
draft-chiba-radius-dynamic-authorization-18
Section 5.3 says:

When IPsec ESP is used with RADIUS, DES-CBC SHOULD NOT be used as the
encryption transform, and per-packet authentication, integrity and
replay protection MUST be used. A typical IPsec policy for an IPsec-
capable RADIUS client is "Initiate IPsec, from me to any destination
port UDP 1812".

This causes an IPsec SA to be set up by the RADIUS client prior to
sending RADIUS traffic. If some RADIUS servers contacted by the client
do not support IPsec, then a more granular policy will be required:
"Initiate IPsec, from me to IPsec-Capable-RADIUS-Server, destination
port UDP 1812".

I agree that DES-CBC should not be used; however, we ought to tell the implementors what algorithm ought to be used for interoperability. Further, the text requires integrity protection, but no integrity mechanisms are discussed. Also, the discussion of IPsec policy should not be split between these two paragraphs.

I propose the following:

When IPsec ESP is used with RADIUS, per-packet authentication,
integrity and replay protection MUST be used. AES-CBC SHOULD be
used as the encryption transform, and HMAC-SHA1-96 SHOULD be used
as the authentication function. DES-CBC SHOULD NOT be used as the
encryption transform.

A typical IPsec policy for an IPsec-capable RADIUS client is
"Initiate IPsec, from me to any destination port UDP 1812". This
IPsec policy causes an IPsec SA to be set up by the RADIUS client
prior to sending RADIUS traffic. If some RADIUS servers contacted
by the client do not support IPsec, then a more granular policy
will be required: "Initiate IPsec, from me to
IPsec-Capable-RADIUS-Server, destination port UDP 1812".

Later in section 5.3, the text says: "... it is important that trust be demonstrated ..." In this context, "trust" is very ambiguous. Please reword. I think that the paragraph should discuss "authentication" and "authorization."

Later in section 5.3, change "Certificate Authority (CA)" to "Certification Authority (CA)."
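As an added illustration, not part of the draft or of this message, the more granular policy proposed above ("Initiate IPsec, from me to IPsec-Capable-RADIUS-Server, destination port UDP 1812"), together with the recommended ESP transforms, could be expressed in a strongSwan swanctl.conf like this (the addresses, connection names and certificate file name are constructed for the example):

```conf
connections {
    radius-granular {
        # This host is the RADIUS client; the peer is one IPsec-capable
        # RADIUS server. Both addresses are constructed for the example.
        local_addrs  = 192.0.2.10
        remote_addrs = 192.0.2.50
        version = 2
        local {
            auth  = pubkey
            certs = radius-client.pem      # assumed certificate file name
        }
        remote {
            auth = pubkey
        }
        children {
            radius-auth {
                # Selectors: from me, UDP, to the server's UDP port 1812 only.
                local_ts  = dynamic[udp]
                remote_ts = 192.0.2.50/32[udp/1812]

                # ESP with AES-CBC (128-bit key) for encryption and
                # HMAC-SHA1-96 for per-packet authentication/integrity,
                # as in the proposed text. DES-CBC (and 3DES) are omitted
                # from the proposal list on purpose.
                esp_proposals = aes128-sha1

                # Anti-replay window for the CHILD_SA (ESP sequence numbers).
                replay_window = 64

                # A trap policy installs the SPD entry now and initiates the
                # SA the first time matching RADIUS traffic is sent, i.e.
                # before any RADIUS packet leaves in the clear.
                start_action = trap
            }
        }
    }
}
```

The only RADIUS packets that match this policy are those sent to 192.0.2.50:1812, so RADIUS servers that do not support IPsec are left untouched, which is the reason the draft text calls for the more granular form.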