======================================================= Integrated Security Model for SNMP WG (isms) IETF #76, Hiroshima, Japan TUESDAY, November 10, 2008, 1520-1700, Room Acacia West Taken by Juergen Schoenwaelder, Glenn M. Keeni, Russ Mundy ======================================================= WG Chairs: Russ Mundy Juergen Schoenwaelder WG URL: http://tools.ietf.org/wg/isms/ Jabber: xmpp:isms@jabber.ietf.org AGENDA: 1) Agenda bashing, WG status (10 min) (Russ Mundy) - Blue sheets - Minute and note takers - Jabber scribe 2) DTLS / TLS Transport Model (40 min) (Wes Hardaker) 3) RADIUS / VACM Integration (40 min) (David Harrington / David Nelson) 4) Wrap up and review of action items (10 min) (Russ Mundy) WG RFCs: [1] Transport Subsystem for the Simple Network Management Protocol (SNMP) RFC 5590 [2] Transport Security Model for SNMP RFC 5591 [3] Secure Shell Transport Model for SNMP RFC 5592 [4] Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models RFC 5608 WG INTERNET DRAFTS: [5] Datagram Transport Layer Security Transport Model for SNMP RELATED INTERNET DRAFTS: [6] Extensions to View-based Access Control Model for use with RADIUS Summary: ISMS is working on two chartered documents. The first document on is a transport model for running SNMP over TLS and DTLS. A new revision of the document was posted and WG last call was started before the IETF meeting. All last comments received so far were discussed and resolved during the WG meeting. However, additional reviews are more than welcome. The second document describes how RADIUS can be used to provision security name to group name mappings in the VACM access control model. This document is progressing slowly and the chairs are working on finding an additional document editor so that the goal of delivering both documents in January 2010 to the IESG can be met. Actors: PE - Pasi Eronen WH - Wes Hardaker DH - David Harrington JH - Jeffrey Hutzelman JS - Juergen Schoenwaelder RM - Russ Mundy DN - David Nelson Slides: https://datatracker.ietf.org/meeting/76/materials.html Audio: ftp://videolab.uoregon.edu/pub/videolab/media/ietf76/ietf76-ch2-tue-afnoon2.mp3 Meeting Notes: * DTLS / TLS Transport Model (WH) #1: OtherName Mapping to SecurityName After discussing the issue, it was concluded to change the OtherName mapping by replacing it with an external mechanism that allows to have future standards provide a mapping (e.g. for Kerberos). WH to post a proposal to the mailing list. #2: X.509 Certificate Path Validation There was concensus that configuration of all information necessary for path validation is out of scope. Wes will add more text to clarify how an SNMP engine determines that a certificate belongs to the server. It is protocol specific what you expect to find in the certificate. One potential answer is that you look for the value of the corresponding transport address. It is desirable to not depend on DNS lookups. Since transport address are commonly IP addresses and not commonly used names in certificates, it might be necessary to introduce an additional column. The validation steps need to be defined, either directly or via a normative reference. WH to post a proposal to the mailing list. #3: Keep UDP Session Handling Multiplexing should be done based on endpoint information. The text will be shortened but the multiplexing property in general warrants documentation. #4: securityName case sensitivity The resolution is to use lowercase for IPv6 addresses, dNSName, and rfc8222name. #5: Port > || < 1024 We will ask for port numbers > 1024 to be assigned. #6: 3 TransportDomains/Addresses WH explains that we need three TDomain TCs. Following established SNMP practices, there are also three TAddress TCs, even though they are basically the same. #7: FingerPrint Crypto Value Comparison of certificate fingerprints is sufficient, i.e. we drop the requirement to compare the full fingerprints. #8: Drop (D)TLS ASIs? WH will remove the tlsRead and tlsWrite ASIs. #9: failure counter in notification This notification is created in particular by notification senders. DBH asks whether we do get to this level of detail in the SSH TM. Need to check that we are consistent with how our secure TMs peek into the work done by the security protocol. This needs further checks and then resolution on the mailing list. JS asked whether we can get into a loop where a notification fails and leads to a new notification? WH will draft text to make implementors aware of this possibility. #10: CreateAndGo vs Active WH prefers to keep createAndGo even though the RFC 34xx documents use active. Unless someone brings forward an argument on the mailing list for using active, WH will use createAndGo. #11: Dead-Peer Detection WH argues that dead peer detection is a DTLS problem to be solved by DTLS. PE says the document should spell out that implementation of DTLS heartbeats is recommended. Being silent about this issue is not an option. DH said that the syslog document did not reference the DTLS heartbeat document. DH and WH will check the syslog text and try to improve the current text. #12: Fate Sharing Not discussed due to a lack of time. Needs to go on the mailing list. * RADIUS / VACM Integration DH presented quickly the slides provided by DN. There are a number of open issues related to the MIB desing that need to be addressed. WH says that end users prefer tables related to each other in the OID space. It needs to be checked whether updates of the EoP in RFC 3414 are needed - so far assumption is that we do not need updates of the EoP. * Action Items - WH will post resolutions of issues as mentioned above - WH will produce a revised DTLS transport mapping document - JS and RM will find another editor to move the RADIUS document forward - Additional last call reviews are needed