
Re: Pls review/comment on: draft-ietf-dhc-agentopt-radius-06.txt



Some additional comments,

The table in Section 4 lists RADIUS attributes which MAY be
returned by the server to the NAS, but most of these are
precluded from inclusion in Access-Accepts by RFC 2865 Section
5.44.  E.g. Calling-Session-Id (attr.30) is not returned by
the server; it is sent to the server.  If the intent is that
the NAS supplies these directly to the DHCP relay, that
conflicts with Section 5 of the draft:
  "The RADIUS Attributes sub-option MUST only contain the
   attributes provided in the RADIUS Access/Accept message."

Guidance is needed on the lifetime of the authorization
data.  DHCP is independent of 802.1x; there is no guarantee
that any DHCP packets will immediately (or ever) follow
the authentication process.  How long is the NAS supposed to
hang on to this authorization data hoping to insert it into
DHCP requests?  Are the data inserted into all subsequent
DHCP requests, and until what point?

Guidance may be needed on how the NAS is supposed to correlate
DHCP requests with the previous RADIUS requests.  Is this based
on MAC address?  Does that pose a spoofing threat specific to
the proposed functionality which should be covered in the
Security Considerations section?

Greg


> 
> I am very sorry to be so late.
> 
> But this doc is on tomorrows (Thursday 29th) IESG agenda.
> So if you can review and comment.. PLEASE DO.
> 
> If you do a quick scan and see a need to take a closer look,
> pls let me know. I can take a DEFER in that case which gives
> us some extra time.
> 
> Thanks,
> Bert 
> 
>
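The three concerns raised in the review above (only Access-Accept attributes may be copied into the sub-option, the authorization data needs a bounded lifetime, and the relay correlates DHCP traffic with the earlier RADIUS exchange by some client key) can be made concrete in relay-side code. The following is an added example, not code from the draft or from any implementation: it encodes RADIUS attributes as type/length/value triples inside a relay-agent sub-option, filters them against an allow-list, and keys the cached authorization on the client MAC with an explicit expiry. The allow-list, the sub-option code 7, and the attribute numbers are assumptions chosen for illustration, not the draft's Section 4 table.

```python
import time

# Assumed allow-list of RADIUS attribute types the relay may copy into the
# sub-option (User-Name, Service-Type, Class, Session-Timeout). Illustrative
# only; it is not the table from the draft.
ALLOWED_ATTRS = {1, 6, 25, 27}

# Assumed sub-option code for the RADIUS Attributes sub-option of the
# DHCP Relay Agent Information option.
RADIUS_ATTRS_SUBOPTION = 7


def parse_radius_attrs(blob):
    """Parse RADIUS attribute TLVs: type(1), length(1, includes header), value.

    Raises ValueError on truncated or overlapping attributes so a malformed
    sub-option is rejected rather than silently accepted.
    """
    attrs = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, bytes(blob[i + 2:i + alen])))
        i += alen
    return attrs


def encode_radius_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one-byte length")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


class AuthzCache:
    """Per-client store of Access-Accept attributes with a bounded lifetime.

    The key is the client MAC (the correlation the review asks about); the
    lifetime answers "how long does the NAS hang on to this data".
    """

    def __init__(self, lifetime_s, clock=time.monotonic):
        self.lifetime_s = lifetime_s
        self.clock = clock
        self.entries = {}

    def store(self, mac, access_accept_attrs):
        """Keep only allow-listed attributes; return the ones dropped."""
        kept = [(t, v) for t, v in access_accept_attrs if t in ALLOWED_ATTRS]
        dropped = [t for t, _ in access_accept_attrs if t not in ALLOWED_ATTRS]
        self.entries[mac] = (self.clock() + self.lifetime_s, kept)
        return dropped

    def build_suboption(self, mac):
        """Return the encoded sub-option for this MAC, or None if unknown/expired."""
        entry = self.entries.get(mac)
        if entry is None:
            return None
        expires, kept = entry
        if self.clock() > expires:
            del self.entries[mac]          # expired: stop inserting stale authz
            return None
        body = encode_radius_attrs(kept)
        if len(body) > 255:
            raise ValueError("sub-option body too long")
        return bytes([RADIUS_ATTRS_SUBOPTION, len(body)]) + body


def demo(now):
    """Constructed Access-Accept: User-Name, Session-Timeout, and a
    Calling-Station-Id (31) that the server should never have returned."""
    cache = AuthzCache(lifetime_s=60, clock=lambda: now[0])
    accept = [(1, b"alice"), (27, (3600).to_bytes(4, "big")),
              (31, b"00-11-22-33-44-55")]
    dropped = cache.store("00:11:22:33:44:55", accept)
    sub = cache.build_suboption("00:11:22:33:44:55")
    return dropped, sub, cache


if __name__ == "__main__":
    now = [0.0]
    dropped, sub, cache = demo(now)
    print("dropped attribute types:", dropped)
    print("sub-option:", sub.hex())
    now[0] = 61.0
    print("after lifetime:", cache.build_suboption("00:11:22:33:44:55"))
```

The relay never forwards attributes the server did not (or should not) return, and once the lifetime elapses the cache entry is discarded so a late DHCP request carries no sub-option at all rather than stale authorization data.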