[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Evaluation: draft-ietf-policy-qos-info-model - Policy QoS Information Model
- To: Russ Housley <housley@vigilsec.com>, Internet Engineering Steering Group <iesg@ietf.org>
- Subject: RE: Evaluation: draft-ietf-policy-qos-info-model - Policy QoS Information Model
- From: "Wijnen, Bert (Bert)" <bwijnen@lucent.com>
- Date: Tue, 8 Jul 2003 12:02:40 +0200
Russ writes:
> > Yes No-Objection Discuss Abstain
> >Russ Housley [ ] [ ] [ X ] [ ]
>
> The first paragraph of the Introduction indicates that the QPIM includes
> a standard framework for controlling access to network QoS resources. Yet,
> I do not find any discussion of authentication, authorization, or access
> control. The discussion of admission control actions is not sufficient to
> meet fulfill the expectation of the Introduction. At a minimum, access
> control should be discussed in the Security Considerations.
>
>
Russ, this document is an Information-Model document.
It extends RFC3060 (and RFC3460) with more modeling text.
It points to RFC3060 for security considerations. That text in
RFC3060 was created in co-operation with the security Advisor
at the time (Russ Mundy) and agreed to by the sec ADs at the
time.
The security considerations in 3060 start with:
The Policy Core Information Model (PCIM) presented in this document
provides an object-oriented model for describing policy information.
It provides a basic framework for describing the structure of policy
information, in a form independent of any specific repository or
access protocol, for use by an operational system. PCIM is not
intended to represent any particular system design or implementation,
nor does it define a protocol, and as such it does not have any
specific security requirements.
And I believe that for these extensions in the modeling (extensions
for specific services like QoS or device speicifc stuff) this is
equally applicable. Pls explain to me why such would not be the case.
Bert