
Re: The RADIUS attribute space: an assessment



"Greg Weber (gdweber)" <gdweber@cisco.com> wrote:
> Do you have any more info about what makes Diameter
> difficult to deploy?  Is it security setup? config changes?
> Or just that any change at all is difficult?

  A large part is that any change is difficult.

  A similar part is the comment about Open Source servers.  Let's not
underestimate the number of AAA server deployments that happen because
someone had a spare whitebox, and a few hours to play around.

  Also, capital costs show up in budgets, and incur pushback from
accounting types.  Time spent on salaries is less problematic, because
the perception is that those costs are already accounted for.

> Is Diameter more difficult to deploy than IPsec protected
> RADIUS?

  Absolutely.  Diameter involves an upgrade of your existing RADIUS
server to, what exactly?  Something without LDAP/SQL/foo support, that
includes your custom batch files or Perl scripts?

  That doesn't sell well.

  In contrast, RADIUS + IPSec is an incremental approach over what
people have now.  If people already have both systems separately
deployed, it's simply integration, which is fairly simple.

>  More difficult than RADIUS with CoA?

  A lot of people don't use CoA, so that isn't a problem.  And for the
people who do, most don't proxy CoA packets around the Internet.
Instead, they run a script with a dumb RADIUS client that sends
packets to the NAS, on the local network.

  RADIUS server upgrade for CoA?  Who needs that?

  Oh... the large telecom providers, who *do* send CoA packets
backwards across the net, through chains of proxies.  But there's a
better way: Diameter.

  So once again, they deploy Diameter, and no one else does.

  Alan DeKok.
