[15:15:06] --- sharonchisholm has joined
[15:15:30] * sharonchisholm has changed the subject to: isms
[15:16:52] <sharonchisholm> Starting
[15:17:04] <sharonchisholm> I seem to be talking to myself at the moment
[15:17:21] --- marz has joined
[15:17:21] --- marz has left: Lost connection
[15:17:24] <sharonchisholm> Status
[15:17:28] <sharonchisholm> ISMS Milestones
[15:17:53] <sharonchisholm> One document not a working group document yet (Radius).
[15:17:59] <sharonchisholm> Need to discuss that today
[15:18:27] --- kurosaki has joined
[15:18:34] --- j.schoenwaelder@jabber.eecs.iu-bremen.de has joined
[15:18:39] <sharonchisholm> Looking for volunteer to do a certain document, contact your nearest Juergen
[15:18:47] <sharonchisholm> Agenda bashing
[15:19:19] <sharonchisholm> Who's read the first draft?
[15:19:26] <sharonchisholm> 6 people
[15:19:33] <sharonchisholm> the ssh?
[15:19:35] <sharonchisholm> 5
[15:19:40] <sharonchisholm> or 4
[15:19:57] <sharonchisholm> the radius document?
[15:20:03] <sharonchisholm> 0
[15:20:32] <sharonchisholm> Dave Harrington is up ....
[15:20:38] <sharonchisholm> <with his 10000 slides>
[15:21:06] --- hartmans has joined
[15:21:12] <sharonchisholm> <showing a picture with small font>
[15:21:27] <sharonchisholm> Has not yet received a lot of feedback on the document yet
[15:21:31] <sharonchisholm> no list of issues yet
[15:21:43] <sharonchisholm> Wants feedback ... thinks the design of the document is a bit confusing
[15:21:59] <sharonchisholm> part of the security model is in the transport mapping and some is in the security mapping
[15:22:21] <sharonchisholm> In the last rev ... moved transport specific stuff into the transport section, so the other stuff doesn't know about the transport
[15:22:33] --- bert has joined
[15:22:37] <sharonchisholm> went through elements of procedure ... really about session security ... not specific to ssh
[15:22:46] <sharonchisholm> would like to change to be session with a ssh mapping
[15:22:54] <sharonchisholm> If he does this he can kill some acronyms
[15:23:13] <sharonchisholm> it would be ssh mapping and session security model
[15:23:31] <sharonchisholm> modify architecture of 3511
[15:23:54] <sharonchisholm> Three things sitting up top (udp, tcp, ssh)
[15:24:12] <sharonchisholm> modify ("transport subsystem slide")
[15:24:19] <sharonchisholm> Put a block around those things
[15:24:27] <sharonchisholm> thinks it would be cleaner
[15:24:32] <sharonchisholm> doesn't want to re-open up 3511.
[15:24:39] <sharonchisholm> It just adds two ASIs
[15:24:58] <sharonchisholm> Sam - are you planning on adding the ASIs
[15:25:07] <sharonchisholm> Large text change and small architecture changes
[15:25:24] <sharonchisholm> That's his one slide!!!!!
[15:25:46] <sharonchisholm> hum time ... can he make this change to the document
[15:25:55] <sharonchisholm> <good hum>
[15:25:55] <sharonchisholm> against
[15:25:56] <sharonchisholm> none
[15:26:02] <sharonchisholm> ------------
[15:26:11] <sharonchisholm> Juergen S.
[15:26:29] <sharonchisholm> How to send notifications from agents .....
[15:26:44] <sharonchisholm> Notification Authentication, session establishment and call home
[15:26:55] <sharonchisholm> Technical contributor hat on
[15:27:29] <sharonchisholm> Wants to talk about this problem from the beginning
[15:27:40] <sharonchisholm> involves more than just isms
[15:27:44] --- rstory has joined
[15:28:06] <sharonchisholm> <looking at picture>
[15:28:43] <sharonchisholm> agent on left; manager on right
[15:28:48] <sharonchisholm> netconf is similar
[15:29:39] <sharonchisholm> <authentications between acm to data and the nm application, but stuff like protocols and transport running underneath>
[15:29:54] <sharonchisholm> SNMP has ASIs which return true or false
[15:30:47] <sharonchisholm> Some information to be passed to the ASI comes from the request. Some other information comes from either the protocol or the transport
[15:30:53] <sharonchisholm> Sam - still on the agent?
[15:31:10] <sharonchisholm> Sam - I'm not sure you agree with the statement
[15:31:46] <sharonchisholm> Sam - it seemed you need to configure a lot of this information when you subscribe to notifications. So I'm not sure this is where the information comes from
[15:31:56] <sharonchisholm> Juergen - I'm saying it comes from the engine somewhere
[15:31:57] <sharonchisholm> Sam - sure
[15:32:22] <sharonchisholm> ssh client - server authentication
[15:32:49] <sharonchisholm> on server side, you know who is talking to you
[15:33:02] <sharonchisholm> if you put this all together ... ssh as transport
[15:33:27] <sharonchisholm> manager does read request ... can open up the session as client ... run authentication and the server knows which user identity you have and you know which box you are talking to
[15:33:46] <sharonchisholm> access control system now checks whether this user is allowed to receive the data that he has requested
[15:33:57] <sharonchisholm> in the notification case, I think we want to achieve the same thing
[15:34:17] <sharonchisholm> IF it goes out of the box, you only want it out if the information in the notification can be sent to the receiver
[15:34:22] --- marz has joined
[15:34:37] <sharonchisholm> If you have an established channel, then you know which user has authenticated
[15:35:08] <sharonchisholm> If existing ssh connection, you are in good shape. Sending notifications on a connection that was established by a command generator is just fine
[15:35:16] <sharonchisholm> (observation #1)
[15:36:01] <sharonchisholm> Robert - when you configure notifications to send, generally it is sent to an ip, not a specific user. What if you have multiple users on it,
[15:36:14] <sharonchisholm> Juergen - have a session where the specific user has already authenticated
[15:36:27] <sharonchisholm> all - in SNMPv3 you configure the user
[15:37:21] <sharonchisholm> Wes - you may have multiple sessions up. In notification and target MIBs, you point to end destination, there is user, but there is also a host. Points to the host. You might have multiple sessions open to that host. need to figure out how to use these MIBs to pick the right one
[15:37:40] --- miaofy has joined
[15:38:29] <sharonchisholm> Sam - this is making an assumption which may well be true, but needs to be clearly stated and understood. there may well be multiple people ... aligning SNMP model and SSH model ... multiple people can log into ssh server .... multiple people as root for example. What you are saying here is that anyone who logs in as root
[15:38:41] <sharonchisholm> from a particular IP address is a valid case to send notifications to
[15:39:20] <sharonchisholm> Sam - are you willing to treat all the people who could log in as root as identical. This is analogous to saying send a message to Bob then anyone logged in as Bob is fine
[15:39:30] <sharonchisholm> Sam - this is how "write" works, but it is not how SNMP works
[15:39:42] <sharonchisholm> Sam - so decide if this is true and Ok, then document
[15:40:20] <sharonchisholm> Margaret - assumes that the user is the target of the notification. Sometimes it is the log file. If things are sent to one system and then after a while to another. Then this isn't good.
[15:41:07] <sharonchisholm> Bert - i think that this would be ok. as long as we document it as Sam said, we give the user the ability to be more prescriptive ... we use the same user for read/write which perhaps was not the best idea, could we create new users for notifications?
[15:41:14] <sharonchisholm> Wes - i think this will all work out
[15:41:18] <sharonchisholm> <laughter>
[15:42:08] <sharonchisholm> Wes - we can get the access allowed function. We have not worked out the configuration yet. I can see the mappings in my head. Not going to try to describe them. Margaret saying need to get to the right user on the right host is valid. Let's just not solve it here
[15:42:32] <sharonchisholm> Dave H - In order to send a notification .. 5 things to be identified. That will identify the session
[15:42:36] <sharonchisholm> Dave H - <stuff>
[15:42:51] <sharonchisholm> Dave - security model, security level, <other stuff>
[15:43:08] <sharonchisholm> Dave H - whether the user you have is the one that is being authenticated.
[15:43:27] <sharonchisholm> Dave H - <when the session does not exist>
[15:43:34] <sharonchisholm> Juergen - I have not got there yet
[15:43:40] <sharonchisholm> If we didn't have a session
[15:43:45] <sharonchisholm> If there isn't one, create it
[15:43:57] <sharonchisholm> The agent becomes an SSH client and talks to the management system
[15:44:08] <sharonchisholm> You just reverse what you authenticate
[15:44:29] <sharonchisholm> agent authenticates itself to the management system. So need credentials on the agent
[15:44:39] <sharonchisholm> the management system needs to talk to someone to verify
[15:44:42] --- julien.bournelle has joined
[15:44:58] <sharonchisholm> On the agent side .. host identification of management system
[15:45:45] <sharonchisholm> Wes - but, yes. the isAccessAllowed needs to go on the right hand side regardless. There are two identities in an SSH connection. Cannot use the left hand side to decide whether to send the notification.
[15:46:30] <sharonchisholm> Wes - there are two scenarios. Can use the host identity on the agent side to open the connection. The host key as identity to open an SSH connection to the server ... This is not the identity that should be used to access the isAccessAllowed
[15:46:54] <sharonchisholm> Someone - can I suggest we let Juergen finish his talk
[15:46:57] <sharonchisholm> Wes - sure
[15:47:17] <sharonchisholm> Juergen is concerned that you need to do credentials on the agent.
[15:47:22] --- mike has joined
[15:47:35] <sharonchisholm> different behaviour depending on whether or not the session is intact or not
[15:47:43] <sharonchisholm> Would like to live in a simple world
[15:47:58] <sharonchisholm> always have the same stuff authenticated on the same sides
[15:48:15] <sharonchisholm> Need to make sure the SSH session is just there when you send the notification
[15:48:24] <sharonchisholm> If it isn't there, make sure it is connected
[15:48:35] <sharonchisholm> On the netconf list this was discussed.
[15:48:42] <sharonchisholm> The proposal there was to do something simple
[15:49:15] --- jhutz has joined
[15:49:16] <sharonchisholm> listening TCP point, when you need to send ... file descriptors ... get the session established
[15:49:28] <jhutz> I'm going to follow my own advice and not get up yet to explain why that's bad.
[15:49:43] <sharonchisholm> <this must be from the mailing list since it isn't in a formal proposal to my knowledge>
[15:50:30] <sharonchisholm> Chris - recommend that they don't use informs in SNMPv3 for this very reason. if we don't do something like what you are proposing we will be in the same situation. I like this idea
[15:50:38] <sharonchisholm> Robert - two questions/issues
[15:51:04] <sharonchisholm> Robert - when the agent connects to the socket to signal it wants to send a notification, how does the management application know what credentials to send
[15:51:21] <sharonchisholm> Juergen - the only thing unclear is the user identity to use
[15:51:49] <sharonchisholm> Robert - if it is just listening on the tcp socket. the connection is open ...
[15:51:50] <jhutz> Not so. In SSH, the client knows a priori what host it wants to connect to.
[15:52:13] <sharonchisholm> Robert - multiple users on the management station. One per user .... needs to know which socket to hit
[15:52:21] <jhutz> It _knows_, and that's how it knows if the credentials the host provides are acceptable.
[15:52:48] <sharonchisholm> Robert - looks like you are saying that the user is the same one on both sides. That would mean that you have both the private and public keys of the user
[15:52:57] <sharonchisholm> Juergen - not in this proposal. I'm trying to avoid that
[15:53:26] <sharonchisholm> Wes - have you discussed this with the ssh folks what the DOS possibilities are against the management application
[15:53:33] <sharonchisholm> Someone - that is the least of the problems with this approach
[15:53:45] <sharonchisholm> Wes - I thought this was frowned upon
[15:55:15] <sharonchisholm> Jeff - The issue with opening a TCP connection and saying 'hi' SSH me ... 1) what credentials to use ... can gloss and say that the management station only has one 2) the way ssh works, when an SSH client goes to establish a connection, it knows the host it wants to talk to ... and that is how it can successfully carry out the authentication. Can't do it in reverse, because you don't know what host to talk to and if you actually want to talk to it.
[15:55:43] <sharonchisholm> Jeff - some methods do require that you know the host name ... not because you were told, but because you actually want to
[15:55:54] <sharonchisholm> Jeff - ip address is not good enough
[15:56:02] <sharonchisholm> Sam - ip address also have NAT issues
[15:56:19] <sharonchisholm> Jeff - if behind NAT, it might get a different address each time
[15:56:24] <sharonchisholm> Jeff - am I making sense
[15:56:34] <sharonchisholm> Juergen - I trust you as an SSH expert
[15:56:40] <sharonchisholm> Jeff - i'd rather make sense
[15:56:50] --- Willi has joined
[15:57:11] <sharonchisholm> Other Juergen - I understood your point and let's move this to the mailing list
[15:57:26] <sharonchisholm> Sam - I wonder if this issue might benefit from a teleconference call
[15:57:35] <sharonchisholm> Other Juergen - good idea
[15:57:47] --- Willi has left
[15:58:06] <sharonchisholm> -----
[15:58:12] <sharonchisholm> Dave N
[15:58:22] <sharonchisholm> Radius Integration
[15:58:26] <sharonchisholm> Issue number 4
[15:58:43] <sharonchisholm> Sorry, back to the beginning
[15:59:25] <sharonchisholm> Issue 1 - should document be tied to SSH or generalized
[16:00:06] <sharonchisholm> Opinions
[16:00:48] <sharonchisholm> Jeff - think it depends on the answer to issue 4. Some of this stuff .... things that will affect fine grain access control will apply to all transports and to all security models where coarse may not be. It could be specific to the underlying thing
[16:01:23] <sharonchisholm> Bert - do you have any idea how much more complexity that would add. If it is easy then do it, if not, then not in favour
[16:01:27] <sharonchisholm> Dave H - not sure
[16:01:43] <sharonchisholm> Juergen - propose defer questions until the end
[16:01:47] <sharonchisholm> Issue 2
[16:02:01] <sharonchisholm> Issue 3
[16:02:10] --- julien.bournelle has left
[16:02:38] <sharonchisholm> definition of authorization
[16:02:45] <sharonchisholm> Issue 4
[16:03:46] <sharonchisholm> in which SNMP subsystem does authorization occur (slides say SNMP model)
[16:03:53] <sharonchisholm> Issue 5
[16:04:23] <sharonchisholm> Issue 6
[16:05:29] <sharonchisholm> this was originally requested by the kerberose guys
[16:06:01] <sharonchisholm> Jeff - as Kerberose chair I don't consider authorization coming from somewhere other than kerberose to be a change to architecture
[16:06:23] <sharonchisholm> Person - this is not new. people separate authentication and authorization all the time
[16:06:27] <sharonchisholm> -----
[16:07:15] <sharonchisholm> Juergen Q - originally wanted to ask people if they wanted to adopt Dave H's stuff, but since no one has read it, I'd rather not add that now
[16:07:17] <sharonchisholm> ---------------------------
[16:07:23] <sharonchisholm> Dave H
[16:07:39] <sharonchisholm> <architecture picture with title Radius for SSH>
[16:07:55] <jhutz> (nit: No 'e' at the end of 'Kerberos')
[16:08:25] <sharonchisholm> <oops sorry>
[16:08:58] <sharonchisholm> SSH should be outside the SNMP engine, but that is where it currently is shown in the picture
[16:09:05] <sharonchisholm> the other use for radius is for access control
[16:09:13] <sharonchisholm> that happens 'down here'
[16:10:10] <sharonchisholm> fill in user to group table
[16:10:19] <sharonchisholm> that gives you the snmp authorization
[16:10:26] <sharonchisholm> they are independent
[16:10:44] <sharonchisholm> at the point we get to access control the user has already been authenticated
[16:11:11] <sharonchisholm> there is a proposal to get 'what he can do' from radius
[16:11:24] <sharonchisholm> two proposals.
[16:11:38] <sharonchisholm> one to do it for the snmp MIB access and the other is to open things up in the first place
[16:12:00] <sharonchisholm> Bert - not really asking what he is allowed to do, he will be added to a group depending on what you get back from radius <something> VACM
[16:12:23] <sharonchisholm> Bert - were you planning more than just adding to a group, or something more? With info on what the group can access?
[16:12:36] <sharonchisholm> Dave H - when I worked at En., they have policy based access.
[16:13:17] <sharonchisholm> Dave H - that is more or less what we are talking about here. In our experience there were a small number of groups used. You generally don't do fine grain groups 'engineering' 'hr'
[16:13:45] <sharonchisholm> Dave H - being able to pre-configure these policies on the systems makes it easier. Then do the user to group thing dynamically. This is easier
[16:13:55] <sharonchisholm> <Blue sheet interlude>
[16:14:02] --- hartmans has left
[16:14:03] <sharonchisholm> We are done
[16:14:16] <sharonchisholm> Take stuff to the mailing list and read the drafts
[16:14:22] --- j.schoenwaelder@jabber.eecs.iu-bremen.de has left: Logged out
[16:14:29] --- kurosaki has left
[16:14:29] --- sharonchisholm has left
[16:16:07] --- miaofy has left
[16:17:03] --- mike has left
[16:21:29] --- bert has left
[16:25:26] --- jhutz has left
[16:30:12] --- rstory has left
[16:38:27] --- marz has left: Disconnected.
[17:15:08] --- LOGGING STARTED