[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: draft-chiba-radius-dynamic-authorization-18
- To: iesg@ietf.org
- Subject: Re: draft-chiba-radius-dynamic-authorization-18
- From: Bernard Aboba <aboba@internaut.com>
- Date: Thu, 15 May 2003 06:15:47 -0700 (PDT)
- In-reply-to: <E19GDg9-0000lW-1g@roam.psg.com>
- References: <E19GDg9-0000lW-1g@roam.psg.com>
A version of the draft addressing these comments (as well as more recent
comments from the AAA WG) is available here:
http://www.drizzle.com/~aboba/IEEE/draft-chiba-radius-dynamic-authorization-20.txt
Note that the AAA WG comments relating to Diameter compatibility have
required some significant changes relating to use of the Service-Type
attribute; these are described in Notes 6 and 7 in Section 3.2.
On Thu, 15 May 2003, Randy Bush wrote:
> ------- start of forwarded message -------
> From: Russ Housley <housley@vigilsec.com>
> To: iesg-secretary@ietf.org
> Cc: iesg@ietf.org
> Subject: draft-chiba-radius-dynamic-authorization-18
> Date: Wed, 14 May 2003 09:57:10 -0400
>
>
> Section 5.3 says:
>
> When IPsec ESP is used with RADIUS, DES-CBC SHOULD NOT be used as the
> encryption transform, and per-packet authentication, integrity and
> replay protection MUST be used. A typical IPsec policy for an IPsec-
> capable RADIUS client is "Initiate IPsec, from me to any destination
> port UDP 1812".
>
> This causes an IPsec SA to be set up by the RADIUS client prior to
> sending RADIUS traffic. If some RADIUS servers contacted by the client
> do not support IPsec, then a more granular policy will be required:
> "Initiate IPsec, from me to IPsec-Capable-RADIUS-Server, destination
> port UDP 1812".
>
> I agree that DES-CBC should not be used; however, we ought to tell the
> implementors what algorithm ought to be used for
> interoperability. Further, the text requires integrity protection, but no
> integrity mechanisms are discussed. Also, the discussion of IPsec policy
> should not be split between these two paragraphs.
>
> I propose the following:
>
> When IPsec ESP is used with RADIUS, per-packet authentication,
> integrity and replay protection MUST be used. AES-CBC SHOULD be
> used as the encryption transform, and HMAC-SHA1-96 SHOULD be used
> as the authentication function. DES-CBC SHOULD NOT be used as the
> encryption transform.
>
> A typical IPsec policy for an IPsec-capable RADIUS client is
> "Initiate IPsec, from me to any destination port UDP 1812". This
> IPsec policy causes an IPsec SA to be set up by the RADIUS client
> prior to sending RADIUS traffic. If some RADIUS servers contacted
> by the client do not support IPsec, then a more granular policy
> will be required: "Initiate IPsec, from me to
> IPsec-Capable-RADIUS-Server, destination port UDP 1812".
>
> Later in section 5.3, the text says: "... it is important that trust be
> demonstrated ..." In this context, "trust" is very ambiguous. Please
> reword. I think that the paragraph should discuss "authentication" and
> "authorization."
>
> Later in section 5.3, change "Certificate Authority (CA)" to
> "Certification Authority (CA)."
>
>
> ------- end of forwarded message -------
>