RE: [HOKEY] a transparent proposal
> -----Original Message-----
> From: owner-radiusext@ops.ietf.org
> [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Bernard Aboba
> Sent: Wednesday, January 09, 2008 12:18 AM
> To: Alan DeKok
> Cc: Hannes Tschofenig; barney@databus.com; hokey@ietf.org;
> radiusext@ops.ietf.org
> Subject: RE: [HOKEY] a transparent proposal
>
>
> > It is up to that domain to ensure all of its AAA servers have the
> > same policy. This includes managing state for multiple login
> > detection, and potentially re-auth keys.
>
> Doesn't this imply a significant degree of complexity? For
> example, one argument for the RFC 4507 PAC is that avoiding
> server-side state enables better scaling and authentication
> performance, because RADIUS servers don't replicate TLS key
> state. It's hard to reconcile that argument with the idea of
> having the domain keeping track of server side state.
>
> If there is a way to push that state on the peer, things
> would be much simpler. For example, if the ERX exchange were
> to leave the peer with an NAI identifying the "local server"
> and corresponding key state, then the peer could use that
> "re-auth" NAI in subsequent requests.
>
That is what is done. The peer performs the ERP exchange with
"rIKName@localdomain", where the "rIKName" is the name of the
reauthentication integrity key that is used to authenticate the ERP
exchange and "localdomain" identifies the domain name of the local ER
server. For local domains that replicate key material, this domain name
may actually route to one of the multiple local ER servers; for local
domains that strictly have one server, they have the burden of providing
local domain names that are server-specific.

The peer learns the local domain name at the time of ERX bootstrapping
and uses that, along with the corresponding rIKName as the username part
of its NAI at the time of reauthentication.
Vidya
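The NAI construction described in the reply above, as an added illustration that is not part of the thread or of any ERP implementation: the peer keeps the local domain name and rIK learned at bootstrapping, presents "rIKName@localdomain" at reauthentication, and the local ER server routes on the realm, looks the rIK up by rIKName and checks the integrity tag. The HMAC-SHA256 tag, the message layout and the 32-byte key are constructed assumptions, not the RFC 5296 wire format.

```python
import hmac
import hashlib
import os

# Constructed example: peer-side state learned at ERX bootstrapping is a dict
# {rik_name, local_domain, rik}; server-side state is just {rIKName: rIK}.
# HMAC-SHA256 over "nai|seq" stands in for the real ERP integrity checksum.

def reauth_nai(rik_name: str, local_domain: str) -> str:
    """Build the NAI the peer presents at reauthentication: rIKName@localdomain."""
    if "@" in rik_name or not local_domain:
        raise ValueError("rIKName must not contain '@' and a local domain is required")
    return f"{rik_name}@{local_domain}"

def split_nai(nai: str):
    """Split an NAI into (username, realm); the realm is what AAA routing uses."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"malformed NAI: {nai!r}")
    return user, realm

def peer_reauth_request(state: dict, seq: int) -> dict:
    """Peer side: request authenticated with the rIK named in the NAI."""
    nai = reauth_nai(state["rik_name"], state["local_domain"])
    body = f"{nai}|{seq}".encode()
    tag = hmac.new(state["rik"], body, hashlib.sha256).digest()
    return {"nai": nai, "seq": seq, "tag": tag}

def er_server_verify(server_domain: str, rik_table: dict, req: dict) -> str:
    """Local ER server: check realm, look up the rIK by rIKName, verify the tag."""
    user, realm = split_nai(req["nai"])
    if realm != server_domain:
        return "wrong-domain"       # should have been routed to another ER server
    rik = rik_table.get(user)
    if rik is None:
        return "unknown-rIKName"    # this server never received (or replicated) the key
    body = f"{req['nai']}|{req['seq']}".encode()
    expected = hmac.new(rik, body, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, req["tag"]) else "bad-integrity"

if __name__ == "__main__":
    rik = os.urandom(32)   # constructed key; in ERP it is derived from the EMSK
    peer = {"rik_name": "rIK-0001", "local_domain": "er1.example.net", "rik": rik}
    req = peer_reauth_request(peer, seq=1)
    print(req["nai"], er_server_verify("er1.example.net", {"rIK-0001": rik}, req))
```

The "wrong-domain" and "unknown-rIKName" outcomes are the two cases the reply distinguishes: a domain name that reaches a server without the key must not happen unless the domain replicates key material.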
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>