
RE: issues about Keyreq/keywrap drafts



Ashwin Palekar <mailto:ashwinp@windows.microsoft.com> writes:

> Some issues/questions about these drafts:
> 
> http://www.ietf.org/internet-drafts/draft-zorn-radius-keyreq-01.txt
> 
> http://www.ietf.org/internet-drafts/draft-zorn-radius-keywrap-00.txt
> 
> 1. How is support for the "applications" signaled between the peer
> and NAS and between the NAS and AAA server?  Without specifying the
> signaling mechanisms, the end result is breaking interoperability
> both in EAP and in AAA as well.  For example, even if the NAS
> requests an application specific key via the Naming AVP 

Do you mean the EAP-Key-Name AVP?

> in Diameter
> or an equivalent in RADIUS, what happens if the server doesn't
> support the particular naming scheme in use? As far as I can tell,
> the Diameter EAP name request can only be used interoperably with a
> standardized key naming mechanism, not with this "extension"
> mechanism.   

The application ID may be specified in the Key attribute.  Its format
has been left unspecified both in the hope of sparking discussion and
because it's not completely clear (to me, anyway) that binding the Key
attribute to EAP is a good idea (there are currently no standard EAP
methods that generate keys of any kind).  

> 
> 2. Why create new RADIUS codes - can't we use existing radius codes
> (Access-request) with new service type? 

We're not requesting access (presumably access has already been
granted).  It just seems cleaner to me.
 
> 
> Thanks, Ashwin

Hope this helps,

~gwz

"They that can give up essential liberty to obtain a little temporary
safety deserve neither..." 
-- Benjamin Franklin, 1759

"It is forbidden to kill; therefore all murderers are punished unless
they kill in large numbers and to the sound of trumpets." 
-- Voltaire
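
[Added example, not part of the thread above and not code from either
draft.  It puts the second question on the wire: the same key request
encoded once with a new RADIUS Code and once as an Access-Request with a
new Service-Type value, then handed to a server that knows only RFC 2865
and to one that knows both forms.  The packet layout, Service-Type
attribute and Message-Authenticator HMAC-MD5 follow RFC 2865 and RFC
2869; the Code value 250 (from the 250-253 experimental range in RFC
3575), the Service-Type value 99, the User-Name and the shared secret
are assumptions made for this illustration only, since the drafts assign
no numbers here.]

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 / RFC 2869 constants (standard values, not taken from the drafts).
ACCESS_REQUEST = 1
USER_NAME = 1                 # RFC 2865 5.1
SERVICE_TYPE = 6              # RFC 2865 5.6, 4-byte integer value
MESSAGE_AUTHENTICATOR = 80    # RFC 2869 5.14, HMAC-MD5 over the whole packet
KNOWN_SERVICE_TYPES = set(range(1, 12))  # the values RFC 2865 defines (1..11)

# Hypothetical values, assumed for this example only; the drafts assign none.
KEY_REQUEST_CODE = 250        # from the 250-253 Experimental Use range (RFC 3575)
SERVICE_TYPE_KEY_REQUEST = 99 # not an IANA-assigned Service-Type value
SECRET = b"example-shared-secret"   # constructed sample secret


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS attribute TLVs."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting lengths that run past the packet."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        typ, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((typ, data[2:length]))
        data = data[length:]
    return attrs


def build_request(code, attrs, secret, ident=1, authenticator=None):
    """Encode a request and append a Message-Authenticator (RFC 2869).

    The HMAC-MD5 is computed over the packet with the Message-Authenticator
    value set to 16 zero bytes; the real digest then replaces the zeros.
    """
    req_auth = authenticator if authenticator is not None else os.urandom(16)
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, mac)])


def verify_message_authenticator(pkt, secret):
    """Check the Length field and the Message-Authenticator HMAC."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        attrs = decode_attrs(pkt[20:])
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, pkt[:20] + encode_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def make_key_request(style, secret):
    """Build the same key request both ways: 'code' or 'service-type'."""
    attrs = [(USER_NAME, b"nas01")]          # constructed sample User-Name
    if style == "code":
        return build_request(KEY_REQUEST_CODE, attrs, secret)
    attrs.append((SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_KEY_REQUEST)))
    return build_request(ACCESS_REQUEST, attrs, secret)


def legacy_server(pkt, secret):
    """A server implementing only RFC 2865: unknown Codes may be silently
    discarded (RFC 2865 section 3), but an Access-Request with an unknown
    Service-Type value is still parsed and gets an answer."""
    if not verify_message_authenticator(pkt, secret):
        return "discard: bad Message-Authenticator"
    code = pkt[0]
    if code != ACCESS_REQUEST:
        return "discard: unknown Code %d" % code
    attrs = dict(decode_attrs(pkt[20:]))     # duplicate types collapse; fine here
    if SERVICE_TYPE in attrs:
        service = struct.unpack("!I", attrs[SERVICE_TYPE])[0]
        if service not in KNOWN_SERVICE_TYPES:
            return "Access-Reject: unknown Service-Type %d" % service
    return "normal authentication"


def key_aware_server(pkt, secret):
    """A server updated to recognise both encodings of the key request."""
    if not verify_message_authenticator(pkt, secret):
        return "discard: bad Message-Authenticator"
    code = pkt[0]
    if code == KEY_REQUEST_CODE:
        return "key request via new Code"
    if code == ACCESS_REQUEST:
        attrs = dict(decode_attrs(pkt[20:]))
        if attrs.get(SERVICE_TYPE) == struct.pack("!I", SERVICE_TYPE_KEY_REQUEST):
            return "key request via Access-Request + Service-Type"
        return "normal authentication"
    return "discard: unknown Code %d" % code
```

Run make_key_request("code", SECRET) and make_key_request("service-type",
SECRET) through legacy_server to see the difference the thread is arguing
about: the new Code gets no reply at all (the NAS is left retransmitting
into silence), while the Access-Request form is at least parsed and
answered.  Either way the Message-Authenticator check runs before the
Code is dispatched on, so a forged or tampered request is dropped
regardless of which encoding wins.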


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>