From j.schoenwaelder@jacobs-university.de Thu Oct 15 10:48:12 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 490FE3A6867 for ; Thu, 15 Oct 2009 10:48:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.68 X-Spam-Level: X-Spam-Status: No, score=-0.68 tagged_above=-999 required=5 tests=[AWL=0.080, BAYES_05=-1.11, HELO_EQ_DE=0.35] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GgEBxBXbYI5h for ; Thu, 15 Oct 2009 10:48:11 -0700 (PDT) Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 5E1DF3A6816 for ; Thu, 15 Oct 2009 10:48:11 -0700 (PDT) Received: from localhost (demetrius2.jacobs-university.de [212.201.44.47]) by hermes.jacobs-university.de (Postfix) with ESMTP id 33779C0021 for ; Thu, 15 Oct 2009 19:48:14 +0200 (CEST) X-Virus-Scanned: amavisd-new at jacobs-university.de Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius2.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id q2gSwwL4IknK; Thu, 15 Oct 2009 19:48:13 +0200 (CEST) Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 98CE5C000C; Thu, 15 Oct 2009 19:48:13 +0200 (CEST) Received: by elstar.local (Postfix, from userid 501) id 21597D435F3; Thu, 15 Oct 2009 19:48:13 +0200 (CEST) Date: Thu, 15 Oct 2009 19:48:13 +0200 From: Juergen Schoenwaelder To: isms@ietf.org Message-ID: <20091015174813.GA29908@elstar.local> Mail-Followup-To: isms@ietf.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.20 (2009-06-14) Subject: [Isms] wg activity and upcoming meeting X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: Juergen Schoenwaelder List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Oct 2009 17:48:12 -0000 Hi, the WG has been pretty quiet the last few weeks. I think what we need is more review of the SNMP over [D]TLS document. So please, if you have some spare time, review this document and send your feedback. The RADIUS document is being worked on and I hope some new version pops up before the ID cutoff. We have a meeting slot allocated at the next IETF. I like to have discussion points clearly identified before the meeting, which hopefully is the last meeting before we can wrap up the [D]TLS transport and the RADIUS document. /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 From wjhns1@hardakers.net Thu Oct 15 11:00:41 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E6D528C118 for ; Thu, 15 Oct 2009 11:00:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DNjkwyynMr0f for ; Thu, 15 Oct 2009 11:00:40 -0700 (PDT) Received: from mail.hardakers.net (hardaker-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::af]) by core3.amsl.com (Postfix) with ESMTP id 2C8D328C13A for ; Thu, 15 Oct 2009 11:00:40 -0700 (PDT) Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id 160119830D for ; Thu, 15 Oct 2009 11:00:43 -0700 (PDT) From: Wes Hardaker To: isms@ietf.org Organization: Sparta References: <20091015174813.GA29908@elstar.local> Date: Thu, 15 Oct 2009 11:00:42 -0700 In-Reply-To: <20091015174813.GA29908@elstar.local> (Juergen Schoenwaelder's message of "Thu, 15 Oct 2009 19:48:13 +0200") Message-ID: User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: [Isms] Ismswg activity and upcoming meeting X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Oct 2009 18:00:41 -0000 >>>>> On Thu, 15 Oct 2009 19:48:13 +0200, Juergen Schoenwaelder said: JS> the WG has been pretty quiet the last few weeks. I think what we need JS> is more review of the SNMP over [D]TLS document. So please, if you JS> have some spare time, review this document and send your feedback. I'm actually a very very short time away from submitting an update. I've incorporated all the recent suggestions and have reviewed the entire body of text again. If you wait another few days before reviewing, I should have it published. Once published, I don't believe there will be any outstanding issues left and it'll be ready (IMHO) for WGLC. -- Wes Hardaker Cobham Analytic Solutions From root@core3.amsl.com Fri Oct 23 13:45:01 2009 Return-Path: X-Original-To: isms@ietf.org Delivered-To: isms@core3.amsl.com Received: by core3.amsl.com (Postfix, from userid 0) id 6E2DA3A6804; Fri, 23 Oct 2009 13:45:01 -0700 (PDT) From: Internet-Drafts@ietf.org To: i-d-announce@ietf.org Content-Type: Multipart/Mixed; Boundary="NextPart" Mime-Version: 1.0 Message-Id: <20091023204501.6E2DA3A6804@core3.amsl.com> Date: Fri, 23 Oct 2009 13:45:01 -0700 (PDT) Cc: isms@ietf.org Subject: [Isms] I-D Action:draft-ietf-isms-dtls-tm-01.txt X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Oct 2009 20:45:01 -0000 --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Integrated Security Model for SNMP Working Group of the IETF. Title : Transport Layer Security Transport Model for SNMP Author(s) : W. Hardaker Filename : draft-ietf-isms-dtls-tm-01.txt Pages : 67 Date : 2009-10-23 This document describes a Transport Model for the Simple Network Management Protocol (SNMP), that uses either the Transport Layer Security protocol or the Datagram Transport Layer Security (DTLS) protocol. The TLS and DTLS protocols provide authentication and privacy services for SNMP applications. This document describes how the TLS Transport Model (TLSTM) implements the needed features of a SNMP Transport Subsystem to make this protection possible in an interoperable way. This transport model is designed to meet the security and operational needs of network administrators. The TLS mode can make use of TCP's improved support for larger packet sizes and the DTLS mode provides potentially superior operation in environments where a connectionless (e.g. UDP or SCTP) transport is preferred. Both TLS and DTLS integrate well into existing public keying infrastructures. This document also defines a portion of the Management Information Base (MIB) for use with network management protocols. In particular it defines objects for managing the TLS Transport Model for SNMP. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-isms-dtls-tm-01.txt Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Message/External-body; name="draft-ietf-isms-dtls-tm-01.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2009-10-23133147.I-D@ietf.org> --NextPart-- From wjhns1@hardakers.net Tue Oct 27 16:03:57 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 33BF628C14B for ; Tue, 27 Oct 2009 16:03:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vDBC369Ecmbc for ; Tue, 27 Oct 2009 16:03:56 -0700 (PDT) Received: from mail.hardakers.net (hardaker-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::af]) by core3.amsl.com (Postfix) with ESMTP id 567C228C149 for ; Tue, 27 Oct 2009 16:03:56 -0700 (PDT) Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id 9016598248 for ; Tue, 27 Oct 2009 16:04:09 -0700 (PDT) From: Wes Hardaker To: isms@ietf.org Organization: Sparta Date: Tue, 27 Oct 2009 16:04:09 -0700 Message-ID: User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: [Isms] SNMP over (D)TLS draft available for review X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Oct 2009 23:03:57 -0000 As you probably saw from the official draft announcement, a new copy of the SNMP over (D)TLS draft is available from: http://tools.ietf.org/html/draft-ietf-isms-dtls-tm-01 A diff from the previous version can be found here: http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-isms-dtls-tm-01.txt The -01 version reflects all outstanding issues that I'm aware of. It would be good if WG participants could review the document and/or changes prior to the WG meeting in Hiroshima and list any issues you have with the draft so we can use the meeting time to discuss any of them that require a face-to-face meeting. -- Wes Hardaker Cobham Analytic Solutions From hamid.mukhtar@gmail.com Tue Oct 27 22:58:54 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D1D183A689C for ; Tue, 27 Oct 2009 22:58:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3-o-QBuilNa6 for ; Tue, 27 Oct 2009 22:58:53 -0700 (PDT) Received: from mail-pz0-f204.google.com (mail-pz0-f204.google.com [209.85.222.204]) by core3.amsl.com (Postfix) with ESMTP id DA5933A635F for ; Tue, 27 Oct 2009 22:58:53 -0700 (PDT) Received: by pzk42 with SMTP id 42so408847pzk.31 for ; Tue, 27 Oct 2009 22:59:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=7KA03fKJlNai0FpmV1PabBStjhZSpWZr3aPAvpSpjls=; b=wBx838hH1SJq3TUdFXzb9rZPmy1h12CKahnDsvZEQJHeKodniSa89htVrRs9ANzM3V ahSUVBkLjP2KS+Fj+EnzUs9BfwOzpnp1joH8ZZtf7k83iWjxFAffv7r29Ise/vTFMOMd rSf+SL8NTtnsURMpjEoCr2Uoe/ooKJ7OVi3VY= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=U8avSmuKUbKAOT43FSvRDe4UWdekr+H1IDOZymfD6CBGQ8xhx7wEcDEmBY4Z0Ur1Ez KkVeT5AfhUqxjK0Zijjj3baU3YNKb7XG0QV1VGhhcOsUt/jW5yhuNx32loOLYJ1UhsAV nMmSwkLATFUdjr8CTZLVkgDI6baRtisvX+CQg= MIME-Version: 1.0 Received: by 10.142.1.24 with SMTP id 24mr1332956wfa.73.1256709546141; Tue, 27 Oct 2009 22:59:06 -0700 (PDT) In-Reply-To: References: From: Hamid Mukhtar Date: Wed, 28 Oct 2009 14:58:51 +0900 Message-ID: To: Wes Hardaker Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: isms@ietf.org Subject: Re: [Isms] SNMP over (D)TLS draft available for review X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Oct 2009 05:58:55 -0000 Dear Wes, In section 3.1.2 its mentioned that > the NULL integrity and encryption algorithms MUST NOT be used to fulfil= l > security level requests for authentication or privacy. > Implementations MAY choose to force (D)TLS to only allow > cipher_suites that provide both authentication and privacy to > guarantee this assertion. IMO the requirement, as stated currently, may have to be changed to consider authentication-only cipher suites (with no encryption) [RFC4785]. On Wed, Oct 28, 2009 at 8:04 AM, Wes Hardaker wrote: > > As you probably saw from the official draft announcement, a new copy of > the SNMP over (D)TLS draft is available from: > > =A0http://tools.ietf.org/html/draft-ietf-isms-dtls-tm-01 > > A diff from the previous version can be found here: > > =A0http://tools.ietf.org/rfcdiff?difftype=3D--hwdiff&url2=3Ddraft-ietf-is= ms-dtls-tm-01.txt > > The -01 version reflects all outstanding issues that I'm aware of. =A0It > would be good if WG participants could review the document and/or > changes prior to the WG meeting in Hiroshima and list any issues you > have with the draft so we can use the meeting time to discuss any of > them that require a face-to-face meeting. > -- > Wes Hardaker > Cobham Analytic Solutions > _______________________________________________ > Isms mailing list > Isms@ietf.org > https://www.ietf.org/mailman/listinfo/isms > From wjhns1@hardakers.net Wed Oct 28 09:20:48 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 87AB128C20D for ; Wed, 28 Oct 2009 09:20:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BngC9ecU6JLp for ; Wed, 28 Oct 2009 09:20:47 -0700 (PDT) Received: from mail.hardakers.net (hardaker-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::af]) by core3.amsl.com (Postfix) with ESMTP id D9BA128C20A for ; Wed, 28 Oct 2009 09:20:43 -0700 (PDT) Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id 5ED74981F9; Wed, 28 Oct 2009 09:20:58 -0700 (PDT) From: Wes Hardaker To: Hamid Mukhtar Organization: Sparta References: Date: Wed, 28 Oct 2009 09:20:57 -0700 In-Reply-To: (Hamid Mukhtar's message of "Wed, 28 Oct 2009 14:58:51 +0900") Message-ID: User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: isms@ietf.org Subject: Re: [Isms] SNMP over (D)TLS draft available for review X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Oct 2009 16:20:48 -0000 >>>>> On Wed, 28 Oct 2009 14:58:51 +0900, Hamid Mukhtar said: >> the NULL integrity and encryption algorithms MUST NOT be used to fulfill >> security level requests for authentication or privacy. >> Implementations MAY choose to force (D)TLS to only allow >> cipher_suites that provide both authentication and privacy to >> guarantee this assertion. HM> IMO the requirement, as stated currently, may have to be changed to HM> consider authentication-only cipher suites (with no encryption) HM> [RFC4785]. First, thanks for reviewing the text. The intent of that text is to allow for the following combinations: | | noAuthNoPriv | authNoPriv | authPriv | | Authentication | NULL | something* | something | | Encryption | NULL | NULL | something | But to explicitly disallow: | | noAuthNoPriv | authNoPriv | authPriv | | Authentication | | NULL | NULL | | Encryption | | | NULL | So the text is not intended to prohibit what you're describing. Functionally what you want is the * above (in the allowed table), where the authentication algorithm is not NULL. The actual algorithm would be an authenticating encryption algorithm, but since it's doing authentication it's functionally acting "in that slot". So, I don't think the intent of the text needs to change but if the wording is unclear then the text should be updated to make it explicitly clear. -- Wes Hardaker Cobham Analytic Solutions From hamid.mukhtar@gmail.com Wed Oct 28 18:30:19 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5DBD53A67F5 for ; Wed, 28 Oct 2009 18:30:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kubb9hxlpBq3 for ; Wed, 28 Oct 2009 18:30:18 -0700 (PDT) Received: from mail-yx0-f192.google.com (mail-yx0-f192.google.com [209.85.210.192]) by core3.amsl.com (Postfix) with ESMTP id 3F8BA3A6359 for ; Wed, 28 Oct 2009 18:30:17 -0700 (PDT) Received: by yxe30 with SMTP id 30so1426498yxe.29 for ; Wed, 28 Oct 2009 18:30:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=6QXY51rWiFqECwdqEK7iX8iCOlwV6NzmYjay3Wv70U8=; b=CjCl/osMbNQpSPTuQDuo8MsHPcKAzgvJ64yec/Nvl757DTMEbwbLZr7LtRXMVBYVbh Eb3VIpFXzygfmaKZjumwBuKNgOMWlFVudqmwG+elzQ7aV3itXsr3t+IcgjBrXeRZ5MCP HquCscPu8/KOaBt7YkBiq5zPKYmdGdWbRFMeU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=f1QmKBoVp2B1KRUTgmcIU+QMiDriasTs7z8Jm5evoBFnh6DqX3Eu8Z6z8s/sL3b6mR uyCNCEbX/ZQxq3VnMgpEsq0t/XDfRu28IO4aHAYRfOfn89soxGhWULa4R4E421PLyTGm 44wLgD/5XeLbyrrtVV7oISxGBfiGSasYfkjck= MIME-Version: 1.0 Received: by 10.101.190.32 with SMTP id s32mr727877anp.47.1256779827580; Wed, 28 Oct 2009 18:30:27 -0700 (PDT) In-Reply-To: References: From: Hamid Mukhtar Date: Thu, 29 Oct 2009 10:30:12 +0900 Message-ID: To: Wes Hardaker Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: isms@ietf.org Subject: Re: [Isms] SNMP over (D)TLS draft available for review X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Oct 2009 01:30:19 -0000 On Thu, Oct 29, 2009 at 1:20 AM, Wes Hardaker wrote: >>>>>> On Wed, 28 Oct 2009 14:58:51 +0900, Hamid Mukhtar said: > >>> the NULL integrity and encryption algorithms MUST NOT be used to fulfil= l >>> security level requests for authentication or privacy. >>> Implementations MAY choose to force (D)TLS to only allow >>> cipher_suites that provide both authentication and privacy to >>> guarantee this assertion. > > HM> IMO the requirement, as stated currently, may have to be changed to > HM> consider authentication-only cipher suites (with no encryption) > HM> [RFC4785]. > > First, thanks for reviewing the text. > > The intent of that text is to allow for the following combinations: > > =A0 | =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0| noAuthNoPriv | authNoPriv | authPr= iv =A0| > =A0 | Authentication | NULL =A0 =A0 =A0 =A0 | something* | something | > =A0 | Encryption =A0 =A0 | NULL =A0 =A0 =A0 =A0 | NULL =A0 =A0 =A0 | some= thing | > > But to explicitly disallow: > > =A0 | =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0| noAuthNoPriv | authNoPriv | authPr= iv | > =A0 | Authentication | =A0 =A0 =A0 =A0 =A0 =A0 =A0| NULL =A0 =A0 =A0 | NU= LL =A0 =A0 | > =A0 | Encryption =A0 =A0 | =A0 =A0 =A0 =A0 =A0 =A0 =A0| =A0 =A0 =A0 =A0 = =A0 =A0| NULL =A0 =A0 | > > So the text is not intended to prohibit what you're describing. > Functionally what you want is the * above (in the allowed table), where > the authentication algorithm is not NULL. =A0The actual algorithm would > be an authenticating encryption algorithm, but since it's doing > authentication it's functionally acting "in that slot". > > So, I don't think the intent of the text needs to change but if the > wording is unclear then the text should be updated to make it explicitly > clear. Yes, the wording might cause confusion. I think its better to be more expli= cit. > -- > Wes Hardaker > Cobham Analytic Solutions > From j.schoenwaelder@jacobs-university.de Thu Oct 29 01:50:30 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 330843A68CE for ; Thu, 29 Oct 2009 01:50:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.785 X-Spam-Level: X-Spam-Status: No, score=-1.785 tagged_above=-999 required=5 tests=[AWL=0.464, BAYES_00=-2.599, HELO_EQ_DE=0.35] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id meXVqH6119mi for ; Thu, 29 Oct 2009 01:50:29 -0700 (PDT) Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 2E5203A68FC for ; Thu, 29 Oct 2009 01:50:29 -0700 (PDT) Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id B78B2C000D for ; Thu, 29 Oct 2009 09:50:44 +0100 (CET) X-Virus-Scanned: amavisd-new at jacobs-university.de Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id JTLV2423-MoK; Thu, 29 Oct 2009 09:50:44 +0100 (CET) Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 1E0FBC000B; Thu, 29 Oct 2009 09:50:44 +0100 (CET) Received: by elstar.local (Postfix, from userid 501) id ECB6ED5D358; Thu, 29 Oct 2009 09:50:42 +0100 (CET) Date: Thu, 29 Oct 2009 09:50:42 +0100 From: Juergen Schoenwaelder To: isms@ietf.org Message-ID: <20091029085042.GB20029@elstar.local> Mail-Followup-To: isms@ietf.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.20 (2009-06-14) Subject: [Isms] radius vacm integration editing volunteer needed X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: Juergen Schoenwaelder List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Oct 2009 08:50:30 -0000 Hi, the two editors of the chartered RADIUS / VACM integration document (Kaushik Narayan, David Nelson) are looking for help. Ideally, we would find a volunteer who is familiar with the SNMP architecture and terminology and who is able to allocate some time to this document in the next few weeks so that we can meet the chartered milestone to deliver this document in January. Please consider helping us in finalizing this document and volunteer by send an email to the WG chairs. /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 From j.schoenwaelder@jacobs-university.de Thu Oct 29 04:12:18 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ED1473A67AF for ; Thu, 29 Oct 2009 04:12:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.8 X-Spam-Level: X-Spam-Status: No, score=-1.8 tagged_above=-999 required=5 tests=[AWL=0.449, BAYES_00=-2.599, HELO_EQ_DE=0.35] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ac07l7yvwTTQ for ; Thu, 29 Oct 2009 04:12:18 -0700 (PDT) Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 1001E3A6869 for ; Thu, 29 Oct 2009 04:12:18 -0700 (PDT) Received: from localhost (demetrius4.jacobs-university.de [212.201.44.49]) by hermes.jacobs-university.de (Postfix) with ESMTP id D90C7C000D for ; Thu, 29 Oct 2009 12:12:33 +0100 (CET) X-Virus-Scanned: amavisd-new at jacobs-university.de Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius4.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id n+Qq1zN3QilC; Thu, 29 Oct 2009 12:12:30 +0100 (CET) Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id BE95EC000B; Thu, 29 Oct 2009 12:12:30 +0100 (CET) Received: by elstar.local (Postfix, from userid 501) id DD52DD5D6B0; Thu, 29 Oct 2009 12:12:29 +0100 (CET) Date: Thu, 29 Oct 2009 12:12:29 +0100 From: Juergen Schoenwaelder To: isms@ietf.org Message-ID: <20091029111229.GA20307@elstar.local> Mail-Followup-To: isms@ietf.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.20 (2009-06-14) Subject: [Isms] wg last call on the (d)tls transport model X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: Juergen Schoenwaelder List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Oct 2009 11:12:19 -0000 This message starts the working group last call on the following document: Transport Layer Security Transport Model for SNMP Since the next IETF meeting is coming up, the last call period is not two weeks as usual, but extends until the the end of the IETF week. I like to encourage people to review this documents _before_ the ISMS meeting in Hiroshima (currently scheduled for Tuesday November 10th) so that the WG meeting time can be used to resolve any issues that might come up during document review. Please do review the documents and post your comments on this list until November 14, 2009. Please also post to the list if you have read the documents and you are fine with them. It is very useful to know how many people have read the documents. /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 From j.schoenwaelder@jacobs-university.de Thu Oct 29 04:18:52 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 79E063A68A0 for ; Thu, 29 Oct 2009 04:18:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.814 X-Spam-Level: X-Spam-Status: No, score=-1.814 tagged_above=-999 required=5 tests=[AWL=0.435, BAYES_00=-2.599, HELO_EQ_DE=0.35] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WyN0l782THBy for ; Thu, 29 Oct 2009 04:18:51 -0700 (PDT) Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 3813E3A6869 for ; Thu, 29 Oct 2009 04:18:51 -0700 (PDT) Received: from localhost (demetrius4.jacobs-university.de [212.201.44.49]) by hermes.jacobs-university.de (Postfix) with ESMTP id 0F096C0031 for ; Thu, 29 Oct 2009 12:19:07 +0100 (CET) X-Virus-Scanned: amavisd-new at jacobs-university.de Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius4.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id QYi8WPyY0mfV; Thu, 29 Oct 2009 12:19:04 +0100 (CET) Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 963A7C0030; Thu, 29 Oct 2009 12:19:03 +0100 (CET) Received: by elstar.local (Postfix, from userid 501) id C4C77D5D707; Thu, 29 Oct 2009 12:19:02 +0100 (CET) Date: Thu, 29 Oct 2009 12:19:02 +0100 From: Juergen Schoenwaelder To: isms@ietf.org Message-ID: <20091029111902.GB20307@elstar.local> Mail-Followup-To: isms@ietf.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.20 (2009-06-14) Subject: [Isms] tlstm last call comments from js X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: Juergen Schoenwaelder List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Oct 2009 11:18:52 -0000 Hi, I have reviewed the tlstm document and even though I have compiled a relatively long list of issues and editorial nits, I believe the document is in good shape and none of the issues I identified seem to be difficult to address. Technical comments: a) In Appendix C, you use the RowStatus value createAndGo, which however is a transient value for creating rows. I suggest to use active instead, like in Appendix A of RFC 3414. b) I found section 4.1 somewhat difficult to follow. It is not very clear what maps what to what. Perhaps a picture helps showing the mapping from the certification via tlstmCertToSNTable to a tmSecurityName and then via TSM to a securityName? c) Is 4.5.1 needed as a subsection? It is just one sentence (well if the final missing to would be there ;-) d) Is tlsRead() and tlsWrite() really needed? Implementation wise I understand tlsRead(), architecturally it may look odd. I know, you read something from a socket, you pass it through (D)TLS and then you deal with the content. But architecturally, you just get an SNMP message out of (D)TLS, no? tlsWrite is also not referenced in any other place. Is all this just there because DTLS/UDP lacks proper multiplexing support? See also below... e) What does "consistently deterministic" in 5.1.1 mean? f) In section 5.1.1 step (1), how can I know if a UDP message is a DTLS message or not? And how do I establish new session state if I throw away all messages that are not (D)TLS (should this be DTLS?) Application Data messages? It seems that the multiplexing generally needs to happen for all received UDP datagrams and all this happens below the TLSTM layer: ... -> | UDP | -> | DEMUX | -> | DTLS | -> | TLSTM | -> ... If I am right, then I think we should factor this multiplexing out of the TLSTM elements of procedure and discuss it in some separate section. (How does DTLS for SYSLOG deal with this? Is this not a rather general issue to be fixed in a generic way?) g) The last paragraph in 5.3 says that there is no way to indicate server certificate selection. Is there work underway to eventually fix this in (D)TLS? h) There is no explicit text talking about clearing (and setting up) multiplexing state. But I guess this needs to be discussed where multiplexing is discussed and this likely requires some timer to do something equivalent as TCP's TIME_WAIT. i) The first sentence in 6.2 can probably be removed. j) Why "public" in "Public certificate fingerprint"? The TC likely does not control what is public or non-public. k) Condense the text in 6.5 (do not repeat twice that the MIB is for TLSTM - this has already been said). I also find "is likely ... will implement" a bit too vague of a language since some of the MIB objects really depend on the other modules to be implemented. l) The LAST-UPDATED and REVISION timestamps are likely wrong. Also note that there is again a shorter copyright notice that can be used. m) The message size requirement in snmpDTLSUDPDomain may be difficult to meet on generic platforms. (How shall I prepare for an unknown interface on a Linux box?) n) There is text in the DESCRIPTION of SnmpTLSAddress talking about TransportAddress, TransportAddressType, TransportDomain and this seems to be a cut'n'paste error. (This text is in all *Address TC definitions and need to be fixed in all instances.) o) The phrases "UDP connection address" and "TCP connection address" and "SCTP connection address" sound strange, especially since UDP does not have a notion of a connection. I suggest to talk about endpoints instead. p) I do not understand the REFERENCEs for Fingerprint. Looks like another cut'n'paste error. q) Exclude 0 from the tlstmCertToSNID? This is usually useful so that a special value exists for reference purposes. r) The last sentence in the DESCRIPTION of tlstmParamsEntry should be rewritten to make it clear that it only applies to targets that use certificates (as written now, this is not clear cut). s) Lifecycle of tlstmParamsEntry: It seems I can create an entry while there is no target entry yet. But then, when I delete a target, the tlstmParamsEntry goes away. I find this inconsistent. t) It would be nice to have the elements of procedure spell out when the two notifications are generated. u) I am confused by section 9.2. I think both SNMPv1 and SNMPv2c MPs actually use the community-based security model. Is there really a "SNMPv2c(2) Security Model"? Editorial nits: s/Jurgen Schonwalder/Juergen Schoenwaelder/ s/value is a value that needs derive/value is a value derived/ s/tmSecurityNome/tmSecurityName/ s/Appendix C/Appendix C./ s/establishing a new sessions/establishing new sessions/ s/statical counters/counters/ s/is are/are/ s/US-US-ASCII/US-ASCII/ s/tlstmCertToSNecurityName/tlstmCertToSNSecurityName/ s/points to an usable/points to an unusable/ s/TRAPS and INFORMS/notifications/ s/RFC3484/RFC3584/ /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 From adonati@motorola.com Thu Oct 29 06:41:30 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DBE823A6964 for ; Thu, 29 Oct 2009 06:41:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nUpp-cQ1M4Ry for ; Thu, 29 Oct 2009 06:41:29 -0700 (PDT) Received: from mail119.messagelabs.com (mail119.messagelabs.com [216.82.241.195]) by core3.amsl.com (Postfix) with ESMTP id 1F0D53A68B3 for ; Thu, 29 Oct 2009 06:41:28 -0700 (PDT) X-VirusChecked: Checked X-Env-Sender: adonati@motorola.com X-Msg-Ref: server-11.tower-119.messagelabs.com!1256823696!36072007!1 X-StarScan-Version: 6.1.3; banners=-,-,- X-Originating-IP: [136.182.1.14] Received: (qmail 2327 invoked from network); 29 Oct 2009 13:41:36 -0000 Received: from motgate4.mot.com (HELO motgate4.mot.com) (136.182.1.14) by server-11.tower-119.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 29 Oct 2009 13:41:36 -0000 Received: from il27exr04.cig.mot.com (il27exr04.mot.com [10.17.196.73]) by motgate4.mot.com (8.14.3/8.14.3) with ESMTP id n9TDfZl3017845 for ; Thu, 29 Oct 2009 06:41:35 -0700 (MST) Received: from az10vts04.mot.com (il27vts04.cig.mot.com [10.17.196.88]) by il27exr04.cig.mot.com (8.13.1/Vontu) with SMTP id n9TDfZnj008681 for ; Thu, 29 Oct 2009 08:41:35 -0500 (CDT) Received: from de01exm63.ds.mot.com (de01exm63.am.mot.com [10.176.8.108]) by il27exr04.cig.mot.com (8.13.1/8.13.0) with ESMTP id n9TDfUQr008597 for ; Thu, 29 Oct 2009 08:41:35 -0500 (CDT) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Thu, 29 Oct 2009 09:41:08 -0400 Message-ID: In-Reply-To: <20091029111902.GB20307@elstar.local> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [Isms] tlstm last call comments from js Thread-Index: AcpYiaeFbDxa0JCDQIaUy8B8YtGDMAAEM+GA References: <20091029111902.GB20307@elstar.local> From: "Donati Andrew-MGIA0477" To: "Juergen Schoenwaelder" , X-CFilter-Loop: Reflected Subject: Re: [Isms] tlstm last call comments from js X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Oct 2009 13:41:30 -0000 =20 > a) In Appendix C, you use the RowStatus value createAndGo, which > however is a transient value for creating rows. I suggest to use > active instead, like in Appendix A of RFC 3414. Appendix C appears to show how to configure or, using the software term, how to "instantiate" the entries. =20 If 'active' is used for RowStatus in these examples, the following sentence will also need to change; Below shows an illustration of how it may change if 'active' is used:=20 Otherwise, if 'createAndGo' is used, all of the examples in Appendix C may have to explicitly indicate that they are showing how to configure the entries by pointing out that the illustrations are showing a SET request, as indicated in the first of the three examples. - Andy -----Original Message----- From: isms-bounces@ietf.org [mailto:isms-bounces@ietf.org] On Behalf Of Juergen Schoenwaelder Sent: Thursday, October 29, 2009 7:19 AM To: isms@ietf.org Subject: [Isms] tlstm last call comments from js Hi, I have reviewed the tlstm document and even though I have compiled a relatively long list of issues and editorial nits, I believe the document is in good shape and none of the issues I identified seem to be difficult to address. Technical comments: a) In Appendix C, you use the RowStatus value createAndGo, which however is a transient value for creating rows. I suggest to use active instead, like in Appendix A of RFC 3414. b) I found section 4.1 somewhat difficult to follow. It is not very clear what maps what to what. Perhaps a picture helps showing the mapping from the certification via tlstmCertToSNTable to a tmSecurityName and then via TSM to a securityName? c) Is 4.5.1 needed as a subsection? It is just one sentence (well if the final missing to would be there ;-) d) Is tlsRead() and tlsWrite() really needed? Implementation wise I understand tlsRead(), architecturally it may look odd. I know, you read something from a socket, you pass it through (D)TLS and then you deal with the content. But architecturally, you just get an SNMP message out of (D)TLS, no? tlsWrite is also not referenced in any other place. Is all this just there because DTLS/UDP lacks proper multiplexing support? See also below... e) What does "consistently deterministic" in 5.1.1 mean? f) In section 5.1.1 step (1), how can I know if a UDP message is a DTLS message or not? And how do I establish new session state if I throw away all messages that are not (D)TLS (should this be DTLS?) Application Data messages? It seems that the multiplexing generally needs to happen for all received UDP datagrams and all this happens below the TLSTM layer: ... -> | UDP | -> | DEMUX | -> | DTLS | -> | TLSTM | -> ... If I am right, then I think we should factor this multiplexing out of the TLSTM elements of procedure and discuss it in some separate section. (How does DTLS for SYSLOG deal with this? Is this not a rather general issue to be fixed in a generic way?) g) The last paragraph in 5.3 says that there is no way to indicate server certificate selection. Is there work underway to eventually fix this in (D)TLS? h) There is no explicit text talking about clearing (and setting up) multiplexing state. But I guess this needs to be discussed where multiplexing is discussed and this likely requires some timer to do something equivalent as TCP's TIME_WAIT. i) The first sentence in 6.2 can probably be removed. j) Why "public" in "Public certificate fingerprint"? The TC likely does not control what is public or non-public. k) Condense the text in 6.5 (do not repeat twice that the MIB is for TLSTM - this has already been said). I also find "is likely ... will implement" a bit too vague of a language since some of the MIB objects really depend on the other modules to be implemented. l) The LAST-UPDATED and REVISION timestamps are likely wrong. Also note that there is again a shorter copyright notice that can be used. m) The message size requirement in snmpDTLSUDPDomain may be difficult to meet on generic platforms. (How shall I prepare for an unknown interface on a Linux box?) n) There is text in the DESCRIPTION of SnmpTLSAddress talking about TransportAddress, TransportAddressType, TransportDomain and this seems to be a cut'n'paste error. (This text is in all *Address TC definitions and need to be fixed in all instances.) o) The phrases "UDP connection address" and "TCP connection address" and "SCTP connection address" sound strange, especially since UDP does not have a notion of a connection. I suggest to talk about endpoints instead. p) I do not understand the REFERENCEs for Fingerprint. Looks like another cut'n'paste error. q) Exclude 0 from the tlstmCertToSNID? This is usually useful so that a special value exists for reference purposes. r) The last sentence in the DESCRIPTION of tlstmParamsEntry should be rewritten to make it clear that it only applies to targets that use certificates (as written now, this is not clear cut). s) Lifecycle of tlstmParamsEntry: It seems I can create an entry while there is no target entry yet. But then, when I delete a target, the tlstmParamsEntry goes away. I find this inconsistent. t) It would be nice to have the elements of procedure spell out when the two notifications are generated. u) I am confused by section 9.2. I think both SNMPv1 and SNMPv2c MPs actually use the community-based security model. Is there really a "SNMPv2c(2) Security Model"? Editorial nits: s/Jurgen Schonwalder/Juergen Schoenwaelder/ s/value is a value that needs derive/value is a value derived/ s/tmSecurityNome/tmSecurityName/ s/Appendix C/Appendix C./ s/establishing a new sessions/establishing new sessions/ s/statical counters/counters/ s/is are/are/ s/US-US-ASCII/US-ASCII/ s/tlstmCertToSNecurityName/tlstmCertToSNSecurityName/ s/points to an usable/points to an unusable/ s/TRAPS and INFORMS/notifications/ s/RFC3484/RFC3584/ /js --=20 Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 _______________________________________________ Isms mailing list Isms@ietf.org https://www.ietf.org/mailman/listinfo/isms From wjhns1@hardakers.net Thu Oct 29 08:07:20 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EC97E3A6828 for ; Thu, 29 Oct 2009 08:07:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pCrEzjdNYFK3 for ; Thu, 29 Oct 2009 08:07:20 -0700 (PDT) Received: from mail.hardakers.net (hardaker-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::af]) by core3.amsl.com (Postfix) with ESMTP id 2AF7E3A6807 for ; Thu, 29 Oct 2009 08:07:20 -0700 (PDT) Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id 29E0198099; Thu, 29 Oct 2009 08:07:35 -0700 (PDT) From: Wes Hardaker To: Hamid Mukhtar Organization: Sparta References: Date: Thu, 29 Oct 2009 08:07:34 -0700 In-Reply-To: (Hamid Mukhtar's message of "Thu, 29 Oct 2009 10:30:12 +0900") Message-ID: User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: isms@ietf.org Subject: Re: [Isms] SNMP over (D)TLS draft available for review X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Oct 2009 15:07:21 -0000 >>>>> On Thu, 29 Oct 2009 10:30:12 +0900, Hamid Mukhtar said: HM> Yes, the wording might cause confusion. I think its better to be HM> more explicit. I'll look at rewording the text. Thanks for the comments about it. -- Wes Hardaker Cobham Analytic Solutions From wjhns1@hardakers.net Thu Oct 29 15:34:38 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E30BF3A6A6A for ; Thu, 29 Oct 2009 15:34:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id afRAqNM930o3 for ; Thu, 29 Oct 2009 15:34:38 -0700 (PDT) Received: from mail.hardakers.net (hardaker-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::af]) by core3.amsl.com (Postfix) with ESMTP id 11E163A6A3E for ; Thu, 29 Oct 2009 15:34:38 -0700 (PDT) Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id 9F2E79832B for ; Thu, 29 Oct 2009 15:34:53 -0700 (PDT) From: Wes Hardaker To: isms@ietf.org Organization: Sparta References: <20091029111902.GB20307@elstar.local> Date: Thu, 29 Oct 2009 15:34:53 -0700 In-Reply-To: <20091029111902.GB20307@elstar.local> (Juergen Schoenwaelder's message of "Thu, 29 Oct 2009 12:19:02 +0100") Message-ID: User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: [Isms] Ismstlstm last call comments from js X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Oct 2009 22:34:39 -0000 >>>>> On Thu, 29 Oct 2009 12:19:02 +0100, Juergen Schoenwaelder said: JS> I have reviewed the tlstm document and even though I have compiled a JS> relatively long list of issues and editorial nits, I believe the JS> document is in good shape and none of the issues I identified seem JS> to be difficult to address. Thanks for the review and the list of nits. I'll look over those in the next few weeks, but glancing through them quickly I agree they look easy to address. One immediate comment: JS> s/Jurgen Schonwalder/Juergen Schoenwaelder/ Way back when, before my Emacs installation was UTF-8 compliant you ended up in my address book with that misspelling when the accented characters got dropped during some conversion process (and I just now realized this). I'm in shock that I've just now noticed that your record in my address book was incorrect (which is where I did a copy from). Thanks for pointing this out to me and accept my apologies for taking so long to notice (especially since I've been spelling it correctly by hand correctly for a long time). -- Wes Hardaker Cobham Analytic Solutions From adonati@motorola.com Fri Oct 30 07:01:21 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DDD443A68DA for ; Fri, 30 Oct 2009 07:01:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1siPs2sO8YN9 for ; Fri, 30 Oct 2009 07:01:21 -0700 (PDT) Received: from mail55.messagelabs.com (mail55.messagelabs.com [216.82.241.163]) by core3.amsl.com (Postfix) with ESMTP id DAE593A67DB for ; Fri, 30 Oct 2009 07:01:20 -0700 (PDT) X-VirusChecked: Checked X-Env-Sender: adonati@motorola.com X-Msg-Ref: server-15.tower-55.messagelabs.com!1256911288!93330980!1 X-StarScan-Version: 6.1.3; banners=-,-,- X-Originating-IP: [136.182.1.15] Received: (qmail 25054 invoked from network); 30 Oct 2009 14:01:29 -0000 Received: from motgate5.mot.com (HELO motgate5.mot.com) (136.182.1.15) by server-15.tower-55.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 30 Oct 2009 14:01:29 -0000 Received: from il27exr04.cig.mot.com ([10.17.196.73]) by motgate5.mot.com (8.14.3/8.14.3) with ESMTP id n9UE1SY3012272 for ; Fri, 30 Oct 2009 07:01:28 -0700 (MST) Received: from il27vts03 (il27vts03.cig.mot.com [10.17.196.87]) by il27exr04.cig.mot.com (8.13.1/Vontu) with SMTP id n9UE1RGP002513 for ; Fri, 30 Oct 2009 09:01:27 -0500 (CDT) Received: from de01exm63.ds.mot.com (de01exm63.am.mot.com [10.176.8.108]) by il27exr04.cig.mot.com (8.13.1/8.13.0) with ESMTP id n9UE1R4j002490 for ; Fri, 30 Oct 2009 09:01:27 -0500 (CDT) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Fri, 30 Oct 2009 10:01:05 -0400 Message-ID: In-Reply-To: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [Isms] SNMP over (D)TLS draft available for review - Group compliance statements for notifications Thread-Index: AcpXWdMOMCTu5lDeT6WBAj4rdpFefQB+PHmQ References: From: "Donati Andrew-MGIA0477" To: "Wes Hardaker" , X-CFilter-Loop: Reflected Subject: Re: [Isms] SNMP over (D)TLS draft available for review - Group compliance statements for notifications X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2009 14:01:22 -0000 Wes, The tlstmCompliance module is not listing each group with a compliance description and was wondering if the implementation of notifications are optional or mandatory. - Andy Donati -----Original Message----- From: isms-bounces@ietf.org [mailto:isms-bounces@ietf.org] On Behalf Of Wes Hardaker Sent: Tuesday, October 27, 2009 7:04 PM To: isms@ietf.org Subject: [Isms] SNMP over (D)TLS draft available for review As you probably saw from the official draft announcement, a new copy of the SNMP over (D)TLS draft is available from: http://tools.ietf.org/html/draft-ietf-isms-dtls-tm-01 A diff from the previous version can be found here: =20 http://tools.ietf.org/rfcdiff?difftype=3D--hwdiff&url2=3Ddraft-ietf-isms-= dtl s-tm-01.txt The -01 version reflects all outstanding issues that I'm aware of. It would be good if WG participants could review the document and/or changes prior to the WG meeting in Hiroshima and list any issues you have with the draft so we can use the meeting time to discuss any of them that require a face-to-face meeting. -- Wes Hardaker Cobham Analytic Solutions _______________________________________________ Isms mailing list Isms@ietf.org https://www.ietf.org/mailman/listinfo/isms From wjhns1@hardakers.net Fri Oct 30 07:44:37 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6CCA13A6A55 for ; Fri, 30 Oct 2009 07:44:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eQMQsH-SVuie for ; Fri, 30 Oct 2009 07:44:36 -0700 (PDT) Received: from mail.hardakers.net (hardaker-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::af]) by core3.amsl.com (Postfix) with ESMTP id 7FA1D3A69B9 for ; Fri, 30 Oct 2009 07:44:36 -0700 (PDT) Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id 4A3F5984CE; Fri, 30 Oct 2009 07:44:53 -0700 (PDT) From: Wes Hardaker To: "Donati Andrew-MGIA0477" Organization: Sparta References: Date: Fri, 30 Oct 2009 07:44:52 -0700 In-Reply-To: (Donati Andrew-MGIA's message of "Fri, 30 Oct 2009 10:01:05 -0400") Message-ID: User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: isms@ietf.org Subject: Re: [Isms] SNMP over (D)TLS draft available for review - Group compliance statements for notifications X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2009 14:44:37 -0000 >>>>> On Fri, 30 Oct 2009 10:01:05 -0400, "Donati Andrew-MGIA0477" said: DA> The tlstmCompliance module is not listing each group with a compliance DA> description and was wondering if the implementation of notifications are DA> optional or mandatory. The 4th mandatory group of the the "tlstmComlpiance" object is "tlstmNotificationGroup" which contains the "tlstmServerCertNotFound" and "tlstmServerAuthFailure" notification definitions, which are the only two defined NOTIFICATION-TYPEs. So they're definitely listed. Or are you indicating that there is no surrounding human-readable text describing the requirements? -- Wes Hardaker Cobham Analytic Solutions From adonati@motorola.com Fri Oct 30 08:18:53 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 100573A6A8C for ; Fri, 30 Oct 2009 08:18:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hScdI4swC2ju for ; Fri, 30 Oct 2009 08:18:52 -0700 (PDT) Received: from mail119.messagelabs.com (mail119.messagelabs.com [216.82.241.195]) by core3.amsl.com (Postfix) with ESMTP id 11F4A3A6974 for ; Fri, 30 Oct 2009 08:18:51 -0700 (PDT) X-VirusChecked: Checked X-Env-Sender: adonati@motorola.com X-Msg-Ref: server-4.tower-119.messagelabs.com!1256915948!38667758!1 X-StarScan-Version: 6.1.3; banners=-,-,- X-Originating-IP: [129.188.136.8] Received: (qmail 25533 invoked from network); 30 Oct 2009 15:19:08 -0000 Received: from motgate8.mot.com (HELO motgate8.mot.com) (129.188.136.8) by server-4.tower-119.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 30 Oct 2009 15:19:08 -0000 Received: from il06exr04.mot.com (il06exr04.mot.com [129.188.137.134]) by motgate8.mot.com (8.14.3/8.14.3) with ESMTP id n9UFJ5La015743 for ; Fri, 30 Oct 2009 08:19:07 -0700 (MST) Received: from il06vts04.mot.com (il06vts04.mot.com [129.188.137.144]) by il06exr04.mot.com (8.13.1/Vontu) with SMTP id n9UFJ5v8003379 for ; Fri, 30 Oct 2009 10:19:05 -0500 (CDT) Received: from de01exm63.ds.mot.com (de01exm63.am.mot.com [10.176.8.108]) by il06exr04.mot.com (8.13.1/8.13.0) with ESMTP id n9UFJ5TX003372 for ; Fri, 30 Oct 2009 10:19:05 -0500 (CDT) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Fri, 30 Oct 2009 11:18:43 -0400 Message-ID: In-Reply-To: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: SNMP over (D)TLS draft available for review - Group compliance statements for notifications Thread-Index: AcpZb4y17EHdJMIXTIONP1F8WPys9gAAQs+A References: From: "Donati Andrew-MGIA0477" To: "Wes Hardaker" X-CFilter-Loop: Reflected Cc: isms@ietf.org Subject: Re: [Isms] SNMP over (D)TLS draft available for review - Group compliance statements for notifications X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2009 15:18:53 -0000 =20 -----Original Message----- From: Wes Hardaker [mailto:wjhns1@hardakers.net]=20 Sent: Friday, October 30, 2009 10:45 AM To: Donati Andrew-MGIA0477 Cc: Wes Hardaker; isms@ietf.org Subject: Re: SNMP over (D)TLS draft available for review - Group compliance statements for notifications >>>>> On Fri, 30 Oct 2009 10:01:05 -0400, "Donati Andrew-MGIA0477" said: DA> The tlstmCompliance module is not listing each group with a=20 DA> compliance description and was wondering if the implementation of=20 DA> notifications are optional or mandatory. The 4th mandatory group of the the "tlstmComlpiance" object is "tlstmNotificationGroup" which contains the "tlstmServerCertNotFound" and "tlstmServerAuthFailure" notification definitions, which are the only two defined NOTIFICATION-TYPEs. So they're definitely listed. Or are you indicating that there is no surrounding human-readable text describing the requirements? -- Wes Hardaker Cobham Analytic Solutions =20 WH> Or are you indicating that there is no surrounding human-readable text describing the requirements? Yes. They are indeed listed in the in the 'MANDATORY-GROUPs' clause, but was looking for additional 'GROUP' and 'DESCRIPTION' clauses for each group. The 'DESCRIPTION' clause can contain information on whether or not the group is mandatory or optional to implement, as illustrated in rfc2580. When the discussion began on adding tlstm notifications, there may have been some consideration of not making implementers use them if they did not have a need for it and was wondering what the final decision was. - Andy =20 From ietfdbh@comcast.net Fri Oct 30 08:49:33 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 73ED03A696E for ; Fri, 30 Oct 2009 08:49:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.317 X-Spam-Level: X-Spam-Status: No, score=-2.317 tagged_above=-999 required=5 tests=[AWL=0.282, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q2uDqexg9Bzw for ; Fri, 30 Oct 2009 08:49:32 -0700 (PDT) Received: from QMTA11.westchester.pa.mail.comcast.net (qmta11.westchester.pa.mail.comcast.net [76.96.59.211]) by core3.amsl.com (Postfix) with ESMTP id 9224828C0FC for ; Fri, 30 Oct 2009 08:49:25 -0700 (PDT) Received: from OMTA21.westchester.pa.mail.comcast.net ([76.96.62.72]) by QMTA11.westchester.pa.mail.comcast.net with comcast id yzto1c00C1ZXKqc5B3pjFn; Fri, 30 Oct 2009 15:49:43 +0000 Received: from Harrington73653 ([24.147.240.98]) by OMTA21.westchester.pa.mail.comcast.net with comcast id z3wc1c004284sdk3h3wc7R; Fri, 30 Oct 2009 15:56:36 +0000 From: "David Harrington" To: "'Donati Andrew-MGIA0477'" , "'Wes Hardaker'" References: Date: Fri, 30 Oct 2009 11:49:42 -0400 Message-ID: <0ded01ca5978$98ae2e60$0600a8c0@china.huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 Thread-Index: AcpZb4y17EHdJMIXTIONP1F8WPys9gAAQs+AAAH7MzA= Cc: isms@ietf.org Subject: Re: [Isms] SNMP over (D)TLS draft available for review - Groupcompliance statements for notifications X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2009 15:49:33 -0000 I think it makes sense to mandate them in implmentations, so they are available if an operator wants to use them. dbh > -----Original Message----- > From: isms-bounces@ietf.org [mailto:isms-bounces@ietf.org] On > Behalf Of Donati Andrew-MGIA0477 > Sent: Friday, October 30, 2009 11:19 AM > To: Wes Hardaker > Cc: isms@ietf.org > Subject: Re: [Isms] SNMP over (D)TLS draft available for > review - Groupcompliance statements for notifications > > > > -----Original Message----- > From: Wes Hardaker [mailto:wjhns1@hardakers.net] > Sent: Friday, October 30, 2009 10:45 AM > To: Donati Andrew-MGIA0477 > Cc: Wes Hardaker; isms@ietf.org > Subject: Re: SNMP over (D)TLS draft available for review - Group > compliance statements for notifications > > >>>>> On Fri, 30 Oct 2009 10:01:05 -0400, "Donati Andrew-MGIA0477" > said: > > DA> The tlstmCompliance module is not listing each group with a > DA> compliance description and was wondering if the implementation of > DA> notifications are optional or mandatory. > > The 4th mandatory group of the the "tlstmComlpiance" object is > "tlstmNotificationGroup" which contains the "tlstmServerCertNotFound" > and "tlstmServerAuthFailure" notification definitions, which are the > only two defined NOTIFICATION-TYPEs. So they're definitely > listed. Or > are you indicating that there is no surrounding human-readable text > describing the requirements? > -- > Wes Hardaker > Cobham Analytic Solutions > > > WH> Or are you indicating that there is no surrounding human-readable > text describing the requirements? > > Yes. They are indeed listed in the in the 'MANDATORY-GROUPs' clause, > but was looking for additional 'GROUP' and 'DESCRIPTION' clauses for > each group. The 'DESCRIPTION' clause can contain information > on whether > or not the group is mandatory or optional to implement, as illustrated > in rfc2580. When the discussion began on adding tlstm notifications, > there may have been some consideration of not making implementers use > them if they did not have a need for it and was wondering > what the final > decision was. > > - Andy > _______________________________________________ > Isms mailing list > Isms@ietf.org > https://www.ietf.org/mailman/listinfo/isms > From wjhns1@hardakers.net Fri Oct 30 09:06:29 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D3F743A69D3 for ; Fri, 30 Oct 2009 09:06:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m4ZlW7XfR8FC for ; Fri, 30 Oct 2009 09:06:29 -0700 (PDT) Received: from mail.hardakers.net (hardaker-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::af]) by core3.amsl.com (Postfix) with ESMTP id D738428C0E0 for ; Fri, 30 Oct 2009 09:06:28 -0700 (PDT) Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id 5B57C98360; Fri, 30 Oct 2009 09:06:44 -0700 (PDT) From: Wes Hardaker To: "Donati Andrew-MGIA0477" Organization: Sparta References: Date: Fri, 30 Oct 2009 09:06:44 -0700 In-Reply-To: (Donati Andrew-MGIA's message of "Fri, 30 Oct 2009 11:18:43 -0400") Message-ID: User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: isms@ietf.org Subject: Re: [Isms] SNMP over (D)TLS draft available for review - Group compliance statements for notifications X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2009 16:06:29 -0000 >>>>> On Fri, 30 Oct 2009 11:18:43 -0400, "Donati Andrew-MGIA0477" said: DA> Yes. They are indeed listed in the in the 'MANDATORY-GROUPs' clause, DA> but was looking for additional 'GROUP' and 'DESCRIPTION' clauses for DA> each group. The 'DESCRIPTION' clause can contain information on whether DA> or not the group is mandatory or optional to implement, as illustrated DA> in rfc2580. Ah, so you're not asking for clarification. You want the notifications to be removed from the mandatory clause. If you read 5.4.1 of RFC2580 carefully you'll see that as-is the MIB describes conformance requirements perfectly: the notifications are required. We'll see what the results of the discussion are with respect to whether others agree with you that they should be optional and removed from the MANDATORY-GROUPS list. (David, eg, seems to think they should stay). -- Wes Hardaker Cobham Analytic Solutions From adonati@motorola.com Fri Oct 30 09:35:47 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0336B3A68C4 for ; Fri, 30 Oct 2009 09:35:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hd-gV0-hQR69 for ; Fri, 30 Oct 2009 09:35:46 -0700 (PDT) Received: from mail128.messagelabs.com (mail128.messagelabs.com [216.82.250.131]) by core3.amsl.com (Postfix) with ESMTP id 24C123A685B for ; Fri, 30 Oct 2009 09:35:46 -0700 (PDT) X-VirusChecked: Checked X-Env-Sender: adonati@motorola.com X-Msg-Ref: server-3.tower-128.messagelabs.com!1256920561!9544774!1 X-StarScan-Version: 6.1.3; banners=-,-,- X-Originating-IP: [129.188.136.8] Received: (qmail 12015 invoked from network); 30 Oct 2009 16:36:02 -0000 Received: from motgate8.mot.com (HELO motgate8.mot.com) (129.188.136.8) by server-3.tower-128.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 30 Oct 2009 16:36:02 -0000 Received: from il06exr03.mot.com (il06exr03.mot.com [129.188.137.133]) by motgate8.mot.com (8.14.3/8.14.3) with ESMTP id n9UGa1jF027584 for ; Fri, 30 Oct 2009 09:36:01 -0700 (MST) Received: from il06vts02.mot.com (il06vts02.mot.com [129.188.137.142]) by il06exr03.mot.com (8.13.1/Vontu) with SMTP id n9UGa1rO018258 for ; Fri, 30 Oct 2009 11:36:01 -0500 (CDT) Received: from de01exm63.ds.mot.com (de01exm63.am.mot.com [10.176.8.108]) by il06exr03.mot.com (8.13.1/8.13.0) with ESMTP id n9UGa074018255 for ; Fri, 30 Oct 2009 11:36:00 -0500 (CDT) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Fri, 30 Oct 2009 12:35:39 -0400 Message-ID: In-Reply-To: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: SNMP over (D)TLS draft available for review - Group compliance statements for notifications Thread-Index: AcpZev8PaSiWzwW3TCuFnfAaSz86qgAALLlg References: From: "Donati Andrew-MGIA0477" To: "Wes Hardaker" X-CFilter-Loop: Reflected Cc: isms@ietf.org Subject: Re: [Isms] SNMP over (D)TLS draft available for review - Group compliance statements for notifications X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2009 16:35:47 -0000 Wes, I see what you are saying and actually vote for them to stay mandatory as I believe that they are important to all network administrators. I wanted to clarify where it stood because there was some discussion on making it an optional implementation when the topic was initially brought up. - Andy=20 -----Original Message----- From: Wes Hardaker [mailto:wjhns1@hardakers.net]=20 Sent: Friday, October 30, 2009 12:07 PM To: Donati Andrew-MGIA0477 Cc: Wes Hardaker; isms@ietf.org Subject: Re: SNMP over (D)TLS draft available for review - Group compliance statements for notifications >>>>> On Fri, 30 Oct 2009 11:18:43 -0400, "Donati Andrew-MGIA0477" said: DA> Yes. They are indeed listed in the in the 'MANDATORY-GROUPs'=20 DA> clause, but was looking for additional 'GROUP' and 'DESCRIPTION'=20 DA> clauses for each group. The 'DESCRIPTION' clause can contain=20 DA> information on whether or not the group is mandatory or optional to=20 DA> implement, as illustrated in rfc2580. Ah, so you're not asking for clarification. You want the notifications to be removed from the mandatory clause. If you read 5.4.1 of RFC2580 carefully you'll see that as-is the MIB describes conformance requirements perfectly: the notifications are required. We'll see what the results of the discussion are with respect to whether others agree with you that they should be optional and removed from the MANDATORY-GROUPS list. (David, eg, seems to think they should stay). -- Wes Hardaker Cobham Analytic Solutions From wjhns1@hardakers.net Fri Oct 30 09:45:32 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3B12F3A684E for ; Fri, 30 Oct 2009 09:45:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C8KnQCls0jG3 for ; Fri, 30 Oct 2009 09:45:31 -0700 (PDT) Received: from mail.hardakers.net (hardaker-pt.tunnel.tserv1.fmt.ipv6.he.net [IPv6:2001:470:1f00:ffff::af]) by core3.amsl.com (Postfix) with ESMTP id 636D23A67AB for ; Fri, 30 Oct 2009 09:45:31 -0700 (PDT) Received: from localhost (wjh.hardakers.net [10.0.0.2]) by mail.hardakers.net (Postfix) with ESMTPSA id 22760983A2; Fri, 30 Oct 2009 09:45:48 -0700 (PDT) From: Wes Hardaker To: "Donati Andrew-MGIA0477" Organization: Sparta References: Date: Fri, 30 Oct 2009 09:45:47 -0700 In-Reply-To: (Donati Andrew-MGIA's message of "Fri, 30 Oct 2009 12:35:39 -0400") Message-ID: User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.22 (linux, no MULE) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: isms@ietf.org Subject: Re: [Isms] SNMP over (D)TLS draft available for review - Group compliance statements for notifications X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2009 16:45:32 -0000 >>>>> On Fri, 30 Oct 2009 12:35:39 -0400, "Donati Andrew-MGIA0477" said: DA> I see what you are saying and actually vote for them to stay mandatory DA> as I believe that they are important to all network administrators. Ah, ok. Then I think there is no longer a problem to resolve, correct? As we now have no one vying for making them optional and the current objects definitely mark them as mandatory. -- Wes Hardaker Cobham Analytic Solutions From adonati@motorola.com Fri Oct 30 09:47:26 2009 Return-Path: X-Original-To: isms@core3.amsl.com Delivered-To: isms@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C379428C102 for ; Fri, 30 Oct 2009 09:47:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nGrUn8lwXcue for ; Fri, 30 Oct 2009 09:47:25 -0700 (PDT) Received: from mail128.messagelabs.com (mail128.messagelabs.com [216.82.250.131]) by core3.amsl.com (Postfix) with ESMTP id DB00F3A67AB for ; Fri, 30 Oct 2009 09:47:25 -0700 (PDT) X-VirusChecked: Checked X-Env-Sender: adonati@motorola.com X-Msg-Ref: server-3.tower-128.messagelabs.com!1256921262!9545239!1 X-StarScan-Version: 6.1.3; banners=-,-,- X-Originating-IP: [129.188.136.8] Received: (qmail 19429 invoked from network); 30 Oct 2009 16:47:42 -0000 Received: from motgate8.mot.com (HELO motgate8.mot.com) (129.188.136.8) by server-3.tower-128.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 30 Oct 2009 16:47:42 -0000 Received: from il06exr03.mot.com (il06exr03.mot.com [129.188.137.133]) by motgate8.mot.com (8.14.3/8.14.3) with ESMTP id n9UGlfq1029267 for ; Fri, 30 Oct 2009 09:47:41 -0700 (MST) Received: from il06vts02.mot.com (il06vts02.mot.com [129.188.137.142]) by il06exr03.mot.com (8.13.1/Vontu) with SMTP id n9UGlfBT022345 for ; Fri, 30 Oct 2009 11:47:41 -0500 (CDT) Received: from de01exm63.ds.mot.com (de01exm63.am.mot.com [10.176.8.108]) by il06exr03.mot.com (8.13.1/8.13.0) with ESMTP id n9UGlfjY022340 for ; Fri, 30 Oct 2009 11:47:41 -0500 (CDT) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Fri, 30 Oct 2009 12:47:19 -0400 Message-ID: In-Reply-To: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [Isms] SNMP over (D)TLS draft available for review - tlstmServerAuthFailure and notification Thread-Index: AcpXWdMOMCTu5lDeT6WBAj4rdpFefQCFKP2Q References: From: "Donati Andrew-MGIA0477" To: "Wes Hardaker" , X-CFilter-Loop: Reflected Subject: Re: [Isms] SNMP over (D)TLS draft available for review - tlstmServerAuthFailure and notification X-BeenThere: isms@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Mailing list for the ISMS working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2009 16:47:26 -0000 Wes, Just a few more questions on notifications ...=20 1. tlstmServerAuthFailure notification. Will it be helpful for network administrators to know the current count of how many times the presented server certificate is invalid in each tlstmServerAuthFailure notification? If so, it may be helpful to have tlstmSessionInvalidServerCertificates as an additional binding especially if this object is the trigger. 2. Standard authentication failure notification. There might have been some previous discussions about possibly using the standard authenticationFailure trap for tlstm authentication failures. Will this be used or will there be no autonomous messages for these events? 3. tlstmServerCertNotFound Should there be scalar object that serves as a counter for this event?=20 If implemented, this object can be added to this notification. - Andy Donati=20 -----Original Message----- From: isms-bounces@ietf.org [mailto:isms-bounces@ietf.org] On Behalf Of Wes Hardaker Sent: Tuesday, October 27, 2009 7:04 PM To: isms@ietf.org Subject: [Isms] SNMP over (D)TLS draft available for review As you probably saw from the official draft announcement, a new copy of the SNMP over (D)TLS draft is available from: http://tools.ietf.org/html/draft-ietf-isms-dtls-tm-01 A diff from the previous version can be found here: =20 http://tools.ietf.org/rfcdiff?difftype=3D--hwdiff&url2=3Ddraft-ietf-isms-= dtl s-tm-01.txt The -01 version reflects all outstanding issues that I'm aware of. It would be good if WG participants could review the document and/or changes prior to the WG meeting in Hiroshima and list any issues you have with the draft so we can use the meeting time to discuss any of them that require a face-to-face meeting. -- Wes Hardaker Cobham Analytic Solutions _______________________________________________ Isms mailing list Isms@ietf.org https://www.ietf.org/mailman/listinfo/isms