[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue: NAS identity

To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Subject: Re: Issue: NAS identity
From: Stefan Winter <stefan.winter@restena.lu>
Date: Thu, 26 Mar 2009 20:37:04 +0100
Cc: radiusext@ops.ietf.org
In-reply-to: <AC1CFD94F59A264488DC2BEC3E890DE507B33336@xmb-sjc-225.amer.cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE507B33336@xmb-sjc-225.amer.cisco.com>
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Hi,

Discuss in the document that the NAS can be identified by something

other than source IP address.

Sure, that's possible. FOr X.509 cert operation, I guess this is anon-issue, since there are numerous ways to identify a peer withoutusing its IP address.For PSK, the PSK Identifier Field can be used to identify the peer. Thiscan be used to create arbitrary identifiers, independent of the IPaddress of the NAS.

This works both ways: if one has configured many tuples of (IP,sh-sec),it might be desirable to keep that configuration - in which case theIdentifier field can be set to the IP address.

In none of these cases it is necessary to use layer 3 packet inspectionto identify the peer - the Identifier field is always sufficient. Isthat what you menat? Then I'll update the text accordingly.


Greetings,

Stefan Winter

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Issue: NAS identity
  - From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>

Prev by Date: Issue: NAS identity
Next by Date: Re: Issue: RADSEC and DTLS docs
Previous by thread: Issue: NAS identity
Index(es):
- Date
- Thread