[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AD review of draft-zorn-radius-pkmv1-04.txt

To: Glen Zorn <gwz@net-zen.net>
Subject: Re: AD review of draft-zorn-radius-pkmv1-04.txt
From: Alan DeKok <aland@deployingradius.com>
Date: Thu, 23 Jul 2009 17:01:52 +0200
Cc: 'radext mailing list' <radiusext@ops.ietf.org>, ops-dir@ietf.org, ietf@ietf.org
In-reply-to: <00e201ca0b92$58196330$084c2990$@net>
References: <EDC652A26FB23C4EB6384A4584434A0401892FD6@307622ANEX5.global.avaya.com> <4A6830A9.4080002@deployingradius.com> <00e201ca0b92$58196330$084c2990$@net>
User-agent: Thunderbird 2.0.0.22 (Macintosh/20090605)

Glen Zorn wrote:
> No.  There _are_ implementations as I rather clearly stated at the meeting
> in SF, using the Experimental attribute space.

  So the implementations have to be updated to use the IANA code points,
independent of them possibly using the extended attributes format.

> Given that there are already multiple interoperable implementations and all
> of the attributes are security related, I see no pressing need to make
> people change running code to satisfy your personal preferences.

 The contents of the design guidelines document reflect the WG consensus
after years of effort and review.  It by *no* means reflects solely my
personal preference, as seems to be implied here.

>  Sorry if
> these attributes were designed to be easy to implement for people writing
> PKM code, rather than RADIUS code.

  There's no need to follow the RADIUS design guidelines, because the
attributes refer to data that interacts with non-RADIUS systems...

  What value, then, is in the design guidelines, WG consensus, or IETF
review?  Can we just over-ride them willy-nilly because a vendor has an
implementation of a spec?

>>   In Section 3.4.  PKM-Cryptosuite-List, can the attribute be longer
>> than 253 bytes?    
> 
> No.  There are exactly 

  This response seems to have been cut off.

>>   Would it be sufficient to require that the Access-Accept contains a
>> Message-Authenticator for integrity protection?
> 
> If you consider MD5 to be "strong integrity protection".

  It appears to be good enough for the rest of RADIUS, at least until
the TLS-based methods are standardized.

> MPPE-Send-Key is broken; I don't see the value in requiring the use of
> broken technology.  There are much better ways to encrypt attributes for
> transmission, in which (once again) the radext WG has shown near zero
> interest.  Maybe it should be a cisco VSA?

  If it's documented, sure.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- AD review of draft-zorn-radius-pkmv1-04.txt
  - From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
- AD review of draft-zorn-radius-pkmv1-04.txt
  - From: Alan DeKok <aland@deployingradius.com>

Prev by Date: AD review of draft-zorn-radius-pkmv1-04.txt
Next by Date: Re: AD review of draft-zorn-radius-pkmv1-04.txt
Previous by thread: AD review of draft-zorn-radius-pkmv1-04.txt
Next by thread: Re: AD review of draft-zorn-radius-pkmv1-04.txt
Index(es):
- Date
- Thread