[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on "practical deployments"

To: "David B. Nelson" <dnelson@elbrysnetworks.com>
Subject: Re: Comments on "practical deployments"
From: Alan DeKok <aland@nitros9.org>
Date: Thu, 27 Dec 2007 19:38:00 +0100
Cc: radiusext@ops.ietf.org
In-reply-to: <002d01c848a4$aae0ba30$5d1216ac@xpsuperdvd2>
References: <tslabo4d851.fsf@mit.edu> <BAY117-W1792E6240C29062FF9B6F2935F0@phx.gbl> <47729414.9070608@nitros9.org> <BAY117-DS2531749CE88B51BFA1941935B0@phx.gbl> <4772AC0D.1000401@nitros9.org> <BAY117-W3433D8E315C9DE7FCAE78C935B0@phx.gbl> <BAY117-W3758C09D67E3325B1B40B2935B0@phx.gbl> <47732F83.1000907@nitros9.org> <002d01c848a4$aae0ba30$5d1216ac@xpsuperdvd2>
User-agent: Thunderbird 2.0.0.6 (X11/20071022)

David B. Nelson wrote:
> I'm surprised to hear that (IPsec usage).  Is this in selected topologies or
> deployment scenarios?  If IPsec were really used for most RADIUS
> transmissions, wouldn't we have already solved the Crypto-Agility problem?

  Most roaming providers and large companies do AAA interchange via IPSec.

  IPSec doesn't solve Crypto-Agility because there's no way for the
RADIUS server to discover, or enforce, authentication and encryption
policies.  The only security relationships between the two are
maintained in administrators heads, or in scripts tying the two systems
together.  Neither method is scalable, maintainable, or standardizable.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- RE: [ Comments on automated key management and crypto agility
  - From: Bernard Aboba <bernard_aboba@hotmail.com>
- Re: [ Comments on automated key management and crypto agility
  - From: Alan DeKok <aland@nitros9.org>
- Re: Comments on "practical deployments"
  - From: <Bernard_Aboba@hotmail.com>
- Re: Comments on "practical deployments"
  - From: Alan DeKok <aland@nitros9.org>
- RE: Comments on "practical deployments"
  - From: Bernard Aboba <bernard_aboba@hotmail.com>
- RE: Comments on "practical deployments"
  - From: Bernard Aboba <bernard_aboba@hotmail.com>
- Re: Comments on "practical deployments"
  - From: Alan DeKok <aland@nitros9.org>
- RE: Comments on "practical deployments"
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>

Prev by Date: Re: Comments on "practical deployments"
Next by Date: Re: RADEXT WG last call on RADIUS Design Guidelines Document
Previous by thread: RE: Comments on "practical deployments"
Next by thread: RE: Comments on "practical deployments"
Index(es):
- Date
- Thread