who's talking?
[21:16:40] <kenh> lakshimah(sp?)
[21:17:01] <hartmans> Sorry, the net was sucktastic for a while
[21:22:23] <dbh> Is negotiable session lifetime something that exists in current infrastructure?
[21:23:21] <hartmans> GSS and some SASL mechanisms have it. ssh, tls basically don't.
[21:23:29] <hartmans> Not sure about EAP. IPsec does
[21:23:47] <dbh> thanks
[21:24:19] <hartmans> I'd sort of like GSS to mostly lose it.
[21:31:06] <dbh> do we have consensus on which beach? ;-)
[21:38:21] <weshardaker> tech difficulties
[21:46:29] <dbh> test
[21:52:37] <dbh> bye
[21:52:46] --- dbh has left
[21:54:15] <kenh> later
[21:54:17] --- kenh has left: Disconnected
[21:55:01] --- weshardaker has left
[21:55:29] --- hartmans has left: Disconnected