Abstract

The current text is a bit wordy. How about this?

This document describes Remote Authentication Dial-In User Service (RADIUS) attributes for the authorization and service provisioning of Network Access Servers (NASes). Both local and remote management are supported, with granular access rights and management privileges. Specific provisions are made for remote management via framed management protocols, and for specification of a protected transport protocol.

Section 7.1
I don't think you need to repeat much of Section 5.6 of RFC 2865. Why not just reference it instead? Here is some recommended text for this section:

7.1. Service-Type

The Service-Type attribute is defined in Section 5.6 of RFC 2865 [RFC2865]. This document defines a new value of the Service-Type Attribute:

   (TBA) Framed-Management

The semantics of the Framed-Management service are as follows:

   Framed-Management   A framed management protocol session should be started on the NAS.

Section 8.1
The Framed-Management-Protocol attribute indicates the application-layer management protocol to be used for framed management access. It MAY be used in both Access-Request and Access-Accept packets.

[BA] Please add a sentence explaining the semantics in this usage. For example, in the Access-Request I assume that this Attribute describes the protocol that the client is using for remote administration. What does it mean in an Access-Accept? For example, what does the NAS do if the value in the Access-Accept is different from the protocol that is being used? Does it disconnect?
The acronyms used in the above table expand as follows:

o SNMP: Simple Network Management Protocol.

[BA] Please add a reference.

o Web-based: Use of an embedded web server in the NAS for management via a generic web browser client. The interface presented to the administrator may be graphical, tabular or textual. The protocol is HTML over HTTP. The protocol may optionally be HTML over HTTPS, i.e. using HTTP over TLS.

[BA] Please add a reference to the HTTP and HTTPS specifications.

o NETCONF: Management via the NETCONF protocol using XML over supported transports (e.g. HTTP, BEEP, SOAP). As secure transport profiles are defined for NETCONF, the list of transport options may expand.

[BA] Please add a reference to the NETCONF specification.

o FTP: File Transfer Protocol, used to transfer configuration files to and from the NAS.

[BA] Please add a reference to the FTP specification.

o TFTP: Trivial File Transfer Protocol, used to transfer configuration files to and from the NAS.

[BA] Please add a reference to the TFTP specification.

o CP: CP (file copy) protocol, used to transfer configuration files to and from the NAS.

[BA] What is the CP protocol? Do you mean RCP? Please add a reference.

Section 8.2
[BA] What packets can this attribute be included in? Access-Request & Access-Accept? What are the semantics in each case? For example, in an Access-Request is this the level of protection that is being used? What if the value in an Access-Accept is different (e.g. higher) than that in use? For example, if confidentiality & integrity is being requested, but the session is protected with TLS and an integrity-only ciphersuite? Is the session dropped?

o Confidentiality-Protection: The management session requires protection in a secure or protected transport, that is supported by the management access protocol and implementation. The secure transport MUST provide Confidentiality Protection.

[BA] Does this option really make sense? When would you want Confidentiality but not integrity? Isn't this dangerous?
Section 8.3

Therefore, two or more occurrences of this attribute SHOULD NOT be included in a single service provisioning message, such as Access-Accept or CoA.

[BA] I think you mean Change-of-Authorization Request (CoA-Request) here.
Section 8.4
It MAY be used in both Access-Request and Access-Accept packets.

[BA] The table indicates that it can only be included in Access-Accept packets.
Section 9
The examples use the Transport-Protocol Attribute, which is not defined in this document any more. Also, please include the value of NAS-Port-Type in the examples.
Section 11
I'd recommend moving this to a sub-section under Security Considerations.
Section 13
This section needs to be rewritten to list the new attributes for which numbers are being requested, as well as the new value for Service-Type.
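Added example, not part of the review above nor of the draft it comments on: a NAS-side check that compares the management session actually in progress with what an Access-Accept provisions. The review asks what a NAS should do when the Framed-Management-Protocol or Management-Transport-Protection value in an Access-Accept differs from what is in use, and the draft excerpt quoted above does not answer. The policy implemented here is an assumption for illustration: the session is kept only if the Service-Type is Framed-Management, the provisioned protocol (when present) matches the one in use, and the transport in use provides every property the provisioned protection option requires. The option names other than Confidentiality-Protection, the transport-to-property mapping and the `tls-integrity-only` transport are likewise assumed, the last one modelling the reviewer's integrity-only ciphersuite example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet

# Transport protection options modelled as the set of properties a transport
# must provide. Only "Confidentiality-Protection" appears in the excerpt
# above; the other three names are assumed for this example.
PROTECTION_OPTIONS = {
    "No-Protection": frozenset(),
    "Integrity-Protection": frozenset({"integrity"}),
    "Confidentiality-Protection": frozenset({"confidentiality"}),
    "Integrity-Confidentiality-Protection": frozenset({"integrity", "confidentiality"}),
}

# What each transport in use actually delivers (assumed mapping). A TLS
# session negotiated with an integrity-only ciphersuite gives integrity but
# no confidentiality, which is the case the reviewer asks about.
TRANSPORT_PROPERTIES = {
    "cleartext": frozenset(),
    "tls-integrity-only": frozenset({"integrity"}),
    "tls": frozenset({"integrity", "confidentiality"}),
    "ssh": frozenset({"integrity", "confidentiality"}),
}


@dataclass(frozen=True)
class ManagementSession:
    """The framed management session the NAS currently has open."""
    protocol: str      # e.g. "SNMP", "NETCONF", "Web-based"
    transport: str     # a key of TRANSPORT_PROPERTIES


@dataclass(frozen=True)
class AccessAccept:
    """The subset of Access-Accept attributes relevant to this check."""
    service_type: str
    framed_management_protocol: Optional[str] = None
    management_transport_protection: Optional[str] = None


def evaluate(session: ManagementSession, accept: AccessAccept) -> Tuple[str, str]:
    """Decide whether the NAS keeps or disconnects the session.

    Returns ("keep", reason) or ("disconnect", reason). The strictness here
    (any shortfall disconnects) is an assumed policy, not the draft's.
    """
    if accept.service_type != "Framed-Management":
        return "disconnect", "Service-Type is not Framed-Management"

    wanted = accept.framed_management_protocol
    if wanted is not None and wanted != session.protocol:
        return "disconnect", "Access-Accept provisions %s but session uses %s" % (
            wanted, session.protocol)

    option = accept.management_transport_protection
    if option is not None:
        required: FrozenSet[str] = PROTECTION_OPTIONS[option]
        provided: FrozenSet[str] = TRANSPORT_PROPERTIES[session.transport]
        missing = required - provided
        if missing:
            # e.g. Integrity-Confidentiality-Protection required, but the
            # integrity-only ciphersuite provides no confidentiality.
            return "disconnect", "transport %s lacks %s" % (
                session.transport, ", ".join(sorted(missing)))

    return "keep", "session satisfies the Access-Accept"


if __name__ == "__main__":
    # Constructed inputs: the reviewer's integrity-only ciphersuite scenario.
    sess = ManagementSession(protocol="NETCONF", transport="tls-integrity-only")
    acc = AccessAccept("Framed-Management", "NETCONF",
                       "Integrity-Confidentiality-Protection")
    print(evaluate(sess, acc))
```

Because requirements are compared as property sets rather than as an ordered scale, a Confidentiality-Protection requirement is satisfied by any transport that encrypts, whether or not it authenticates the data, which is exactly why the reviewer questions that option.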