Using Authentication, Authorization, and Accounting Services to Dynamically Provision View-Based Access Control Model User-to-Group Mappings
draft-ietf-isms-radius-vacm-11
Note: This ballot was opened for revision 11 and is now closed.
Lars Eggert No Objection
(Dan Romascanu; former steering group member) (was Discuss) Yes
(David Harrington; former steering group member) Yes
(Sean Turner; former steering group member) Yes
(Adrian Farrel; former steering group member) No Objection
Thanks for this I-D. I have no objection to its publication as an RFC.

Section 4.1

I found the following sentence somewhat tricky.

> An implementation-specific identifier is needed for each AAA-authorized "session", corresponding to a communication channel, such as a transport session, for which a principal has been AAA-authenticated and which is authorized to offer SNMP service.

The problem is around "implementation-specific" which implies that there is a single identifier for all communication channels from any Company-X Product-Y device. Not what you mean! If you have time to tweak this a little, that would be good.

---

Section 4.2

Not sure that the two uses of "MAY" in this section really need to be upper case, but it is not very important.

---

Section 5.1

Would be nice to give a reference for the TCs mentioned.
(Alexey Melnikov; former steering group member) No Objection
(Jari Arkko; former steering group member) (was Discuss) No Objection
(Ralph Droms; former steering group member) No Objection
(Robert Sparks; former steering group member) No Objection
(Ron Bonica; former steering group member) No Objection
(Russ Housley; former steering group member) No Objection
Please consider the editorial comments in the Gen-ART Review from Francis Dupont. The review can be found at:
http://www.softarmor.com/rai/temp-gen-art/draft-ietf-isms-radius-vacm-09-dupont.txt
(Stewart Bryant; former steering group member) No Objection
(Tim Polk; former steering group member) No Objection
Magnus Nystrom noted some confusion in the current section 7.2. After reviewing the text, I think he has a point. I would suggest deleting "or equivalent" from the second and fourth bullets and appending something along the following lines at the end of the section:

> As noted in section 4.2, the above text refers specifically to RADIUS attributes. Other AAA services can be substituted, but the requirements imposed on User-Name and Management-Policy-Id-Attribute MUST be satisfied using the equivalent fields for that service.