
Re: Review of Management Authorization -00 document



Framed-Management-Protocol

1      SNMP
2      HTTP
3      FTP
4      CP

OK.  What I'm proposing in the -01 version is:

1      SNMP
2      Web-based
3      NETCONF
4      FTP
5      TFTP
6      CP

What does Web-based mean?  Is it something other than HTTP?

I don't think we want to be specifying the "real" transport layer, e.g. TCP,
UDP, SCTP, etc.  What we need to specify there is the "secure transport"
(which doesn't exactly fit into the classical ISO 7-layer model), e.g. SSH,
TLS, etc.

What I'm proposing for the -01 version is:

1      Default
2      SSH
3      TLS
4      DTLS
5      BEEP
6      SOAP

What does default mean?  Insecure transport (e.g. TCP/UDP)?
Does SNMP over Default mean SNMP over UDP or TCP?

With respect to TLS/DTLS, what mode is intended?  Mutual auth with certs?
Server-only auth?  TLS-PSK?

What does it mean if multiple Management-Policy-Id attributes are
included?
How are the policies merged?  If this is implementation-specific, isn't
the result undefined?

Proposed text for the -01 version:

<t>
No precedence relationship is defined for multiple occurrences of the
Management-Policy-Id attribute.  NAS behavior in such cases is not
predictable.  Therefore, two or more occurrences of this attribute SHOULD
NOT be included in a single service provisioning message, such as
Access-Accept or CoA.
</t>
<t>
The content of the Management-Policy-Id attribute is expected to be the name
of a management access policy of local significance to the NAS, within a
flat namespace of significance to the NAS.  Overloading or subdividing this
flat name with multi-part specifiers (e.g. Access=remote, Level=7) is likely
to lead to poor multi-vendor interoperability and SHOULD NOT be utilized.
If a simple flat policy name is not sufficient to the anticipated use case,
it is RECOMMENDED that a Vendor Specific Attribute be used instead, rather
than overloading the semantics of Management-Policy-Id.
</t>

This looks OK.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
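As an added illustration (not code from the draft, from the -01 proposal, or from anyone on the list), the following Python shows what a NAS would have to do with the three attributes discussed in the message: decode Framed-Management-Protocol and Management-Transport-Protection against the -01 enumerations quoted above, and apply the proposed Management-Policy-Id text so that two or more occurrences are not merged but refused, a multi-part name is reported rather than interpreted, and a transport of "Default" is surfaced because it does not say which secure transport is required. The RADIUS attribute type codes (240, 241, 242) are placeholders I assumed because the message does not give them; the two Access-Accept attribute payloads are constructed, not captured traffic.

```python
"""NAS-side consumption of the proposed management-authorization attributes.

Added example for illustration only; not code from the draft or the list
discussion.  Type codes are ASSUMED placeholders (the message gives none);
the enumerations are the -01 proposals quoted in the message.
"""
import struct
from collections import Counter

# ASSUMED placeholder attribute type codes; not from the draft.
FRAMED_MANAGEMENT_PROTOCOL = 240
MANAGEMENT_TRANSPORT_PROTECTION = 241
MANAGEMENT_POLICY_ID = 242

# Enumerations as proposed for the -01 draft in the message above.
FRAMED_PROTO = {1: "SNMP", 2: "Web-based", 3: "NETCONF", 4: "FTP", 5: "TFTP", 6: "CP"}
TRANSPORT = {1: "Default", 2: "SSH", 3: "TLS", 4: "DTLS", 5: "BEEP", 6: "SOAP"}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value.
    Integers go out as 4 octets in network order, strings as raw UTF-8."""
    out = bytearray()
    for t, v in attrs:
        value = struct.pack("!I", v) if isinstance(v, int) else v.encode("utf-8")
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes((t, 2 + len(value))) + value
    return bytes(out)


def decode_attrs(buf):
    """Parse TLVs; refuse truncated, overlong or empty attributes rather than guess."""
    attrs, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        t, length = buf[i], buf[i + 1]
        if length < 3 or i + length > len(buf):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        attrs.append((t, bytes(buf[i + 2:i + length])))
        i += length
    return attrs


def _enum(value, table):
    """Map a 4-octet integer attribute onto its enumeration name, or None."""
    if len(value) != 4:
        return None
    return table.get(struct.unpack("!I", value)[0])


def evaluate(buf):
    """Work out what management access an Access-Accept actually conveys.

    Follows the proposed -01 text: with more than one Management-Policy-Id
    there is no precedence, so none is honoured; a policy name carrying
    multi-part specifiers (e.g. Access=remote) is reported, not interpreted.
    A transport of Default is surfaced because it does not say which secure
    transport, if any, is required."""
    attrs = decode_attrs(buf)
    counts = Counter(t for t, _ in attrs)
    result = {"protocol": None, "transport": None, "policy": None, "warnings": []}
    for t, v in attrs:
        if t == FRAMED_MANAGEMENT_PROTOCOL:
            result["protocol"] = _enum(v, FRAMED_PROTO)
        elif t == MANAGEMENT_TRANSPORT_PROTECTION:
            result["transport"] = _enum(v, TRANSPORT)
        elif t == MANAGEMENT_POLICY_ID and counts[t] == 1:
            name = v.decode("utf-8", "replace")
            if "=" in name or "," in name:
                result["warnings"].append("multi-part policy name not interpreted: " + name)
            else:
                result["policy"] = name
    if counts[MANAGEMENT_POLICY_ID] > 1:
        result["warnings"].append(
            "%d Management-Policy-Id attributes: precedence undefined, none applied"
            % counts[MANAGEMENT_POLICY_ID])
    if result["transport"] == "Default":
        result["warnings"].append("transport Default: no secure transport specified")
    # Permit a session only when both the protocol and the transport decode
    # to a known enumeration value; unknown values are not silently accepted.
    result["permit"] = result["protocol"] is not None and result["transport"] is not None
    return result


# Constructed sample attribute payloads (not captured traffic).
GOOD = encode_attrs([(FRAMED_MANAGEMENT_PROTOCOL, 3),            # NETCONF
                     (MANAGEMENT_TRANSPORT_PROTECTION, 2),       # SSH
                     (MANAGEMENT_POLICY_ID, "netops-ro")])
AMBIGUOUS = encode_attrs([(FRAMED_MANAGEMENT_PROTOCOL, 1),       # SNMP
                          (MANAGEMENT_TRANSPORT_PROTECTION, 1),  # Default
                          (MANAGEMENT_POLICY_ID, "ro"),
                          (MANAGEMENT_POLICY_ID, "Access=remote,Level=7")])

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("ambiguous", AMBIGUOUS)):
        print(label, evaluate(pkt))
```

The second sample is the case the proposed text is aimed at: rather than picking one of the two policy names (which is exactly the implementation-specific merge the review objects to), the NAS applies neither and records why, while still decoding the protocol and transport it was given.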