A proposal for addressing this would be to state explicitly that solutions are only required to address hop-by-hop security. If more explanation is required, one or more of the following points might be included:
a. RADIUS currently does not support the Redirect facilities of Diameter, which allow a NAS to directly talk to a Diameter server assuming that appropriate credentials are available.
b. End-to-end protection requires that the NAS and RADIUS server can authenticate directly. Where pre-shared keys are used for authentication, this creates a scaling problem. Where certificates are available *and* re-direct (or automatic discovery) is available, the NAS can talk directly to the RADIUS server. However, this is an ongoing area of research/experimentation, which is not yet mature enough for standardization.
Subject: Crypto-agility requirements: Hop-by-hop vs. end-to-end (from Issue 303)
Date: Sun, 28 Jun 2009 14:01:41 -0700
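The hop-by-hop versus end-to-end distinction discussed in point (b) is easy to see in a small model. The following is an added example, not code from the mailing-list thread or from any RADIUS implementation: it models a NAS, one proxy and a home server with constructed shared secrets, uses HMAC-SHA256 as a stand-in for the per-hop authenticator (real RADIUS uses HMAC-MD5 in Message-Authenticator), and adds a hypothetical end-to-end tag computed with a key shared only between the NAS and the home server. It also counts the pre-shared keys each model needs for a given number of NASes and home servers, which is the scaling problem the message refers to.

```python
"""Model of hop-by-hop vs end-to-end integrity protection on a RADIUS proxy path."""
import hashlib
import hmac
import json

# Constructed shared secrets for this toy topology (not real credentials).
HOP_SECRETS = {
    ("nas", "proxy"): b"nas-proxy-secret",
    ("proxy", "home"): b"proxy-home-secret",
}
# Assumption: a key shared directly between NAS and home server exists only in the
# end-to-end model; in the hop-by-hop model the two never share anything.
END_TO_END_SECRET = b"nas-home-secret"


def _canonical(attrs: dict) -> bytes:
    """Deterministic encoding of the attribute set so MACs are reproducible."""
    return json.dumps(attrs, sort_keys=True).encode()


def mac(secret: bytes, attrs: dict) -> str:
    """HMAC-SHA256 stand-in for a per-hop authenticator (real RADIUS uses HMAC-MD5)."""
    return hmac.new(secret, _canonical(attrs), hashlib.sha256).hexdigest()


def send_hop(src: str, dst: str, attrs: dict, e2e_tag=None) -> dict:
    """Build the packet as it appears on the wire between src and dst."""
    pkt = {"attrs": dict(attrs), "hop_mac": mac(HOP_SECRETS[(src, dst)], attrs)}
    if e2e_tag is not None:
        pkt["e2e_mac"] = e2e_tag  # carried unchanged through the proxy
    return pkt


def verify_hop(src: str, dst: str, pkt: dict) -> bool:
    """Check the authenticator of the hop the packet just traversed."""
    expected = mac(HOP_SECRETS[(src, dst)], pkt["attrs"])
    return hmac.compare_digest(pkt["hop_mac"], expected)


def proxy_forward(pkt: dict, rewrite=None) -> dict:
    """Proxy verifies the NAS->proxy hop, optionally rewrites attributes (as proxies
    legitimately do, e.g. for realm stripping), and re-protects for the next hop."""
    if not verify_hop("nas", "proxy", pkt):
        raise ValueError("hop MAC from NAS failed")
    attrs = dict(pkt["attrs"])
    if rewrite:
        attrs.update(rewrite)
    return send_hop("proxy", "home", attrs, pkt.get("e2e_mac"))


def home_server_check(pkt: dict, end_to_end: bool) -> dict:
    """Home server sees only the proxy->home hop, plus the e2e tag if that model is in use."""
    hop_ok = verify_hop("proxy", "home", pkt)
    if not end_to_end:
        return {"hop_ok": hop_ok, "e2e_ok": None}
    e2e_ok = hmac.compare_digest(pkt.get("e2e_mac", ""), mac(END_TO_END_SECRET, pkt["attrs"]))
    return {"hop_ok": hop_ok, "e2e_ok": e2e_ok}


def run(rewrite, end_to_end: bool) -> dict:
    """Send one constructed request NAS -> proxy -> home and report what the home server can verify."""
    attrs = {"User-Name": "alice@example.org", "NAS-Port": 7, "Filter-Id": "guest"}
    e2e = mac(END_TO_END_SECRET, attrs) if end_to_end else None
    pkt = send_hop("nas", "proxy", attrs, e2e)
    pkt = proxy_forward(pkt, rewrite)
    return home_server_check(pkt, end_to_end)


def keys_required(num_nas: int, num_home: int, num_proxies: int = 1) -> dict:
    """Pre-shared keys needed: one per NAS/home pair end-to-end, one per hop via a proxy layer."""
    return {"end_to_end": num_nas * num_home,
            "hop_by_hop": num_proxies * (num_nas + num_home)}


if __name__ == "__main__":
    print("unchanged, hop-by-hop:", run(None, False))
    print("rewritten, hop-by-hop:", run({"Filter-Id": "staff"}, False))
    print("rewritten, end-to-end:", run({"Filter-Id": "staff"}, True))
    print("keys for 100 NASes x 10 home servers:", keys_required(100, 10))
```

In the hop-by-hop run the home server's check passes whether or not the proxy changed an attribute, because the only authenticator it can verify was computed by the proxy; only the end-to-end tag, which requires the NAS and home server to share a key (or, per point (b), to authenticate each other directly via certificates), exposes the change. The key-count function shows why direct pre-shared keys do not scale once there are many NASes and many home servers.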