> Of course, what was I thinking? Setting up a CA, issuing client and server|
> certs and configuring secure DNS is _so_ much simpler than laboriously
> typing an IP address. This simplicity must explain the amazing popularity
> (indeed, true ubiquity) of the PKI today.
One of the concerns that Pasi Eronen raised in Issue 303 was credential support.
I'd suggest that this issue needs to be thought through both with respect to
proxies/servers as well as for NASes.
While my understanding is that certificates have been used in RADSEC
deployments, deploying certificates on NASes for use with RADIUS/DTLS
could be considerably more difficult.
This raises the question of what TLS ciphersuites should be recommended/required
(e.g. PSK for DTLS).
Also, typically NASes are configured with the address of the proxy or server, and
therefore don't need to dynamically discover it. The situation is a bit like default
route configuration with IPv4.
So I'm wondering whether this is primarily a concern for proxies running RADSEC,
since those seem the most likely to have a certificate as well as to be in need of
dynamic discovery capability.
With respect to standardization of dynamic discovery, experience with SIP (e.g. RFC 3263)
has been that supporting multiple transports can be the source of interoperability problems,
and that if not carefully specified, dynamic DNS discovery can actually make things worse.
For example, I'd suggest that a RADIUS server should probably not use dynamic discovery
to decide how to answer an incoming Request. This could result in an incoming RADSEC
packet being answered with a RADIUS over DTLS packet. The logical thing to do is for a
responder (either a RADIUS server or a DAS) to respond with the same transport that was
used in the Request.
I'm also not sure whether a DAC should use dynamic discovery to decide how to speak
to a DAS. In this situation, there is presumably information available on the transport used
by the RADIUS client in the Access-Request. Wouldn't it make more sense for the DAC
to use that same transport in speaking to the DAS?