rfcdiff: draft-ietf-isms-radius-usage-06.txt vs. draft-ietf-isms-radius-usage-07.txt

(Text identical in both drafts appears once. Where the drafts differ, the
old text is marked [-06] and the new text [-07]; material present only in
the newer draft is marked [-07 only].)

Network Working Group                                         K. Narayan
Internet-Draft                                       Cisco Systems, Inc.
Intended status: Standards Track                               D. Nelson
Expires: [-06] October 31, 2009 / [-07] December 2, 2009
                                                   Elbrys Networks, Inc.
                                [-06] April 29, 2009 / [-07] May 31, 2009

Remote Authentication Dial-In User Service (RADIUS) Usage for Simple
Network Management Protocol (SNMP) Transport Models
[-06] draft-ietf-isms-radius-usage-06.txt / [-07] draft-ietf-isms-radius-usage-07.txt
Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
(unchanged text omitted; diff resumes at page 1, line 44 in both drafts)
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on [-06] October 31, 2009 / [-07] December 2, 2009.
Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
(unchanged text omitted; diff resumes at page 3, line 9 in both drafts)
Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

Table of Contents

[-06]
   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  General  . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.2.  RADIUS Operational Model . . . . . . . . . . . . . . . .  4
     1.3.  RADIUS Usage With Secure Transports  . . . . . . . . . .  5
     1.4.  SNMP Transport Models  . . . . . . . . . . . . . . . . .  6
   2.  RADIUS Usage for SNMP Transport Models . . . . . . . . . . .  6
     2.1.  RADIUS Authentication for Transport Protocols  . . . . .  8
     2.2.  RADIUS Authorization for Transport Protocols . . . . . .  8
     2.3.  SNMP Service Authorization . . . . . . . . . . . . . . .  9
   3.  Table of Attributes  . . . . . . . . . . . . . . . . . . . . 10
   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . 11
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . 12
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . 13
     7.1.  Normative References . . . . . . . . . . . . . . . . . . 13
     7.2.  Informative References . . . . . . . . . . . . . . . . . 13
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14

[-07]
   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  General  . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.2.  System Block Diagram . . . . . . . . . . . . . . . . . .  4
     1.3.  RADIUS Operational Model . . . . . . . . . . . . . . . .  5
     1.4.  RADIUS Usage With Secure Transports  . . . . . . . . . .  6
     1.5.  Domain of Applicability  . . . . . . . . . . . . . . . .  7
     1.6.  SNMP Transport Models  . . . . . . . . . . . . . . . . .  8
   2.  RADIUS Usage for SNMP Transport Models . . . . . . . . . . .  8
     2.1.  RADIUS Authentication for Transport Protocols  . . . . .  9
     2.2.  RADIUS Authorization for Transport Protocols . . . . . . 10
     2.3.  SNMP Service Authorization . . . . . . . . . . . . . . . 10
   3.  Table of Attributes  . . . . . . . . . . . . . . . . . . . . 12
   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . 13
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . 13
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . 14
     7.1.  Normative References . . . . . . . . . . . . . . . . . . 14
     7.2.  Informative References . . . . . . . . . . . . . . . . . 15
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction

1.1. General

This memo describes the use of a Remote Authentication Dial-In User
Service (RADIUS) authentication and authorization service by Simple
Network Management Protocol (SNMP) secure Transport Models to
authenticate users and authorize creation of secure transport
sessions. While the recommendations of this memo are generally
(unchanged text omitted; diff resumes at page 4, line 26 in both drafts)
In the context of this document, a Network Access Server (NAS) is a
network device or host that contains an SNMP engine implementation,
utilizing SNMP Transport Models. It is customary in SNMP documents
to indicate which subsystem performs specific processing tasks. In
this document we leave such decisions to the implementer, as is
customary for RADIUS documents, and simply specify NAS behavior.
Such processing would quite likely be implemented in the secure
transport module.

[-06] 1.2. RADIUS Operational Model
[-07] 1.2. System Block Diagram
[-07 only]

A block diagram of the major system components referenced in this
document may be useful to understanding the text that follows.

                                 +--------+
          +......................|RADIUS  |....+
          .                      |Server  |    .
       Shared                    +--------+    .
        User                         |         .
     Credentials           RADIUS    |       Shared
          .                          |       RADIUS
          .                          |       Secret
          .                          |         .
  +-------------+                +-----------------+
  |  Network    |                | RADIUS Client / |
  |  Management |      SNMP      | SNMP Engine /   |
  |  Application|----------------| Network Device  |
  +-------------+      SSH       +-----------------+

                          Block Diagram

This diagram illustrates that a network management application
communicates with a network device, the managed entity, using SNMP
over SSH. The network device uses RADIUS to communicate with a
RADIUS Server to authenticate the network management application (or
the user whose credentials that application provides) and to obtain
authorization information related to access via SNMP for the purpose of
device management. Other secure transport protocols might be used
instead of SSH.

1.3. RADIUS Operational Model
The RADIUS protocol [RFC2865] provides authentication and
authorization services for network access devices, usually referred
to as a Network Access Server (NAS). The RADIUS protocol operates,
at the most simple level, as a request-response mechanism. RADIUS
Clients, within the NAS, initiate a transaction by sending a RADIUS
Access-Request message to a RADIUS Server, with which the client
shares credentials. The RADIUS Server will respond with either an
Access-Accept message or an Access-Reject message.
(unchanged text omitted; diff resumes at -06 page 5, line 38 / -07 page 6, line 24)
administrative interfaces of network infrastructure devices, e.g. the
Command Line Interface (CLI) or SNMP engine of switches and routers.

In order for the RADIUS server to have information regarding the type
of access being requested, it is common for the NAS (i.e. the RADIUS
client) to include "hint" attributes in the RADIUS Access-Request
message, describing the NAS and the type of service being requested.
This document recommends appropriate "hint" attributes for the SNMP
service type.

[-06] 1.3. RADIUS Usage With Secure Transports
[-07] 1.4. RADIUS Usage With Secure Transports
Some secure transport protocols that can be used with SNMP Transport
Models have defined authentication protocols supporting several
authentication methods. For example, the Secure Shell (SSH)
Authentication protocol [RFC4252] supports multiple methods (Public
Key, Password, Host-Based) to authenticate SSH clients.

SSH Server integration with RADIUS traditionally uses the username
and password mechanism.
(unchanged text omitted; diff resumes at -06 page 6, line 18 / -07 page 7, line 4)
Authentication Modules (PAM)
[http://www.opengroup.org/rfc/rfc86.0.html] interface provided by
operating systems such as Linux and Solaris to integrate with
password based network authentication mechanisms such as RADIUS,
TACACS+, Kerberos, etc.

Secure transports do not typically specify how to utilize
authorization information obtained from an AAA service, such as
RADIUS. More often, user authentication is sufficient to cause the
secure transport server to begin delivering service to the user.
Access control in these situations is supplied by the application to
which the secure transport server session is attached. For example,
if the application is a Linux shell, the user's access rights are
controlled by that user account's group membership and the file
system access protections. This behavior does not closely follow the
traditional service provisioning model of AAA systems, such as
RADIUS.

[-06] 1.4. SNMP Transport Models
[-07] 1.5. Domain of Applicability
[-07 only]

Most of the RADIUS Attributes referenced in this document have broad
applicability for provisioning remote management access to NAS
devices using SNMP. However, the selection of secure transport
protocols has special considerations. This document does not specify
details of the integration of secure transport protocols with a
RADIUS client in the NAS implementation. However, there are
functional requirements for correct application of framed management
protocols and secure transport protocols that will limit the
selection of such protocols that can be considered for use with
RADIUS. Since the RADIUS user credentials are obtained by the RADIUS
client from the secure transport protocol server, or in some cases
directly from the SNMP engine, the secure transport protocol, and its
implementation in the NAS, MUST support forms of credentials that are
compatible with the authentication methods supported by RADIUS.

RADIUS currently supports the following user authentication methods,
although others may be added in the future:

   o  Password (RFC 2865)
   o  CHAP (RFC 2865)
   o  ARAP (RFC 2869)
   o  EAP (RFC 2869, RFC 3579)
   o  HTTP Digest (RFC 5090)

The secure transport protocols selected for use with RADIUS and SNMP
obviously need to support user authentication methods that are
compatible with those that exist in RADIUS. The RADIUS
authentication methods most likely usable with these protocols are
Password, CHAP and possibly HTTP Digest, with Password being the
distinct common denominator. There are many secure transports that
support other, more robust, authentication mechanisms, such as public
key. RADIUS has no support for public key authentication, except
within the context of an EAP Method. The applicability statement for
EAP indicates that it is not intended for use as an application-layer
authentication mechanism, so its use with the mechanisms described in
this document is NOT RECOMMENDED. In some cases, Password may be the
only compatible RADIUS authentication method available.

1.6. SNMP Transport Models
The Transport Subsystem for SNMP [I-D.ietf-isms-tmsm] defines a
mechanism for providing transport layer security for SNMP, allowing
protocols such as SSH and TLS to be used to secure SNMP
communication. The Transport Subsystem allows the modular definition
of Transport Models for multiple secure transport protocols.

Transport Models rely upon the underlying secure transport for user
authentication services. The Transport Model (TM) then maps the
authenticated identity to a model-independent principal, which it
stores in the tmStateReference. When the selected security model is
(unchanged text omitted; diff resumes at -06 page 8, line 19 / -07 page 9, line 45)
service authorization, network management access may be granted to
unauthorized, but properly authenticated, users. With SNMPv3, an
appropriately configured Access Control Model would serve to
alleviate the risk of unauthorized access.

2.1. RADIUS Authentication for Transport Protocols

This document will rely on implementation specific integration of the
transport protocols with RADIUS clients for user authentication.

It is [-06] RECOMMENDED / [-07] REQUIRED that the integration of
RADIUS clients with transport protocols utilize appropriate "hint"
attributes in RADIUS Access-Request messages, to signal to the RADIUS
server the type of service being requested over the transport
session. Specific attributes for use with SNMP Transport Models are
recommended in this document.

RADIUS servers, compliant to this specification, MAY use RADIUS hint
attributes, as described herein, to inform the decision whether to
accept or reject the authentication request.
2.2. RADIUS Authorization for Transport Protocols

In compliance with RFC 2865, NASes MUST enforce implicitly mandatory
attributes, such as Service-Type, within an Access-Accept message.
NASes MUST treat Access-Accept Messages that attempt to provision
(unchanged text omitted; diff resumes at -06 page 9, line 21 / -07 page 10, line 46)
2.3. SNMP Service Authorization

The Transport Subsystem for SNMP [I-D.ietf-isms-tmsm] defines the
notion of a session, although the specifics of how sessions are
managed is left to Transport Models. The Transport Subsystem defines
some basic requirements for transport protocols around creation and
deletion of sessions. This memo specifies additional requirements
for transport protocols during session creation, and for session
termination.

RADIUS servers compliant to this specification [-06] SHOULD / [-07]
MUST use RADIUS service provisioning attributes, as described herein,
to specify SNMP access over a secure transport. Such RADIUS servers
MAY use RADIUS hint attributes included in the Access-Request
message, as described herein, in determining what, if any, service to
provision.

NASes compliant to this specification MUST use RADIUS service
provisioning attributes, as described in this section, when they are
present in a RADIUS Access-Accept message, to determine whether the
session can be created and MUST enforce the service provisioning
decisions of the RADIUS server.

The following RADIUS attributes [-06] SHOULD / [-07] MUST be used, as
hint attributes included in the Access-Request message to signal use
of SNMP over a secure transport (i.e. authPriv) to the RADIUS server:

   1. Service-Type with a value of Framed-Management.
   2. Framed-Management-Protocol with a value of SNMP.
   3. Management-Transport-Protection with a value of
      Integrity-Confidentiality-Protection.

The following RADIUS attributes [-06] are used / [-07] MUST be used
in an Access-Accept message to provision SNMP over a secure transport
which provides both integrity and confidentiality (i.e. authPriv):

   1. Service-Type with a value of Framed-Management.
   2. Framed-Management-Protocol with a value of SNMP.
   3. Management-Transport-Protection with a value of
      Integrity-Confidentiality-Protection.

The following RADIUS attributes [-06] MAY be optionally used / [-07]
MUST be optionally used, to authorize use of SNMP without protection
(i.e. authNoPriv):

   1. Service-Type with a value of Framed-Management.
   2. Framed-Management-Protocol with a value of SNMP.
   3. Management-Transport-Protection with a value of No-Protection.

There are no combinations of RADIUS attributes that denote the
equivalent of SNMP noAuthNoPriv access, as RADIUS always involves the
authentication of a user (i.e. a principal) as a prerequisite for
authorization. RADIUS can be used to provide an "Authorize-Only"
service, but only when the request contains a "cookie" from a
previous successful authentication with the same RADIUS server (i.e.
the RADIUS State Attribute).

The following RADIUS attributes are used to limit the extent of a
secure transport session carrying SNMP traffic, in conjunction with
an SNMP Transport Model:

   1. Session-Timeout
   2. Inactivity-Timeout.
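The hint and provisioning attributes of section 2.3, worked through as an added example (editor's code, not text or code from the draft or from any RADIUS implementation): a NAS builds the Access-Request with the three SNMP hints, hides the User-Password as RFC 2865 section 5.2 prescribes (the Password method that section 1.5 calls the common denominator), and then applies the section 2.2/2.3 rules to the Access-Accept it gets back before letting the secure-transport session carry SNMP. The attribute numbers for Framed-Management-Protocol (133) and Management-Transport-Protection (134), the Framed-Management Service-Type value (18) and the SNMP and protection-level enumerations are not given in the draft text shown here; they are taken from RFC 5607, the published form of the cited draft-ietf-radext-management-authorization, and should be treated as assumptions. The reading of Management-Transport-Protection as a minimum the transport must meet or exceed, the packet layouts and the secrets are likewise assumptions of this example.

```python
import hashlib
import os
import struct

# RFC 2865 codes/attributes; 133, 134, Service-Type 18 and the enumerations are
# from RFC 5607 (published form of the cited draft) and are assumed here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, SESSION_TIMEOUT = 1, 2, 6, 27
FRAMED_MANAGEMENT_PROTOCOL, MANAGEMENT_TRANSPORT_PROTECTION = 133, 134
SERVICE_TYPE_FRAMED_MANAGEMENT, FMP_SNMP = 18, 1
MTP_NO_PROTECTION, MTP_INTEGRITY, MTP_INTEGRITY_CONFIDENTIALITY = 1, 2, 3

def avp(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([atype, 2 + len(value)]) + value

def build_packet(code, identifier, authenticator, attributes):
    """Code, Identifier, Length, 16-octet Authenticator, then the attributes."""
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def snmp_hint_request(username, password, secret, identifier=1, authenticator=None):
    """Access-Request with the three section 2.3 hint attributes (SNMP, authPriv)."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    attrs = [avp(USER_NAME, username),
             avp(USER_PASSWORD, hide_password(password, secret, authenticator)),
             avp(SERVICE_TYPE, SERVICE_TYPE_FRAMED_MANAGEMENT),
             avp(FRAMED_MANAGEMENT_PROTOCOL, FMP_SNMP),
             avp(MANAGEMENT_TRANSPORT_PROTECTION, MTP_INTEGRITY_CONFIDENTIALITY)]
    return build_packet(ACCESS_REQUEST, identifier, authenticator, attrs)

def parse_packet(packet):
    """Return (code, identifier, [(type, value), ...]); reject bad lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("truncated packet or bad Length field")
    attrs, pos = [], 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return packet[0], packet[1], attrs

def authorize_snmp_session(packet, transport_protection):
    """NAS-side section 2.3 decision: may this secure-transport session carry SNMP?
    transport_protection is what the live transport provides (MTP_INTEGRITY_CONFIDENTIALITY
    for SSH or TLS). Returns (allowed, session_timeout_or_None, reason)."""
    code, _, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return False, None, "not an Access-Accept"
    values = {}
    for atype, value in attrs:
        if atype in values:  # each provisioning attribute may appear at most once
            return False, None, "duplicate attribute %d" % atype
        values[atype] = value

    def u32(atype, default=None):
        return struct.unpack("!I", values[atype])[0] if atype in values else default

    # Section 2.2: Service-Type is implicitly mandatory; an Accept that provisions
    # anything but framed SNMP management is treated as a reject.
    if u32(SERVICE_TYPE) != SERVICE_TYPE_FRAMED_MANAGEMENT:
        return False, None, "Service-Type is not Framed-Management"
    if u32(FRAMED_MANAGEMENT_PROTOCOL) != FMP_SNMP:
        return False, None, "Framed-Management-Protocol is not SNMP"
    # Assumption: the attribute is the minimum the server requires, so an
    # authPriv transport also satisfies a No-Protection authorization.
    if transport_protection < u32(MANAGEMENT_TRANSPORT_PROTECTION, MTP_NO_PROTECTION):
        return False, None, "transport protection below the provisioned minimum"
    return True, u32(SESSION_TIMEOUT), "ok"
```

The NAS calls authorize_snmp_session only after the response has been authenticated (Response Authenticator and, where present, Message-Authenticator); the function deliberately fails closed on anything other than a well-formed Access-Accept that names framed SNMP management, and it refuses an Accept whose required protection level the live transport cannot meet, which is what "MUST enforce the service provisioning decisions of the RADIUS server" amounts to in code.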
(unchanged text omitted; diff resumes at -06 page 11, line 34 / -07 page 12, line 44)
Table 2 defines the meaning of the entries in Table 1.

   0    This attribute MUST NOT be present in a packet.
   0+   Zero or more instances of this attribute MAY be present in
        a packet.
   0-1  Zero or one instance of this attribute MAY be present in
        a packet.
   1    Exactly one instance of this attribute MUST be present in
        a packet.
   *    Only one of these attribute options SHOULD be included.

                                Table 2

SSH integration with RADIUS traditionally uses usernames and
passwords (with the User-Password Attribute), but other secure
transports could use other authentication mechanisms, and would
include RADIUS authentication attributes appropriate for that
mechanism instead of User-Password.

This document does not describe the usage of RADIUS Accounting, nor
(unchanged text omitted; diff resumes at -06 page 12, line 22 / -07 page 13, line 33)
This specification describes the use of RADIUS for purposes of
authentication and authorization. Threats and security issues for
this application are described in [RFC3579] and [RFC3580]; security
issues encountered in roaming are described in [RFC2607].

Additional security considerations for use of SNMP with secure
Transport Models [I-D.ietf-isms-tmsm] and the Transport Security
Model [I-D.ietf-isms-transport-security-model] are found in the
Security Considerations sections of the respective documents.

If the SNMPv1 or SNMPv2c Security Model is used, then securityName
comes from the community name, as per RFC3584. If the User-based
Security Model is selected, then securityName is determined using
USM. This may not be what is expected when using an SNMP secure
Transport Model with an external authentication service, such as
RADIUS.

Simultaneously using a secure transport with RADIUS authentication
and authorization, and the SNMPv1 or SNMPv2c or USM security models
is NOT RECOMMENDED. See the coexistence section of
[I-D.ietf-isms-tmsm].
(unchanged text omitted; diff resumes at -06 page 12, line 45 / -07 page 14, line 10)
AAA-based access, however. When the network is under duress, or the
AAA-service is unreachable, for any reason, it is important to have
access credentials stored in the local configuration data-store of
the managed entity. USM credentials are a likely way to fulfill this
requirement. This is analogous to configuring a local "root"
password in the "/etc/passwd" file of a UNIX workstation, to be used
as a backup means of login, for times when the Network Information
Service (NIS) authentication service is unreachable.

The Message-Authenticator (80) attribute [RFC3579] SHOULD be used
with RADIUS messages that are described in this memo. [-07 only:]
This is useful because the Message-Authenticator Attribute is the
best available mechanism in RADIUS as it stands today to provide
tamper-evident integrity protection of the service provisioning
attributes in an Access-Accept packet. It is slightly less important
for Access-Request packets, although it may be desirable to protect
any "hint" attributes contained in those messages. This protection
mitigates the fact that RADIUS messages are not encrypted and that
attributes could be added, deleted or modified by an adversary in a
position to intercept the packet.
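The Message-Authenticator protection described above, as an added example (editor's code, not from the draft or any RADIUS implementation): the attribute is an HMAC-MD5, keyed with the shared secret, over Code, Identifier, Length, Request Authenticator and the attributes with the Message-Authenticator value itself zeroed (RFC 3579 section 3.2); for an Access-Accept the Request Authenticator of the Access-Request being answered is used. The example signs both sides of a constructed exchange, also computes the RFC 2865 Response Authenticator, and then shows that an on-path rewrite of the provisioned Management-Transport-Protection value from Integrity-Confidentiality-Protection to No-Protection fails both checks. The attribute number 134 and the value enumeration are taken from RFC 5607 (the published form of the cited draft) and are assumed here; the secret and Request Authenticator are constructed constants, and a real client would draw the authenticator from a CSPRNG.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, SERVICE_TYPE, MESSAGE_AUTHENTICATOR = 1, 6, 80
MANAGEMENT_TRANSPORT_PROTECTION = 134  # number from RFC 5607, assumed here
FRAMED_MANAGEMENT, INTEGRITY_CONFIDENTIALITY, NO_PROTECTION = 18, 3, 1

def avp(atype, value):
    """Type, Length, Value; integers are 4-octet big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([atype, 2 + len(value)]) + value

def build_packet(code, identifier, authenticator, attributes):
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def attr_offset(packet, atype):
    """Offset of the first attribute of type atype, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        if packet[pos + 1] < 2:
            raise ValueError("malformed attribute")
        if packet[pos] == atype:
            return pos
        pos += packet[pos + 1]
    return None

def sign(packet, secret, request_authenticator):
    """Fill Message-Authenticator (RFC 3579 section 3.2): HMAC-MD5 keyed with the
    shared secret over Code, Identifier, Length, Request Authenticator and the
    attributes, with the Message-Authenticator value itself zeroed. Responses are
    computed over the Request Authenticator of the Access-Request they answer."""
    pos = attr_offset(packet, MESSAGE_AUTHENTICATOR)
    if pos is None or packet[pos + 1] != 18:
        raise ValueError("packet lacks a 16-octet Message-Authenticator placeholder")
    zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
    mac = hmac.new(secret, zeroed[:4] + request_authenticator + zeroed[20:], hashlib.md5).digest()
    return packet[:pos + 2] + mac + packet[pos + 18:]

def verify_message_authenticator(packet, secret, request_authenticator):
    """True only when the packet carries a Message-Authenticator and it matches."""
    pos = attr_offset(packet, MESSAGE_AUTHENTICATOR)
    if pos is None or packet[pos + 1] != 18:
        return False
    expected = sign(packet, secret, request_authenticator)[pos + 2:pos + 18]
    return hmac.compare_digest(expected, packet[pos + 2:pos + 18])

def response_authenticator(response, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()

def verify_response_authenticator(response, request_authenticator, secret):
    return hmac.compare_digest(response[4:20], response_authenticator(response, request_authenticator, secret))

def demo():
    """Constructed exchange: NAS request, server Access-Accept, on-path downgrade."""
    secret = b"radiussecret"       # constructed shared secret
    req_auth = bytes(range(16))    # constructed Request Authenticator (use os.urandom in practice)
    request = sign(build_packet(ACCESS_REQUEST, 9, req_auth, [
        avp(USER_NAME, b"netops"), avp(SERVICE_TYPE, FRAMED_MANAGEMENT),
        avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]), secret, req_auth)
    # Server: compute Message-Authenticator first, then the Response Authenticator
    # over the finished attribute list (the Authenticator field is filled last).
    accept = sign(build_packet(ACCESS_ACCEPT, 9, b"\x00" * 16, [
        avp(SERVICE_TYPE, FRAMED_MANAGEMENT),
        avp(MANAGEMENT_TRANSPORT_PROTECTION, INTEGRITY_CONFIDENTIALITY),
        avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]), secret, req_auth)
    accept = accept[:4] + response_authenticator(accept, req_auth, secret) + accept[20:]
    # Adversary rewrites the provisioned protection level to No-Protection.
    pos = attr_offset(accept, MANAGEMENT_TRANSPORT_PROTECTION)
    tampered = accept[:pos + 2] + struct.pack("!I", NO_PROTECTION) + accept[pos + 6:]
    return {
        "request_ma_ok": verify_message_authenticator(request, secret, req_auth),
        "accept_ma_ok": verify_message_authenticator(accept, secret, req_auth),
        "accept_resp_auth_ok": verify_response_authenticator(accept, req_auth, secret),
        "tampered_ma_ok": verify_message_authenticator(tampered, secret, req_auth),
        "tampered_resp_auth_ok": verify_response_authenticator(tampered, req_auth, secret),
    }
```

Ordering matters on the server: the Message-Authenticator is computed before the Response Authenticator, because the latter covers every attribute including the finished Message-Authenticator. A NAS that treats a missing Message-Authenticator as a verification failure, as verify_message_authenticator does, gets the "SHOULD be used" of this section enforced on the receiving side rather than merely hoped for on the sending side.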
6. Acknowledgements

The authors would like to acknowledge the contributions of David
Harrington and Juergen Schoenwaelder for numerous helpful discussions
in this space, and Wes Hardaker for his thoughtful review comments.

7. References

7.1. Normative References

[I-D.ietf-isms-tmsm]
     Harrington, D. and J. Schoenwaelder, "Transport Subsystem
     for the Simple Network Management Protocol (SNMP)",
     [-06] draft-ietf-isms-tmsm-17 (work in progress), April 2009 /
     [-07] draft-ietf-isms-tmsm-18 (work in progress), May 2009.

[I-D.ietf-isms-transport-security-model]
     Harrington, D. and W. Hardaker, "Transport Security Model
     for SNMP",
     [-06] draft-ietf-isms-transport-security-model-13 (work in progress), April 2009 /
     [-07] draft-ietf-isms-transport-security-model-14 (work in progress), May 2009.

[I-D.ietf-radext-management-authorization]
     Nelson, D. and G. Weber, "Remote Authentication Dial-In
     User Service (RADIUS) Authorization for Network Access
     Server (NAS) Management",
     draft-ietf-radext-management-authorization-06 (work in
     progress), October 2008.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
     Requirement Levels", BCP 14, RFC 2119, March 1997.

(unchanged text omitted; diff resumes at -06 page 13, line 44 / -07 page 15, line 18)
[RFC5080] Nelson, D. and A. DeKok, "Common Remote Authentication
     Dial In User Service (RADIUS) Implementation Issues and
     Suggested Fixes", RFC 5080, December 2007.

7.2. Informative References

[I-D.ietf-isms-secshell]
     Harrington, D., Salowey, J., and W. Hardaker, "Secure
     Shell Transport Model for SNMP",
     [-06] draft-ietf-isms-secshell-16 (work in progress), April 2009 /
     [-07] draft-ietf-isms-secshell-18 (work in progress), May 2009.

[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
     Implementation in Roaming", RFC 2607, June 1999.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
     Architecture for Describing Simple Network Management
     Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
     December 2002.

[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication

End of changes: 20 change blocks; 42 lines changed or deleted, 123 lines
changed or added. This diff was produced by rfcdiff 1.35; the latest
version is available from http://tools.ietf.org/tools/rfcdiff/.