=======================================================
Integrated Security Model for SNMP WG (isms)
IETF 73 Minneapolis
Monday, November 17, 2008, 1300-1500
Taken by Juergen Schoenwaelder, Juergen Quittek
=======================================================

Chair: Juergen Schoenwaelder
Meeting Chair: Bert Wijnen

Agenda:

1) Agenda bashing, WG status ( 5 min) (Bert Wijnen)
   - Blue sheets
   - Minute and note takers
   - Jabber scribe
2) Last call comment resolution (40 min) (David Harrington, David Nelson)
   - Transport Subsystem for SNMP [1]
   - Transport Security Model for SNMP [2]
   - Secure Shell Transport Model for SNMP [3]
   - RADIUS Usage for SNMP SSH Security Model [4]
3) Discussion of related drafts (10 min) (Wes Hardaker)
4) Wrap up and review of action items ( 5 min) (Bert Wijnen)

WG Documents:

[1] Transport Subsystem for the Simple Network Management Protocol (SNMP)
[2] Transport Security Model for SNMP
[3] Secure Shell Transport Model for SNMP
[4] Remote Authentication Dial-In User Service (RADIUS) Usage for Simple
    Network Management Protocol (SNMP) Transport Models

Related Documents:

[5] Datagram Transport Layer Security Transport Model for SNMP
[6] Simplified View-based Access Control Model (SVACM) for the Simple
    Network Management Protocol (SNMP)
[7] Remote Authentication Dial-In User Service (RADIUS) Authorization for
    Network Access Server (NAS) Management

Actors:

- Bert Wijnen (BW)
- Juergen Quittek (JQ)
- David Nelson (DN)
- David Harrington (DH)
- Jeff Hutzelman (JH)
- Dan Romascanu (DR)
- Wes Hardaker (WH)
- Juergen Schoenwaelder (JS)
- Dave Shield (DS)

Summary:

The ISMS WG has four WG documents: the Transport Subsystem for SNMP [1],
the Transport Security Model for SNMP [2], the Secure Shell Transport
Model for SNMP [3], and the Remote Authentication Dial-In User Service
(RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport
Models [4]. All four documents are in WG last call until November 23rd.

The WG last call comments received so far are mainly editorial, and for
most of them the editor understands the edits. For one issue, the
document editor will come up with a proposal for the resolution on the
WG list. Additional reviews of the WG documents in last call have been
requested by the chair.

A DTLS transport mapping for SNMP, which is not part of the current ISMS
charter, has been presented. The DTLS transport mapping author confirmed
that the WG documents establish a suitable framework for defining
additional secure transport models in the future, and the room showed
some interest in a DTLS transport for SNMP.

The meeting was attended by approximately 20 people.

Discussions:

1. Agenda and WG Status (BW)

- BW presents the ISMS status slides
- no changes to the agenda

2. Last Call Discussion (DH)

- DH presents the slides detailing the changes since IETF 72

Q: What if tmSameSecurity is set but there is no LCD entry? The
   problematic section is 5.2 steps 3 & 4 of the SSH document. (DS)

   There was agreement that the message should be discarded. This is
   what the transport subsystem document already says, but it needs to
   be clarified in the elements of procedure of the SSH transport
   mapping document.

Q: Another issue is related to the exposure of session information
   outside of the SNMP engine. (DS)

   DH will come up with a proposal for how to resolve the issue.

- BW polls for additional reviewers

3. Last Call Discussion (DN)

- Very minor, mostly editorial changes to the RADIUS usage document
  since the last revision posted in October
- No last call comments received so far on the RADIUS usage document
- BW and DN poll for additional reviewers

4. SVACM: Simplified VACM (DH)

- SVACM is a simplified view-based access control model trying to reduce
  complexity and implementation costs (e.g. just one context, just one
  security model)
- Three people in the room seem to have read the document
- Authors could not present due to travel restrictions from China and
  the time it takes to obtain visas etc.
- Some concerns were raised by JH and DR that work on access control
  models might be out of scope of ISMS and that any new work on access
  control models might require a proper IETF-wide BoF

5. SNMP over DTLS (WH)

- WH presents his SNMP over DTLS slides. SNMP over DTLS is not a WG work
  item according to the current WG charter.
- Three people in the room seem to have read the document.

Q: Are certificates used somewhere else for login authentication? I
   suspect that the name mapping problem is not specific to SNMP and
   that other WGs must have dealt with this before. (DN)

   JH reports that there are a few cases where X.509 certificates are
   used for user authentication. Some discussion started about the usage
   of particular fields of X.509 certificates for identifying
   identities, in particular concerning subjectAltName. JH stated that
   other WGs have not solved this problem; they usually leave the
   details wide open and ultimately let the application decide. (JH)

Q: Have there been any issues with the transport mapping specs that
   caused trouble in writing the DTLS transport? If not, this is a good
   sign that we got things right. (JS)

   WH did not find any major issues; this is a good sign that we got
   things right. WH also has some implementation experience with the
   core documents and believes they are fine to implement.

C: We might have an issue with the length restriction of security names
   (32 octets) in the longer run; if we do future work, we might have to
   look into this. (DH)

- About 10 people in the room showed interest in a DTLS transport model

6. Wrap Up and Action Points (BW)

- all to review the WG documents and tell the WG mailing list
- DH will present to the WG a solution for the raised technical issue
- DH will apply the editorial changes received so far
- DN will address any issues if they come up during last call
- JS to decide what the next steps are concerning the SVACM document
- JS to decide what the next steps are concerning DTLS-TM
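Added illustration of the two technical points recorded above, not code from the minutes or from any ISMS draft: a fail-closed session lookup modelling the agreed resolution under item 2 (a message with tmSameSecurity set but no matching LCD entry is discarded rather than sent on a fresh session), together with the 32-octet securityName limit raised under item 5. The Session/TmStateReference/Lcd classes and the select_session and security_name_ok functions are this example's own simplified shapes, not the data structures defined in the drafts.

```python
from dataclasses import dataclass
from typing import Optional

MAX_SECURITY_NAME_OCTETS = 32  # securityName length limit noted under item 5

@dataclass(frozen=True)
class Session:                # simplified stand-in for an LCD session entry
    tm_session_id: str
    tm_security_name: str
    tm_security_level: str    # e.g. "authPriv"

@dataclass(frozen=True)
class TmStateReference:       # simplified stand-in for a tmStateReference
    tm_session_id: Optional[str]
    tm_same_security: bool
    tm_security_name: str
    tm_security_level: str

class Lcd:
    """Toy local configuration datastore: open sessions keyed by session id."""
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}
    def add(self, s: Session) -> None:
        self._sessions[s.tm_session_id] = s
    def by_id(self, sid: Optional[str]) -> Optional[Session]:
        return self._sessions.get(sid) if sid is not None else None
    def by_security(self, name: str, level: str) -> Optional[Session]:
        for s in self._sessions.values():
            if s.tm_security_name == name and s.tm_security_level == level:
                return s
        return None

def security_name_ok(name: str) -> bool:
    """Reject empty names and names longer than 32 octets (UTF-8 encoded)."""
    return 0 < len(name.encode("utf-8")) <= MAX_SECURITY_NAME_OCTETS

def select_session(ref: TmStateReference, lcd: Lcd):
    """Return ('send', session), ('open', None) or ('discard', reason)."""
    if not security_name_ok(ref.tm_security_name):
        return ("discard", "securityName empty or exceeds 32 octets")
    if ref.tm_same_security:
        s = lcd.by_id(ref.tm_session_id)
        if s is None:   # agreed behaviour: discard, never fall back to a new session
            return ("discard", "tmSameSecurity set but no LCD entry")
        if (s.tm_security_name, s.tm_security_level) != (ref.tm_security_name, ref.tm_security_level):
            return ("discard", "tmSameSecurity set but session security differs")
        return ("send", s)
    s = lcd.by_security(ref.tm_security_name, ref.tm_security_level)
    return ("send", s) if s is not None else ("open", None)
```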