
Re: Proposed Update to Netconf Charter



Hi -

> From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
> To: <j.schoenwaelder@iu-bremen.de>; "Sharon Chisholm" <schishol@nortel.com>
> Cc: <netconf@ops.ietf.org>
> Sent: Thursday, June 30, 2005 9:27 AM
> Subject: RE: Proposed Update to Netconf Charter
...
> I agree with Juergen on this. In an ideal world I would see the issue of
> access control being dealt with in a common framework with isms, but I
> am quite uncertain right now about where isms is - even with respect to
> its initial goals.
...

The only bits to worry about from isms are whether the identification of
principals and security levels will be compatible with existing SNMP security
models, along with whatever configuration data is needed to support the
use of the new security model(s).

I'm increasingly doubtful that we'll ever see vendor-neutral mappings
between SNMP contexts and OID regions to things in netconf-land, much
less a way of ensuring that netconf security policies and, for example, VACM
policies are logically consistent.  To make this practical, we'd need
an algorithmic way to relate arbitrary vendor-specific chunks of XML to
constellations of SMI objects.  Even if fancy XSLTs might do the job,
who would actually write these things?

However, those aren't specifically isms issues.  The current isms charter
makes a point of not addressing access control.  Short of starting a new
WG, the place to do the netconf access control work is here in netconf,
unless we just leave it to the vendors as a means of product differentiation.

Randy



