[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Editorial review of draft-ietf-radext-management-authorization-03.txt

To: <radiusext@ops.ietf.org>
Subject: RE: Editorial review of draft-ietf-radext-management-authorization-03.txt
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
Date: Mon, 7 Jul 2008 14:30:14 -0400
Cc: "'Bernard Aboba'" <aboba@internaut.com>
In-reply-to: <Pine.LNX.4.64.0806240643400.18704@internaut.com>
Organization: Elbrys Networks, Inc.
References: <Pine.LNX.4.64.0806240643400.18704@internaut.com>

Bernard Aboba writes...
 
> Abstract
> 
>    This document describes Remote Authentication Dial-In User Service
>    (RADIUS) attributes for the authorization and service provisioning of
>    Network Access Servers (NASes).  Both local and remote management are
>    supported, with granular access rights and management privileges.
>    Specific provisions are made for remote management via framed
>    management protocols, and for specification of a protected transport
>    protocol.
> 
> [BA] This document is about NAS management authorization, not
> authorization of NASes.  Suggest the following:
> 
>    This document specifies Remote Authentication Dial-In User Service
>    (RADIUS) attributes for Network Access Server (NAS) management.
>    Both local and remote management are
>    supported, with granular access rights and management privileges.
>    Specific provisions are made for remote management via framed
>    management protocols, which may run over a secure transport
>    protocol.

Yeah, something went awry in the editing.  How about:

  This document specifies Remote Authentication Dial-In User Service
  (RADIUS) attributes for authorizing management access to a Network 
  Access Server (NAS).  Both local and remote management are supported,
  with granular access rights and management privileges.  Specific
  provisions are made for remote management via framed management
  protocols, which may run over a secure transport protocol.
 
> 2. Introduction and Rationale
> 
> [BA] How about combining Sections 2, part of 3 and 6 into a Section 1 that
> reads as follows?  The Terminology section can then be Section 1.1.
> 
> 1. Introduction
> 
>    RFC 2865 [RFC 2865] defines the NAS-Prompt and Administrative values of
>    the Service-Type Attribute.   Both of these values provide access to
>    the interactive, text-based Command Line Interface (CLI) of the NAS,
>    and were originally developed to control access to the physical
>    console port of the NAS, most often a serial port.
> 
>    Remote access to the CLI of the NAS has been available in NAS
>    implementations for many years, using protocols such as Telnet,
>    Rlogin and the remote terminal service of SSH.  In order to distinguish
>    local, physical, console access from remote access, the NAS-Port-Type
>    Attribute is generally included in Access-Request and Access-Accept
>    messages, along with the Service-Type Attribute, to indicate the form
>    of access.  A NAS-Port-Type of Async (0) is used to signify a local
>    serial port connection, while a value of Virtual (5) is used to
>    signify a remote connection, via a remote terminal protocol.  This
>    usage provides no selectivity among the various available remote
>    terminal protocols (e.g.  Telnet, Rlogin, SSH, etc.).

OK with me.

>    Today, it is common for network devices to support more than two
>    privilege levels for management access than just NAS-Prompt
>    (non-privileged) and Administrative (privileged).  Also, other
>    management mechanisms may be used, such as Web-based management,
>    Simple Network Management Protocol (SNMP) and NETCONF.
>    To provide support for these additional features, this specification
>    defines attributes for framed management protocols, management protocol
>    security, and management access privilege levels.

Looks OK to me, with minor grammatical tweaking.  How about:

  Today, it is common for network devices to support more than the two
  privilege levels for management access provided by NAS-Prompt
  (non-privileged) and Administrative (privileged).

>    Remote management via the command line is carried over protocols
>    such as Telnet, Rlogin and the remote terminal service of SSH.  Since
>    these protocols are primarily for the delivery of terminal or
>    pseudo-TTY services,  the term "Framed Management" is used to describe
>    management protocols supporting techniques other than the command-line.
>    Typically these mechanisms format management information in a binary or
>    textual encoding such as HTML, XML or ASN.1/BER.  Examples include
>    web-based management (HTML over HTTP or HTTPS), NETCONF (XML over
>    SSH/BEEP/SOAP) and SNMP (SMI over ASN.1/BER).  Command line
>    interface, menu interface or other text-based (e.g. ASCII or UTF-8)
>    terminal emulation services are not considered to be Framed Management
>    protocols.

OK with me.

> [BA] How about combining part of Section 3, as well as 4, 5 and 6 into
> a Section 2 that reads as follows?
> 
> 2. Overview
> 
>    To support the authorization and provisioning of Framed Management
>    access to managed entities, this document introduces a new value for
>    the Service-Type Attribute [RFC2865], and one new attribute.  The new
>    value for the Service-Type Attribute is Framed-Management, used for
>    remote device management via a Framed Management Protocol.  The new
>    attribute is Framed-Management-Protocol, the value of which specifies a
>    particular protocol for use in the remote management session.
> 
>    Two new attributes are introduced in this document in support of
>    granular management access rights or command privilege levels.
>    The Management-Policy-Id Attribute provides a text string
>    specifying  a policy name of local scope, that is assumed to have
>    been pre-provisioned on the NAS.  This use of an attribute to
>    specify use of a pre-provisioned policy is similar to
>    the Filter-Id Attribute defined in [RFC2865] Section 5.11.
> 
>    The local application of the Management-Policy-Id within the managed
>    entity may take the form of (a) one of an enumeration of command
>    privilege levels, (b) a mapping into an SNMP Access Control Model,
>    such as the View Based Access Control Model (VACM) [RFC3415], or (c)
>    some other set of management access policy rules that is mutually
>    understood by the managed entity and the remote management
>    application.  Examples are given in Section X.
> 
>    The Management-Privilege-Level Attribute contains an
>    integer-valued management privilege level indication.  This attribute
>    serves to modify or augment the management permissions provided by
>    the NAS-Prompt value of the Service-Type Attribute, and thus applies to
>    CLI management.
> 
>    To enable management security requirements to be specified, the
>    Management-Transport-Protection Attribute is introduced.  The value
>    of this attribute indicates the minimum level of secure transport
>    protocol protection required for the provisioning of NAS-Prompt,
>    Administrative or Framed-Management service.

This looks, OK, too.

Obviously we need to see the edited version, in context, but I don't see any
loss of information in this condensed version.


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Editorial review of draft-ietf-radext-management-authorization-03.txt
  - From: Bernard Aboba <aboba@internaut.com>

Prev by Date: RE: REMINDER: RADEXT WG Last Call on Design Guidelines Document
Next by Date: RE: Additional comments on draft-ietf-radext-management-authorization-03.txt
Previous by thread: Editorial review of draft-ietf-radext-management-authorization-03.txt
Next by thread: Additional comments on draft-ietf-radext-management-authorization-03.txt
Index(es):
- Date
- Thread