RE: The RADIUS attribute space: an assessment
- To: "Alan DeKok" <aland@nitros9.org>, "Greg Weber \(gdweber\)" <gdweber@cisco.com>
- Subject: RE: The RADIUS attribute space: an assessment
- From: "Glen Zorn \(gwz\)" <gwz@cisco.com>
- Date: Wed, 28 Jun 2006 19:33:10 -0700
- Cc: <radiusext@ops.ietf.org>
Alan DeKok <> supposedly scribbled:
> "Greg Weber \(gdweber\)" <gdweber@cisco.com> wrote:
>> Do you have any more info about what makes Diameter difficult to
>> deploy? Is it security setup? config changes?
>> Or just that any change at all is difficult?
>
> A large part is that any change is difficult.
>
> A similar part is the comment about Open Source servers. Let's not
> underestimate the number of AAA server deployments that happen
> because someone had a spare whitebox, and a few hours to play around.
>
> Also, capital costs show up in budgets, and incur pushback from
> accounting types. Time spent on salaries is less problematic,
> because the perception is that those costs are already accounted for.
>
>> Is Diameter more difficult to deploy than IPsec protected RADIUS?
>
> Absolutely. Diameter involves an upgrade of your existing RADIUS
> server to, what exactly? Something without LDAP/SQL/foo support,
> that includes your custom batch files or Perl scripts?
>
> That doesn't sell well.
>
> In contrast, RADIUS + IPSec is an incremental approach over what
> people have now. If people already have both systems separately
> deployed, it's simply integration, which is fairly simple.
>
>> More difficult than RADIUS with CoA?
>
> A lot of people don't use CoA, so that isn't a problem. And for
> the people who do, most don't proxy CoA packets around the Internet.
> Instead, they run a script with a dumb RADIUS client that sends
> packets to the NAS, on the local network.
>
> RADIUS server upgrade for CoA? Who needs that?
You are making an excellent argument for _not_ extending RADIUS.
>
> Oh... the large telecom providers, who *do* send CoA packets
> backwards across the net, through chains of proxies. But there's a
> better way: Diameter.
>
> So once again, they deploy Diameter, and no one else does.
That's just fine: I happen to think that RADIUS is a great protocol within its limitations & I certainly wouldn't suggest that everyone on Earth rip out RADIUS & replace it w/Diameter. However, saying that (which seems to be about what you are saying, too) hardly implies that we need to continue to patch, stretch & mutilate _standard_ RADIUS into some twisted simulacrum of Diameter. There are doubtless many applications for which RADIUS _as it is_ is & always will be the best choice; all I'm saying is let's leave it at that & move on. Maybe it's "self-congratulatory", maybe even self-aggrandizing, but I'd just like to note that the problem under discussion (the exhaustion of the RADIUS attribute space, if you'll recall) has already been solved.
>
> Alan DeKok.
Hope this helps,
~gwz
Why is it that most of the world's problems can't be solved by simply
listening to John Coltrane? -- Henry Gabriel
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>