
Re: survey of isp security practices



Hi -

> From: "George Jones" <eludom@gmail.com>
> To: "Randy Presuhn" <randy_presuhn@mindspring.com>
> Cc: <opsec@ops.ietf.org>
> Sent: Wednesday, November 17, 2004 10:14 AM
> Subject: Re: survey of isp security practices


> On Sun, 14 Nov 2004 18:54:58 -0800, Randy Presuhn
> <randy_presuhn@mindspring.com> wrote:
...
> > In this, or the updated structure, any discussion of authentication
> > and authorization would be incomplete if it didn't address user,
> > access control list, and key management.
>
> The scope here is core network device capabilities.
> I would submit that, given protocols such as RADIUS (Diameter, TACACS),
> user management is largely an external issue (it happens on the
> RADIUS server, etc).

If this is true, then the ISMS WG (in the security area) won't be
necessary.  In order to avoid wasting resources, I think it would
be very helpful for this document to document how operators
currently integrate user management and authentication via RADIUS
and related protocols, and how that can be integrated with VACM and USM.

> The important bit is that the device needs to
> be able to talk to the [radius] server, be sure which server it's talking
> to, and be able to get authentication and authorization data (per command...your
> "access control lists ?") from the server.

This is a radically different approach from that taken by VACM with SNMPv3.
Could you give a pointer to where this kind of access control model for SNMP
has been specified?  (The SNMPv3 architecture admits the possibility of
access control models other than VACM.  This is the first time I've heard
of someone actually defining one.)

Randy