
RE: RADIUS keywrap attributes



Glen Zorn writes...

> Hmm.  Since RADIUS clients and servers are required to ignore unknown
> packet types (by specification, not tradition), I don't really understand
> why this same logic would not apply to the protocol in general.

I would suggest that one level of forwards and backwards compatibility
is obtained by ignoring individual attributes that are not understood,
while a very different (IMHO much lower) level of compatibility might be
obtained by ignoring entire protocol PDUs.

This discussion side-steps the whole issue of whether new attributes (or
indeed new commands) may safely be ignored by either clients or servers,
if the subject matter of said protocol elements is important or
"security sensitive".  We have the Mandatory header bit in Diameter to
address this issue.  I don't see any good solution to this problem,
short of adding a Mandatory bit in RADIUS attributes, which raises a
whole other backwards compatibility issue. 


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
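
The contrast drawn in the message above, as an added example that is not part of the original post or of any RADIUS or Diameter implementation: a receiver that skips unknown RADIUS attributes next to one that honours the Diameter AVP Mandatory (M) bit. The function names, attribute type 224 and AVP code 99999 are assumptions made up for the illustration, and vendor-specific AVPs are simply treated as unknown.

```python
import struct

KNOWN_RADIUS = {1}        # attribute types this receiver implements (1 = User-Name)
KNOWN_DIAMETER = {1}      # IETF AVP codes this receiver implements (1 = User-Name)
V_BIT, M_BIT = 0x80, 0x40 # Diameter AVP flags: Vendor-Specific, Mandatory

class UnsupportedMandatoryAVP(Exception):
    """Unknown AVP with the M bit set: the message must be rejected."""

def parse_radius(attrs: bytes):
    """Split RADIUS attributes into (understood, ignored) type lists."""
    understood, ignored, i = [], [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        a_type, a_len = attrs[i], attrs[i + 1]
        # No per-attribute flag exists, so an unknown type can only be skipped.
        (understood if a_type in KNOWN_RADIUS else ignored).append(a_type)
        i += a_len
    return understood, ignored

def parse_diameter(avps: bytes):
    """Split Diameter AVPs into (understood, ignored) code lists, honouring the M bit."""
    understood, ignored, i = [], [], 0
    while i < len(avps):
        if i + 8 > len(avps):
            raise ValueError("truncated AVP header")
        code, word = struct.unpack_from("!II", avps, i)
        flags, a_len = word >> 24, word & 0xFFFFFF
        if a_len < (12 if flags & V_BIT else 8) or i + a_len > len(avps):
            raise ValueError("malformed AVP length")
        if code in KNOWN_DIAMETER and not flags & V_BIT:
            understood.append(code)
        elif flags & M_BIT:
            raise UnsupportedMandatoryAVP(code)   # sender demanded understanding
        else:
            ignored.append(code)
        i += (a_len + 3) & ~3                     # AVPs are padded to 4 octets
    return understood, ignored

def avp(code: int, flags: int, data: bytes) -> bytes:
    """Build a non-vendor AVP (constructed test input)."""
    return struct.pack("!II", code, (flags << 24) | (8 + len(data))) + data + b"\0" * (-len(data) % 4)

# Constructed samples: type 224 and code 99999 are placeholders for a new,
# security-sensitive element that this receiver does not implement.
RADIUS_SAMPLE = bytes([1, 5]) + b"bob" + bytes([224, 6]) + b"\x00\x00\x00\x01"
DIAMETER_OPTIONAL = avp(1, M_BIT, b"bob") + avp(99999, 0, b"\x00\x00\x00\x01")
DIAMETER_MANDATORY = avp(1, M_BIT, b"bob") + avp(99999, M_BIT, b"\x00\x00\x00\x01")
```

The RADIUS sample parses without any signal that the unknown attribute was dropped, while the Diameter sample with the M bit set fails closed.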