
RE: Review of Management Authorization -00 document



> OK.  You might say "HTTP/HTML" or something like that.

If that's more clear, then sure.  I thought web-based management was pretty
clear, though.

> I thought you need to specify what "default" means for each
> Framed-Management entry.

Oh.  That could easily be done, for ease of reference, although it is
normatively defined in other documents.

> Is it possible to specify SNMP over TCP?  TCP is not on the list of
> transports.

No.  The enumerated values of the Management-Transport-Protocol attribute
are intended to describe the _secure_ transport (e.g. TLS), that sits on top
of the transport (e.g. TCP).  Why would it be valuable to be able to specify
the transport?

Should we have a better name for things like SSH and TLS than "secure
transport"?  Does that cause confusion with "classic" transports?

> Personally, I prefer that they not be.  But without specifying exactly
> what is meant, it's not clear what "TLS" means.  For example, you might
> say "TLS with server-side authentication".

One might say that.  Is it important to know how the TLS session keys were
derived or just that a TLS session is being used to protect the management
protocol?

I see this as supporting a high-level policy that system administrators use
protected methods of managing the NAS, as opposed to unprotected methods.

Do we need to go deeper than that?



