A new IETF working group has been proposed in the Security Area. The IESG has not made any determination as yet. The following description was submitted, and is provided for informational purposes only. Please send your comments to the IESG mailing list (iesg@ietf.org) by September 15.

Integrated Security Model for SNMP (isms)
=========================================

Current Status: Proposed Working Group

Description of Working Group:

Version 3 of the Simple Network Management Protocol (SNMPv3) was elevated to Internet Standard in late 2002 and added security to the previous versions of the protocol. Although the enhanced protocol is secure, operators and administrators find that deploying it can be problematic in large distributions. This is due primarily to two synchronization problems.

The first is the addition of yet another authentication system, specific to SNMPv3, that needs to be maintained across all networking devices. Most of these devices already contain local accounts and/or the ability to negotiate with authentication servers (e.g. RADIUS servers). However, SNMPv3 does not make use of these authentication mechanisms, and this causes additional synchronization burdens.

The second issue found with deploying SNMPv3 is that distributing and maintaining View-based Access Control Model (VACM) rules is also difficult in large-scale environments.

The ISMS working group will focus on finding and identifying a solution for the first of the two problems mentioned above: creating a security model for SNMPv3 that will meet the security and operational needs of network administrators. The solution should maximize usability in operational environments to achieve high deployment success, and at the same time minimize implementation and deployment costs so as to minimize the time until deployment is possible. The work will include the ability to make use of existing and commonly deployed security infrastructure.

The following security infrastructures will be considered by the working group as potential existing authentication infrastructures to make use of within the new security model. The solution will hopefully be able to be integrated with several of these user databases, although it is expected that one will be mandatory.

- Local accounts
- SSH identities
- RADIUS
- TACACS+
- X.509 Certificates
- Kerberos
- LDAP
- Diameter

A solution must not modify the other aspects of the SNMPv3 protocol as defined in STD 62 (e.g., it must not create new PDU types). It should also be compliant with the security model architectural block of SNMPv3, as outlined in RFC 3411. And if at all possible, it should also not change any other protocols either.

The working group will begin by focusing on initial proposals, which must be submitted for consideration by the Internet-Draft cut-off date for the 61st IETF (Oct 19th, 2004). Documents submitted for consideration need not be well-polished, but are expected to describe the proposed model adequately enough that working group participants can understand them well enough to make an informed decision when considering each one along with the other candidates. The working group will select one forward path from all the proposals submitted by the cut-off date. If no such selection is made by the end of March, 2004, then the working group will be closed down.

Work Items

- Choose a technical direction for the working group to focus on.

_______________________________________________
IETF-Announce@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce