Re: Review of draft-lior-radius-bandwidth-capability-00.txt
Bernard Aboba <aboba@internaut.com> wrote:
> [BA] One thing to keep in mind is that bandwidth increases an order of
> magnitude every 3 years. 10 terabits might seem like a lot, but we are
> at 10 Gbps now, and increasing by 3 orders of magnitude will only take a
> decade. So my recommendation is to look at a 64-bit attribute.
I'm not opposed to 64-bit attributes, but introducing them is a
major change to RADIUS. Not all platforms support 64-bit operations,
making *full* implementation of 64-bit attributes problematic.
That being said, hardware is cheap enough & compilers are smart
enough that 64-bit support shouldn't be too problematic.
> [BA] Are you saying that Message-Authenticator is required in an
> Access-Request including bandwidth attributes? Today we require
> Message-Authenticator for use with EAP & Digest, but not with legacy
> mechanisms (PAP, CHAP). I guess this draft won't be used along with
> legacy mechanisms, so perhaps this would be ok.
My preference for the "issues & fixes" draft is to STRONGLY suggest
that all new implementations always add Message-Authenticator to the
packet. This avoids a number of attack vectors.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
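
An added illustration, not part of the original message or of any RADIUS implementation: Message-Authenticator on an Access-Request as defined in RFC 3579 (HMAC-MD5 keyed with the shared secret, computed over the packet with the attribute's 16-byte value zeroed), together with a receiver check that rejects unsigned or altered requests. The function names, the shared secret and the User-Name value are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, USER_NAME, MESSAGE_AUTHENTICATOR = 1, 1, 80

def attr(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, secret, attrs, request_auth=None):
    """Build an Access-Request whose first attribute is Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    # The 16-byte value is zero while the HMAC is computed, then filled in.
    body = attr(MESSAGE_AUTHENTICATOR, bytes(16)) + b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = bytearray(header + request_auth + body)
    packet[22:38] = hmac.new(secret, packet, hashlib.md5).digest()
    return bytes(packet)

def verify_access_request(packet, secret, require=True):
    """Return True only if the request carries a valid Message-Authenticator."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if packet[0] != ACCESS_REQUEST or not 20 <= length <= len(packet):
        return False
    packet, pos, value_at = packet[:length], 20, None
    while pos < length:  # walk the attribute list, rejecting malformed lengths
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return False
        if packet[pos] == MESSAGE_AUTHENTICATOR:
            if packet[pos + 1] != 18 or value_at is not None:
                return False  # wrong size or duplicated attribute
            value_at = pos + 2
        pos += packet[pos + 1]
    if value_at is None:
        return not require  # local policy: unsigned requests fail by default
    zeroed = packet[:value_at] + bytes(16) + packet[value_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[value_at:value_at + 16])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample values
    pkt = build_access_request(7, secret, [attr(USER_NAME, b"alice")])
    print(verify_access_request(pkt, secret))
    tampered = pkt[:40] + b"m" + pkt[41:]  # alter one byte of User-Name
    print(verify_access_request(tampered, secret))
```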