[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: AD review of draft-ietf-radext-management-authorization-05.txt
On Thu, Sep 04, 2008 at 01:29:54PM -0400, David B. Nelson wrote:
> > 2. section 5.2 and the following refer to 'a transport with equal or
> > better protection'. I am wondering whether such a hierarchy of the
> > Management-Transport-Protection is or will be always possible. Actually
> > we may have a problem already, as SNMP allows any combination of
> > authentication and privacy modes, and it is not clear which is the
> > 'better' between (auth, noPriv) and (noAuth, priv).
SNMP only allows _some_ combinations of authentication and privcay
modes and SNMP in particular does not have (noAuth, priv), see for
example RFC 3411 section 3.4.3. And for the three possible
combinations, I think it is obvious how to define the relation
'better'. Furthermore, if there are two security modes for some
hypothetical protocol where the relation 'better' is undefined, then
the text in the ID I think is still fine. So I do not see any reason
to change something here.
> OK, since the options are limited, maybe an enumeration of what's allowed
> and what's not wouldn't be intractable. For example:
> When a NAS receives a Management-Transport-Protection (TBA-3)
> Attribute in an Access-Accept packet, it MUST deliver the management
> access over a transport with at least the specified protection
> properties. Additional protection MAY optionally be provided.
> For example, if No-Protection is specified then either Integrity-
> Protection or Integrity-Confidentiality-Protection MAY be provided.
> If Integrity-Protection is specified then Integrity-Confidentiality-
> Protection MAY be provided. If the minimum protection cannot be
> provided the NAS MUST disconnect the session.
I believe this text is not needed. However, it points out something
else: the document sometimes talks about authentication and sometimes
it talks about integrity protection. For me, these two things are not
necessarily the same. Is this distinction there for a specific reason
or do we actually mean authentication and integrity protection?
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
to unsubscribe send a message to email@example.com with
the word 'unsubscribe' in a single line as the message text body.