[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Comments on "practical deployments"
David B. Nelson wrote:
> I'm surprised to hear that (IPsec usage). Is this in selected topologies or
> deployment scenarios? If IPsec were really used for most RADIUS
> transmissions, wouldn't we have already solved the Crypto-Agility problem?
Most roaming providers and large companies do AAA interchange via IPSec.
IPSec doesn't solve Crypto-Agility because there's no way for the
RADIUS server to discover, or enforce, authentication and encryption
policies. The only security relationships between the two are
maintained in administrators heads, or in scripts tying the two systems
together. Neither method is scalable, maintainable, or standardizable.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>