
Re: architecture and security



Martin Bjorklund wrote:
> Andy Bierman <ietf@andybierman.com> wrote:
>> 2) Access control is backwards;
>>    It doesn't make sense to apply access control to the '1 way RPC'
>>    in the same sense as a regular RPC.  It is the manager who is
>>    supposed to have access granted to view specific agent data -- not
>>    the agent that is supposed to have access granted to
>>    send the manager specific agent data.
>
> Could you elaborate on what the problem is?  Is this different/more
> problematic than the SNMP VACM model?  I.e. can't you use a "notify"
> view, and apply it to each notification generated by the agent?  Also,
> I think the filter-based approach that Kent described can be seen as
> one way to implement this model (if I understand him correctly).

Yes.
But my point is that the backwards 1-way RPC also reverses
the access control (incorrectly).

IMO, for the subscribe type of API, a profile name is
specified which points to all the parameters, such as
the access-control view to use.

The agent uses that access control profile when generating
each notification, to check it against the contained content.
If the user is allowed to see all the data, the notification is
sent, otherwise it is simply not sent to that user (i.e., on that
session).



> /martin



Andy
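
A sketch of the per-session check described in the message above, added as an illustration and not taken from the thread or from any NETCONF implementation. The view format (subtree rules, longest match wins, loosely modelled on VACM views), the profile names, the paths and the sessions are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class View:
    """Simplified VACM-style view (assumed format): subtree rules, longest match wins."""
    rules: tuple  # (subtree_path, included) pairs

    def allows(self, path):
        node = path.strip("/").split("/")
        best_len, verdict = -1, False            # no matching rule: deny
        for subtree, included in self.rules:
            stripped = subtree.strip("/")
            prefix = stripped.split("/") if stripped else []
            # Compare whole path segments so /system/aaa does not match /system/aaa2.
            if node[:len(prefix)] == prefix and len(prefix) > best_len:
                best_len, verdict = len(prefix), included
        return verdict

# Constructed profiles: the name given at subscribe time selects the view.
PROFILES = {
    "noc-readonly": View((("/interfaces", True), ("/system", True),
                          ("/system/aaa", False))),
    "admin": View((("/", True),)),
}

@dataclass
class Session:
    session_id: int
    user: str
    profile: str  # profile name supplied in the subscription

def may_send(session, notification_paths):
    """All-or-nothing: send only if the view permits every node in the content."""
    view = PROFILES.get(session.profile)
    if view is None:                             # unknown profile: never send
        return False
    return all(view.allows(p) for p in notification_paths)

def recipients(sessions, notification_paths):
    """Session ids on which the agent would emit this notification."""
    return [s.session_id for s in sessions if may_send(s, notification_paths)]

# Constructed sessions and notification contents.
SESSIONS = [Session(1, "alice", "noc-readonly"),
            Session(2, "root", "admin"),
            Session(3, "bob", "no-such-profile")]
LINK_DOWN = ["/interfaces/interface/eth0/oper-status"]
USER_CHANGE = ["/system/hostname", "/system/aaa/user/bob"]
```

The check runs on the agent for each session's own view, so a notification that carries even one node outside the view is withheld from that session rather than trimmed.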
