[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Thoughts on NetConf Requirements

To: Wes Hardaker <wjhns1@hardakers.net>
Subject: Re: Thoughts on NetConf Requirements
From: Eliot Lear <lear@cisco.com>
Date: Mon, 16 Jun 2003 14:10:27 -0700
Cc: Andy Bierman <abierman@cisco.com>, Randy Bush <randy@psg.com>, "David T. Perkins" <dperkins@dsperkins.com>, Kevin C Miller <kevinm@andrew.cmu.edu>, netconf@ops.ietf.org
In-reply-to: <sd8ys194bq.fsf@wanderer.hardakers.net>
References: <274753314.1054652094@portatool.dhcp.nanog28.merit.net> <5.2.0.9.2.20030603140800.037e66e0@127.0.0.1> <4.3.2.7.2.20030604142148.023ca900@mira-sjc5-c.cisco.com> <sd8ys194bq.fsf@wanderer.hardakers.net>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030529

Wes Hardaker wrote:

On Wed, 04 Jun 2003 14:33:48 -0700, Andy Bierman <abierman@cisco.com> said:


Andy> So what's so complex about reads? The authorization model?
Andy> IMO, the authorization model amounts to a set of tuples:
Andy> { user, operations-allowed, element-subtree }.
Andy> Read operations amount to 1 more bit in the operations-allowed field.

[aside: I agree with Juergen that "filter" would be a better word than
"element-subtree"].

Authorization should probably be able to select stuff on more
information than that.  Specifically, you're designing a protocol that
is expected to run over multiple transports each with their own notion
of how security is performed.

Waitasecond.

The protocols are going to serve as substrates. The semantics will remain within XMLCONF. To do otherwise means you have multiple protocols that will all prove equally difficult to mediate to and from a native operating environment.

Authorization should be tied to opaque strings such as users or distinguished names, if it is to be handled at all (and I believe it is a big if) prior to any agreement on a meta-data model (which may take quite some time to get).

I also do not agree with the following:

1) you probably want to build operational policy based on how the data
   is being transferred.  It's likely that you'll want to change what
   your policy allows based on how the requests are arriving.
   Specifically, if I'm using xmlconf over raw telnet, I certainly
   wouldn't want to allow write operations to my data set.  I'd also
   want to reduce the view of the data that could be seen (IE, keys,
   etc, would never be transmitted within get-config results over an
   insecure link).

Only in the grossest sense. You don't want to even be listen()ing on a port that is insecure because by its very nature this stuff is sensitive. OTOH it's a knob to listen() on a particular port/service, whether it's port 22, 23, 80, 443, or whatever.

And...

3) Similar arguments as 1 and 2 can be made for authentication (IE,
   don't let RADIUS authenticated sessions do more than a limited set
   of operations on a limited set of data).

I see no evidence that this is an operational requirement. Furthermore, I don't see any evidence that we need to standardize this even if it is. You can do that on your box as part of your config.

Eliot

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>

Follow-Ups:
- Re: Thoughts on NetConf Requirements
  - From: Wes Hardaker <wjhns1@hardakers.net>

References:
- Thoughts on NetConf Requirements
  - From: Kevin C Miller <kevinm@andrew.cmu.edu>
- Re: Thoughts on NetConf Requirements
  - From: "David T. Perkins" <dperkins@dsperkins.com>
- Re: Thoughts on NetConf Requirements
  - From: Andy Bierman <abierman@cisco.com>
- Re: Thoughts on NetConf Requirements
  - From: Wes Hardaker <wjhns1@hardakers.net>

Prev by Date: Re: netconf and SNMP evolution?
Next by Date: Re: Thoughts on NetConf Requirements
Previous by thread: Re: Thoughts on NetConf Requirements
Next by thread: Re: Thoughts on NetConf Requirements
Index(es):
- Date
- Thread