Re: [Isms] Multiple user namespaces



Juergen Schoenwaelder writes...

> The mappings then become part of the SNMP configuration and
> I do not see a multi-vendor interoperability issue
> (at least nothing worse than what we are used to ;-).

Well, perhaps.  I thought part of the issue with non-deployment of SNMPv3
that we are attempting to solve was that the configuration required today
*is* too complicated.

> We need to figure out how we can keep simple installations
> simple and put the costs on more complex installations.

OK, that *sounds* good.

> This might require [us] to think about a wildcarding mechanism
> that allows me to specify a policy such as "all SSH user names
> not listed in the table are passed unaltered as securityNames" or 
> "all TLS/DTLS names not found in the table are mapped to a 
> specific securityName (so VACM can deny access for example)".

The issue arises when there are multiple authentication methods (i.e.
multiple user namespaces).  That most often occurs when there are multiple
transport protocols.  I think that is likely already outside the "80% rule",
and that the simple case is a single protocol with a single user namespace.
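
Added example, not part of the original message or of any ISMS document: a sketch of the mapping table with the two wildcard fallbacks quoted above (unlisted names passed unaltered, or unlisted names mapped to one fixed securityName), plus a check for securityNames reachable from more than one user namespace. The class, function, transport labels and sample names are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class NamespacePolicy:
    """Mapping policy for one transport's user namespace (hypothetical structure)."""
    table: Dict[str, str] = field(default_factory=dict)  # transport name -> securityName
    # Fallback for names not in the table:
    #   None  -> pass the transport name unaltered as the securityName
    #   "xyz" -> map every unlisted name to the fixed securityName "xyz"
    unlisted_maps_to: Optional[str] = None


def resolve(policies: Dict[str, NamespacePolicy], transport: str, name: str) -> str:
    """Return the securityName handed to access control for (transport, name)."""
    policy = policies.get(transport)
    if policy is None:
        # No policy at all for this transport: refuse rather than guess.
        raise LookupError(f"no mapping policy configured for transport {transport!r}")
    if name in policy.table:
        return policy.table[name]
    return name if policy.unlisted_maps_to is None else policy.unlisted_maps_to


def shared_security_names(policies: Dict[str, NamespacePolicy],
                          identities: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """List securityNames that identities from more than one namespace resolve to."""
    seen: Dict[str, Set[str]] = {}
    for transport, name in identities:
        seen.setdefault(resolve(policies, transport, name), set()).add(transport)
    return {sec_name: ts for sec_name, ts in seen.items() if len(ts) > 1}


# Simple installation: one transport, empty table, names pass through unaltered.
SIMPLE = {"ssh": NamespacePolicy()}

# More complex installation (constructed sample): two namespaces, one explicit
# entry, and unlisted TLS names collapsed onto a single securityName.
COMPLEX = {
    "ssh": NamespacePolicy(),
    "tls": NamespacePolicy(table={"CN=noc-operator": "operator"},
                           unlisted_maps_to="tls-unmapped"),
}
```

With a single namespace the table stays empty; entries are only needed once a second namespace is configured.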

