=======================================================
Integrated Security Model for SNMP WG (isms)
IETF 68 Prague/Czech Republic
Thursday, March 22, 2007, 1510-1610
Taken by Juergen Schoenwaelder
=======================================================

Chairs:
  Juergen Schoenwaelder
  Juergen Quittek

Agenda:
  1) Agenda bashing, WG status
  2) Discussion of transport subsystem draft
  3) Discussion of transport security model draft
  4) Discussion of SSH transport model draft
  5) Discussion of RADIUS draft
  6) Review of ISMS milestones
  7) Non-WG drafts (TLS transport model / discovery)
  8) Wrap up

Documents:
  - Transport Subsystem for the Simple Network Management Protocol (SNMP)
  - Transport Security Model for SNMP
    draft-ietf-isms-transport-security-model-03.txt
  - Secure Shell Transport Model for SNMP
    draft-ietf-isms-secshell-05.txt
  - RADIUS Usage for SNMP SSH Security Model
  - RADIUS NAS-Management Authorization
  - Transport Layer Security (TLS) Transport Model for the Simple Network
    Management Protocol (SNMP)
  - SNMP EngineID Discovery

Actors:
  JS = Juergen Schoenwaelder
  DH = David Harrington
  SH = Sam Hartman
  BW = Bert Wijnen
  JH = Jeffrey Hutzelman
  JS = Joseph Salowey
  DN = David Nelson
  DR = Dan Romascanu
  ...

Summary:

The ISMS WG met on Thursday afternoon. ISMS has three WG documents:

1) The first document is an extension of the SNMPv3 architecture
   introducing a transport subsystem to allow the introduction of secure
   transports. This document went through the first WG last call and
   essentially all raised issues seem to be resolved and will be reflected
   in the next update.

2) The second document defines a transport security model for utilizing
   secure transports such as SSH. This document is still in WG last call;
   so far no critical issues have surfaced.

3) The third document defines how SSH can be used as a secure transport
   for SNMP. There is still work to be done on this document since the
   focus since the last IETF meeting was on the first two documents.
An individual submission discusses how RADIUS can be utilized for
authentication and authorization. While this submission addresses a
chartered work item (authentication), it was concluded that authorization
is not clearly in scope of the charter and should therefore be considered
as potential followup work after ISMS has completed the chartered work
items.

Milestones will be updated with the target to submit the documents to the
IESG in August 2007.

Discussion:

1. Agenda and WG Status

No changes to the agenda were made. However, the discussion of the three
existing WG drafts (agenda items 2-4) was done in a single agenda slot.
JS explained that the WG is behind some of the milestones and that this
needs to be discussed later on agenda item 6.

2. Discussion of existing WG drafts

DH led the discussion of the existing WG drafts. Dave went through the
resolution of the transport subsystem last call comments:

  #1: responses SHOULD go back over the same transport as there is
      architecturally no requirement for a MUST (concrete transport
      models should be in charge of defining a MUST as needed)
  #2: content of the cache is implementation specific, but clarify the
      difference between securityLevel in the cache and the ASIs
  #3: transport models do not know the difference between requests and
      notifications
  #4: remove suggestion to discard cached session info
  #5: nobody found details why informs do not work

BW tried to figure out where things do not work properly and posted a
message to the mailing list with his findings. The security model returns
a securityEngineID and the specs say that this is an authoritative
engineID. TSM makes the securityEngineID equal to the local engineID,
which is different from USM. The security people seem to be fine with
this. Steve Waldbusser seems to believe that the securityEngineID has
meaning outside the security model, but it is unclear where this is.
People, especially those familiar with the SNMP Research implementation,
should check if and where the authoritative securityEngineID is used
outside of USM and post to the mailing list. Otherwise, if we can't get a
clear description of the issue, we will declare that there is no issue
and move on.

  #6: remove text about double authentication

DH briefly reviewed the updates made for the other documents. No
questions were raised during the meeting.

3. Discussion of the RADIUS draft

DH's biggest concern is that the document is currently not in sync with
the other documents (introduction of transport models). DH explains that
SNMP separates authentication and authorization while RADIUS likes to
pass authorization information as part of the authentication response,
which causes a mismatch. There are different options:

  a) authorization of the ssh subsystem only (which is outside of SNMP
     access control)
  b) a backdoor approach to pass authorization information from an SSH
     transport model into VACM (requiring a de facto update to VACM)
  c) authorization via an authorize-only request (requiring a de facto
     update to VACM or a completely new access control model)

DN says that dynamic authorization is initiated by the (RADIUS) server.
Dynamic re-authorization requires user name and state.

DP proposed to map to a number of groups instead of a single group as
VACM does today. Note that this requires changes to VACM processing. DH
explains that policy mapping in the SNMP architecture happens in the ACM
and that the charter literally does not allow this.

DH and JH both suggested focusing on authentication at this point in time
and considering authorization work (namely security name to group name
mapping) as a potential recharter work item. After some discussion, there
seemed to be consensus in the room that this is a workable path forward
without requiring an interpretation of the charter. There clearly needs
to be more work on this document.
The WG chairs will work with the authors to get the document in sync with
the other ISMS documents and to get it restricted to the RADIUS support
currently within the ISMS charter, that is, discussion of securityName to
groupName mappings should be moved out of the document.

4. Review of ISMS milestones

Milestones will be updated to submit Transport Subsystem, Transport
Security Model, SSH Transport Model, and RADIUS authentication to the
IESG in August 2007. The initial version of a WG document specifying
RADIUS authentication will be done in May 2007.

5. Discussion of the DISCOVERY draft

JS presented the update of a document specifying a localEngineID that can
be used as a contextEngineID, which is needed since the TSM does not have
an engineID discovery procedure like USM. JS picked a new format value
following the rules defined in the SnmpEngineID textual convention, but
there is no formal IANA registry to allocate such format values. DR
suggested that the document should define such an IANA registry and then
allocate the format value.
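Editorial addition, not part of the minutes or of any ISMS draft: the
"rules defined in the SnmpEngineID textual convention" referred to in
item 5 are the length and format-octet rules of RFC 3411, and the decoder
below applies them to show where a new format value has to come from. It
parses both the RFC 1910 style (high bit clear, 12 octets) and the RFC
3411 style (high bit set, enterprise number plus a format octet), accepts
the five format values the TC assigns itself, labels 128-255 as
enterprise-specific, and labels 0 and 6-127 as reserved, which is the
range a localEngineID format value must be allocated from and hence the
reason a registry is needed (RFC 5343, which this draft became, later
allocated format 6). All sample values, including enterprise number 8072
and the addresses, are constructed for the example.

```python
"""Decode and validate an SnmpEngineID octet string against the length and
format rules of the SnmpEngineID textual convention in RFC 3411.

Constructed illustration added to these minutes; it is not code from any
ISMS draft or implementation discussed at the meeting.
"""
import ipaddress

# Format indicator values the TC itself assigns (octet 5 of an RFC 3411 style
# engine ID) and the required length of the data that follows (None = at most
# MAX_ADMIN_LEN octets). 0 and 6..127 are reserved; 128..255 are enterprise-specific.
TC_FORMATS = {
    1: ("IPv4 address", 4),
    2: ("IPv6 address", 16),
    3: ("MAC address", 6),
    4: ("text, administratively assigned", None),
    5: ("octets, administratively assigned", None),
}
MAX_ADMIN_LEN = 27


def decode_engine_id(engine_id: bytes) -> dict:
    """Return the parsed structure of engine_id; raise ValueError on a
    malformed value rather than guessing at its meaning."""
    n = len(engine_id)
    if not 5 <= n <= 32:
        raise ValueError(f"SnmpEngineID must be 5..32 octets, got {n}")

    if not engine_id[0] & 0x80:
        # High bit clear: RFC 1910 style value, exactly 12 octets:
        # a 4-octet enterprise number followed by 8 agent-defined octets.
        if n != 12:
            raise ValueError("RFC 1910 style SnmpEngineID must be 12 octets")
        return {
            "scheme": "rfc1910",
            "enterprise": int.from_bytes(engine_id[:4], "big"),
            "format": None,
            "status": "legacy",
            "value": engine_id[4:].hex(),
        }

    # High bit set: RFC 3411 style value. Enterprise number in the low 31 bits
    # of the first 4 octets, format indicator in octet 5, format data after it.
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    fmt = engine_id[4]
    data = engine_id[5:]
    result = {"scheme": "rfc3411", "enterprise": enterprise, "format": fmt}

    if fmt in TC_FORMATS:
        name, fixed_len = TC_FORMATS[fmt]
        if fixed_len is not None and len(data) != fixed_len:
            raise ValueError(f"format {fmt} ({name}) needs {fixed_len} data octets, got {len(data)}")
        if fixed_len is None and len(data) > MAX_ADMIN_LEN:
            raise ValueError(f"format {fmt} ({name}) allows at most {MAX_ADMIN_LEN} data octets")
        result["status"] = "assigned"
        result["format_name"] = name
        if fmt == 1:
            result["value"] = str(ipaddress.IPv4Address(data))
        elif fmt == 2:
            result["value"] = str(ipaddress.IPv6Address(data))
        elif fmt == 3:
            result["value"] = ":".join(f"{b:02x}" for b in data)
        elif fmt == 4:
            result["value"] = data.decode("ascii", errors="replace")
        else:
            result["value"] = data.hex()
    elif fmt >= 128:
        result["status"] = "enterprise-specific"
        result["value"] = data.hex()
    else:
        # 0 and 6..127 are "reserved, unused" in RFC 3411. A new format value
        # such as the discovery draft's localEngineID has to be taken from this
        # range, which is why a registry is needed to allocate it.
        result["status"] = "reserved"
        result["value"] = data.hex()
    return result


def is_valid_engine_id(engine_id: bytes) -> bool:
    """True if engine_id satisfies the TC's structural rules."""
    try:
        decode_engine_id(engine_id)
    except ValueError:
        return False
    return True


# Constructed sample values (enterprise 8072 and the addresses are made up
# for this example, not taken from the minutes).
SAMPLES = {
    "ipv4": bytes.fromhex("80001f8801c0a80001"),
    "mac": bytes.fromhex("80001f8803001122334455"),
    "text": bytes.fromhex("80001f8804") + b"router-1",
    "reserved-format-6": bytes.fromhex("8000000006"),
    "enterprise-specific": bytes.fromhex("80001f8880dead"),
    "rfc1910": bytes.fromhex("00001f880102030405060708"),
    "truncated-ipv4": bytes.fromhex("80001f8801c0a800"),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        if is_valid_engine_id(value):
            print(f"{label:22} {value.hex():30} {decode_engine_id(value)}")
        else:
            print(f"{label:22} {value.hex():30} INVALID")
```

The decoder rejects malformed values instead of interpreting them, since an
engine ID is used as a key-localization and authoritative-engine
identifier elsewhere in SNMPv3 and a manager should not act on one whose
structure does not match what the format octet claims.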