
RE: REMINDER: Call for adoption of "RADIUS over TCP" as a RADEXT WG Work Item



> Deployment experience with RADIUS over TLS indicates that it is useful
> for inter-server communication, such as inter-domain proxying across
> the Internet. The large amounts of traffic, and long-lived
> connections are a good fit for TCP transport. These situations
> commonly also require complete data privacy that can be supplied by
> TLS.
>
> The use of "bare" TCP has fewer use-cases. Using TCP for NAS to
> server communication is a bad fit, as there is usually insufficient
> traffic to warrant the use of TCP. Using "bare" TCP for inter-server
> communication is a bad fit, as it provides for no data privacy. The
> only valid use-case for "bare" TCP, therefore, is on private, secured
> networks where there is simultaneously a large amount of traffic, and
> no need for data integrity or privacy.

How about this?

"Deployment experience with RADIUS over TLS indicates that it is
most useful for inter-server communication, such as inter-domain
communication between proxies.  These situations benefit from
the confidentiality and ciphersuite negotiation that can be provided
by TLS. Since TLS is already widely available within the operating
systems used by proxies, implementation barriers are low.

RADIUS over TCP has a similar set of use cases.  Use of TCP as
a transport between a NAS and RADIUS server is a poor fit,
since as noted in [RFC3539], there is likely to be insufficient traffic for
the congestion window to remain above the minimum value on a
long-term basis.  The result is an increase in packets due to ACKs
as compared to UDP, without a corresponding set of benefits.

In server-server communications the traffic levels in both
directions are typically high enough to support a larger
congestion window as well as ACK piggy-backing.
Through use of an application-layer watchdog as described
in [RFC3539], it is possible to address the objections
to reliable transport described in [RFC2865] Section 2.4.
However, in these scenarios "bare" TCP does not provide for
confidentiality or enable negotiation of stronger ciphersuites
than are available in RADIUS.

As a result of these considerations, use of RADIUS over
TCP SHOULD be restricted to situations where RADIUS over
TLS is employed.  RADIUS over "bare" TCP is NOT RECOMMENDED."
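The application-layer watchdog that the proposed text relies on is easier to reason about in code. The following Python model is added here as an illustration; it is not code from this thread, from the RADEXT working group, or from any RADIUS implementation. It is a deliberately simplified reading of the RFC 3539 watchdog (only the OKAY state is modelled, with a SUSPECT state standing in for the close-connection-and-fail-over step), driven by a simulated clock so that the timing is deterministic. The Tw default of 30 seconds and the +/-2 second jitter are taken from RFC 3539; the class name, method names and the three scenario helpers are constructed for this example. In RADIUS the watchdog request is a Status-Server packet.

```python
"""Simplified model of the RFC 3539 application-layer watchdog for a RADIUS/TCP
connection.  Assumed (simplified) behaviour:
  * if the peer has sent nothing for Tw seconds, send a watchdog request
    (Status-Server) and mark it pending;
  * if the timer expires again while that request is still unanswered, the
    peer is declared unreachable and the connection is failed over, without
    waiting for TCP's own retransmission timeouts;
  * any packet from the peer restarts Tw, and a watchdog answer clears pending.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Watchdog:
    tw: float = 30.0        # watchdog interval Tw (RFC 3539 default: 30 s)
    jitter: float = 2.0     # RFC 3539 jitters Tw by +/-2 s so peers do not synchronise
    seed: int = 0           # fixed seed keeps the jitter reproducible in this model
    state: str = "INITIAL"
    pending: bool = False   # a Status-Server request is outstanding
    deadline: float = 0.0   # absolute (simulated) time at which Tw fires
    log: list = field(default_factory=list)  # (time, action) pairs for inspection

    def __post_init__(self):
        self._rng = random.Random(self.seed)

    def _set_timer(self, now):
        self.deadline = now + self.tw + self._rng.uniform(-self.jitter, self.jitter)

    def open(self, now):
        """Connection established: enter OKAY and arm Tw."""
        self.state, self.pending = "OKAY", False
        self._set_timer(now)
        self.log.append((now, "open"))

    def on_receive(self, now, watchdog_answer=False):
        """Any packet from the peer proves liveness and restarts Tw; only a
        watchdog answer clears the pending flag."""
        if self.state != "OKAY":
            return
        if watchdog_answer:
            self.pending = False
        self._set_timer(now)

    def tick(self, now):
        """Drive the timer; returns 'send_watchdog', 'failover', or None."""
        if self.state != "OKAY" or now < self.deadline:
            return None
        if not self.pending:
            self.pending = True          # Status-Server goes out, wait one more Tw
            self._set_timer(now)
            self.log.append((now, "send_watchdog"))
            return "send_watchdog"
        # Second expiry with the request still unanswered: the peer is dead.
        self.state = "SUSPECT"
        self.log.append((now, "failover"))
        return "failover"


def _sent_watchdogs(wd):
    return sum(1 for _, action in wd.log if action == "send_watchdog")


def detect_silent_peer(tw=30.0, horizon=120.0):
    """Peer goes silent right after connecting: time at which failover fires."""
    wd = Watchdog(tw=tw, jitter=0.0)
    wd.open(0.0)
    t = 0.0
    while t <= horizon:
        if wd.tick(t) == "failover":
            return t
        t += 1.0
    return None


def idle_peer_answers(tw=30.0, horizon=200.0):
    """Idle but live peer: answers each Status-Server one second later, so the
    connection stays OKAY and only watchdog traffic flows."""
    wd = Watchdog(tw=tw, jitter=0.0)
    wd.open(0.0)
    t, reply_due = 0.0, None
    while t <= horizon:
        if reply_due is not None and t >= reply_due:
            wd.on_receive(t, watchdog_answer=True)
            reply_due = None
        if wd.tick(t) == "send_watchdog":
            reply_due = t + 1.0
        t += 1.0
    return wd.state, _sent_watchdogs(wd)


def busy_peer_stays_up(tw=30.0, answer_interval=10.0, horizon=300.0):
    """Server-to-server traffic every 10 s keeps restarting Tw, so no
    watchdog request is ever needed."""
    wd = Watchdog(tw=tw, jitter=0.0)
    wd.open(0.0)
    t = 0.0
    while t <= horizon:
        wd.tick(t)
        if t > 0 and t % answer_interval == 0:
            wd.on_receive(t)
        t += 1.0
    return wd.state, _sent_watchdogs(wd)
```

With jitter disabled the silent peer is failed over at exactly 2 * Tw (60 s), which is the bound the watchdog gives a proxy for noticing a dead next hop; the busy server-to-server case never emits a watchdog at all, matching the point that inter-server traffic is normally high enough to keep the connection demonstrably alive without extra packets.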