[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IESG review DISCUSS on draft-ietf-radext-management-authorization-06.txt

To: <d.b.nelson@comcast.net>
Subject: RE: IESG review DISCUSS on draft-ietf-radext-management-authorization-06.txt
From: <Pasi.Eronen@nokia.com>
Date: Thu, 16 Apr 2009 21:56:28 +0200
Accept-language: en-US
Acceptlanguage: en-US
Cc: <iesg@ietf.org>, <radiusext@ops.ietf.org>
In-reply-to: <3498692FECE04F18828999C2C9EC3768@NEWTON603>
References: <3498692FECE04F18828999C2C9EC3768@NEWTON603>

Dave Nelson wrote:

> > The document recommends using Management-Privilege-Level only for
> > Service-Type 7 (not 6). However, when the NAS receives, for example,
> > an SSH connection, does it know whether the user is asking for full
> > privilege access, or less privileged management access?  If it does
> > not know, what should it do?
> 
> The NAS is not expected to know what level of access the user is
> "asking for", other than perhaps that an SSH sub-system is involved.
> That's purely a matter of implementation detail, BTW, and is not
> being standardized.
>
> The RADIUS server is expected to provision the appropriate level of
> access for the user, based on the user's authorization profile
> stored in the server's database (or otherwise obtained by the
> server). The server may use optional (recommended) hint attributes
> in the Access-Request message that identify the NAS in question and
> the type of interface used, e.g. a virtual terminal connection, in
> conjunction with the user's authorization profile, in making its
> access rights decision.
> 
> After discussion on the RADEXT mailing list and at IETF-74, it does
> not appear that any change to the draft is required.

The situation for Access-Accept (the important part) is clear, and 
I guess for the hints in Access-Request, we can leave it
implementation-specific... (like many other parts in RADIUS :-)

> > Another question: should the document recommend something about
> > Management-Privilege-Level values? For example, should bigger numbers
> > mean "more access" or "less access"? (The actual levels are of course
> > implementation dependent, but if vendors use opposite conventions, it
> > seems that would create unnecessary confusion.)
> 
> There is no one convention used by all vendors, and in fact many
> implementations allow the mapping of the integer access level to
> specific access rights to be configured on the NAS by the user.
> 
> After discussion on the RADEXT mailing list and at IETF-74, the
> recommendation is to clarify this issue by adding the following text to
> Section 5.4 of the draft:
> 
>      The mapping of integer values for this attribute to specific
>      collections of management access rights or permissions on the NAS
>      is vendor and implementation specific.  Such mapping is often a
>      user configurable feature.  It's RECOMMENDED that greater numeric
>      values imply greater privilege.  However, it would be a mistake
>      to assume that this recommendation always holds.

Looks good!

> > It seems that a NAS implementing e.g. NETCONF, FTP or web-based
> > management would often include the IP address (and perhaps port
> > number) where connection came from in the Access-Request message.
> > Should the document give some guidance on NAS-Port-ID (or perhaps
> > Calling-Station-ID) attributes?  (It seems having at least a mild
> > recommendation about the attribute and formatting would be useful,
> > instead of every vendor doing things differently.)
> 
> Discussion on this issue on the RADEXT mailing list and at IETF-74
> yielded the following observations.  These attributes are not
> required for use in management access by RFC 2865 and RFC 2869, and
> the authors don't think we want this draft to update those RFCs.
> The variation in the format of the NAS-Port and Calling-Station-Id
> attributes among different implementations has been an issue for a
> long time.  It's probably an interesting topic for a separate work
> item, but likely doesn't belong in this draft.  It does not appear
> that any change to the draft is required.

Could you provide pointers to the RADEXT mailing list discussions?  
I couldn't find anything in the archive, and the IETF74 minutes don't
mention anything either.

To the degree the source IP/port is just for human consumption
(e.g. troubleshooting or forensics), it's probably OK to leave the
contents implementation-specific. 

But if they're used for something else, to me it seems that this draft
would be the right place to make some recommendations (not necessarily
requirements that would update 2865/2869) for the management 
protocols listed here. (Not for any other use of RADIUS, of course.)

Best regards,
Pasi

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- RE: IESG review DISCUSS on draft-ietf-radext-management-authorization-06.txt
  - From: "Dave Nelson" <d.b.nelson@comcast.net>

References:
- IESG review DISCUSS on draft-ietf-radext-management-authorization-06.txt
  - From: "Dave Nelson" <d.b.nelson@comcast.net>

Prev by Date: IESG review COMMENT on draft-ietf-radext-management-authorization-06.txt
Next by Date: RE: IESG review DISCUSS on draft-ietf-radext-management-authorization-06.txt
Previous by thread: IESG review DISCUSS on draft-ietf-radext-management-authorization-06.txt
Next by thread: RE: IESG review DISCUSS on draft-ietf-radext-management-authorization-06.txt
Index(es):
- Date
- Thread