IETF-SSH archive


RE: [Fwd: WG Action: RECHARTER: Integrated Security Model for SNMP (isms)]



IMHO, the ISMS working group will need an SSH MIB to be developed because now
SNMP may also manage the underlying SSH to make itself work well.  I believe
the ISMS WG will not do the work because of scope.  Shall the secsh working
group develop an SSH MIB to meet the requirement?

-----Original Message-----
From: ietf-ssh-owner%NetBSD.org@localhost [mailto:ietf-ssh-owner%NetBSD.org@localhost] On Behalf
Of Bill Sommerfeld
Sent: Thursday, October 27, 2005 9:05 AM
To: ietf-ssh%netbsd.org@localhost
Subject: [Fwd: WG Action: RECHARTER: Integrated Security Model for SNMP
(isms)]


FYI: 

ISMS has been rechartered to work on a revision to SNMP which runs over SSH.

					- Bill

-----Forwarded Message-----
From: IESG Secretary <iesg-secretary-reply%ietf.org@localhost>
To: IETF Announcement list <ietf-announce%ietf.org@localhost>
Cc: isms%ietf.org@localhost, Juergen Quittek <quittek%netlab.nec.de@localhost>
Subject: WG Action: RECHARTER: Integrated Security Model for SNMP (isms)
Date: Mon, 24 Oct 2005 17:29:15 -0400

The Integrated Security Model for SNMP (isms) working group in the Security 
Area of the IETF has been rechartered. For additional information, please
contact the Area Directors or the working group Chairs.

+++

Integrated Security Model for SNMP (isms)
==========================================

Current Status: Active Working Group

Chair(s):
Juergen Schoenwaelder <j.schoenwaelder%iu-bremen.de@localhost>
Juergen Quittek <quittek%netlab.nec.de@localhost>

Security Area Director(s):
Russ Housley <housley%vigilsec.com@localhost>
Sam Hartman <hartmans-ietf%mit.edu@localhost>

Security Area Advisor:
Sam Hartman <hartmans-ietf%mit.edu@localhost>

Mailing Lists:
General Discussion: isms%ietf.org@localhost
To Subscribe: isms-request%ietf.org@localhost
In Body: in body: (un)subscribe
Archive:
http://www.ietf.org/mail-archive/working-groups/isms/current/maillist.html

Description of Working Group:
The Simple Network Management Protocol version 3 (SNMPv3) provides message
security services through the security subsystem, for which there is one
currently defined model - the User-based Security Model (USM). However, the
USM approach has seen limited deployment so far. One frequently reported
reason is the lack of integration of USM key and user management into
deployed authentication infrastructures.

SSH is a widely deployed access protocol for remote device configuration.
Many devices support the integration of SSH user authentication with AAA
systems via protocols such as RADIUS.

The goal of the ISMS working group is developing a new security model for
SNMP that integrates with widely deployed user and key management systems,
as a supplement to the USM security model.

For this integration the working group will define a standard method for
mapping from AAA-provisioned authorization parameter(s) to corresponding
SNMP parameters.

In order to leverage the authentication information already accessible at
managed devices, the new security model will use the SSH protocol for
message protection, and RADIUS for AAA-provisioned user authentication and
authorization. However, the integration of a transport mapping security
model into the SNMPv3 architecture should be defined such that it is open to
support potential alternative transport mappings to protocols such as BEEP
and TLS.

The new security model must not modify any other aspects of SNMPv3 protocol
as defined in STD 62 (e.g., it must not create new PDU types).

Work on new access control models or centralized administration of
View-based Access Control Model (VACM) rules and mappings is outside the
scope of the working group.

The working group will cover the following work items:

- Specify an architectural extension that describes how transport mapping
security models (TMSMs) fit into the SNMPv3 architecture.
- Specify an architectural extension that describes how to perform a mapping
from AAA-provisioned user-authentication and authorization parameter(s) to
securityName and other corresponding SNMP parameters.
- Specify a mapping from RADIUS-provisioned authentication and authorization
parameter(s) to securityName and other corresponding SNMP parameters. This
item may be a RADEXT work item last-called in both groups.
- Specify a mapping from locally-provisioned authentication and
authorization parameter(s) to securityName and other corresponding SNMP
parameters.
- Define how to use SSH between the two SNMP engines.
- Specify the SSH security model for SNMP.

Goals and Milestones:
Done      Cut-off date for internet-drafts to be submitted to the working
          group for consideration as a proposed solution
Done      Decision about which architecture the WG will focus its efforts on
Oct 05    Initial version of a general transport mapping security models
          (TMSMs) document that specifies how TMSMs fit into the SNMPv3
          architecture and that defines the requirements for transport
          mapping security models
Oct 05    Initial version of a document specifying the SSH security model
          for SNMP
Feb 06    Initial version of an applicability statement that sets up
          reasonable mandatory to implement methods
Feb 06    Submit TMSM document to IESG
Jun 06    Submit SSH TMSM to IESG
Jun 06    Submit RADIUS mapping model for SNMP to IESG
Aug 06    Submit applicability statement to IESG
Dec 06    Initial version of a document specifying the RADIUS authentication
          and authorization mapping model for SNMP

_______________________________________________
IETF-Announce mailing list
IETF-Announce%ietf.org@localhost https://www1.ietf.org/mailman/listinfo/ietf-announce



