[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-chiba-radius-dynamic-authorization-18

To: iesg@ietf.org
Subject: Re: draft-chiba-radius-dynamic-authorization-18
From: Bernard Aboba <aboba@internaut.com>
Date: Thu, 15 May 2003 06:15:47 -0700 (PDT)
In-reply-to: <E19GDg9-0000lW-1g@roam.psg.com>
References: <E19GDg9-0000lW-1g@roam.psg.com>

A version of the draft addressing these comments (as well as more recent
comments from the AAA WG) is available here:

http://www.drizzle.com/~aboba/IEEE/draft-chiba-radius-dynamic-authorization-20.txt

Note that the AAA WG comments relating to Diameter compatibility have
required some significant changes relating to use of the Service-Type
attribute; these are described in Notes 6 and 7 in Section 3.2.



On Thu, 15 May 2003, Randy Bush wrote:

> ------- start of forwarded message -------
> From: Russ Housley <housley@vigilsec.com>
> To: iesg-secretary@ietf.org
> Cc: iesg@ietf.org
> Subject: draft-chiba-radius-dynamic-authorization-18
> Date: Wed, 14 May 2003 09:57:10 -0400
>
>
>    Section 5.3 says:
>
>      When IPsec ESP is used with RADIUS, DES-CBC SHOULD NOT be used as the
>      encryption transform, and per-packet authentication, integrity and
>      replay protection MUST be used.  A typical IPsec policy for an IPsec-
>      capable RADIUS client is "Initiate IPsec, from me to any destination
>      port UDP 1812".
>
>      This causes an IPsec SA to be set up by the RADIUS client prior to
>      sending RADIUS traffic.  If some RADIUS servers contacted by the client
>      do not support IPsec, then a more granular policy will be required:
>      "Initiate IPsec, from me to IPsec-Capable-RADIUS-Server, destination
>      port UDP 1812".
>
>    I agree that DES-CBC should not be used; however, we ought to tell the
> implementors what algorithm ought to be used for
> interoperability.  Further, the text requires integrity protection, but no
> integrity mechanisms are discussed.  Also, the discussion of IPsec policy
> should not be split between these two paragraphs.
>
>    I propose the following:
>
>      When IPsec ESP is used with RADIUS, per-packet authentication,
>      integrity and replay protection MUST be used.  AES-CBC SHOULD be
>      used as the encryption transform, and HMAC-SHA1-96 SHOULD be used
>      as the authentication function.  DES-CBC SHOULD NOT be used as the
>      encryption transform.
>
>      A typical IPsec policy for an IPsec-capable RADIUS client is
>      "Initiate IPsec, from me to any destination port UDP 1812".  This
>      IPsec policy causes an IPsec SA to be set up by the RADIUS client
>      prior to sending RADIUS traffic.  If some RADIUS servers contacted
>      by the client do not support IPsec, then a more granular policy
>      will be required: "Initiate IPsec, from me to
>      IPsec-Capable-RADIUS-Server, destination port UDP 1812".
>
>    Later in section 5.3, the text says: "... it is important that trust be
> demonstrated ..."  In this context, "trust" is very ambiguous.  Please
> reword.  I think that the paragraph should discuss "authentication" and
> "authorization."
>
>    Later in section 5.3, change "Certificate Authority (CA)" to
> "Certification Authority (CA)."
>
>
> ------- end of forwarded message -------
>

Follow-Ups:
- Re: draft-chiba-radius-dynamic-authorization-18
  - From: Russ Housley <housley@vigilsec.com>

Prev by Date: FW: your comments on draft-ietf-ppvpn-framework-08.txt
Next by Date: FINAL: IESG Telechat for May 15, 2003
Previous by thread: draft-chiba-radius-dynamic-authorization-18
Next by thread: Re: draft-chiba-radius-dynamic-authorization-18
Index(es):
- Date
- Thread