RE: RADIUS keywrap attributes
Bernard Aboba <> supposedly scribbled:
>>> I was under the impression that this was outside the scope of the WG
>>> charter. Has this changed recently?
>
> The RADEXT WG charter was written based on liaison requests from SDOs
> including IEEE 802.11. The IEEE 802 attribute draft, developed to
> respond to those requests, included keying attributes from the
> beginning.
The keying attribute you mention was such in name only; it provided no security for the encapsulated key, since it was assumed that security would be supplied by running RADIUS over IPsec.
> So yes, keying attributes are within the RADEXT WG charter.
I suppose that, as David mentioned, this is a matter that is open to interpretation. However, the current charter states that "No new security mechanisms will be defined for protecting RADIUS." Taking the position (which I think reasonable) that RADIUS includes attributes and their allowable contents, it would seem to me that an attribute that cryptographically protects its contents is, in fact, a new security mechanism.
>
> While keying attributes are within the scope of the RADEXT WG
> charter, I am not clear what the criteria are for IESG approval.
> Satisfying the requirements in "AAA Key Management" (draft-housley)
> could prove quite difficult. One of the requirements of
> draft-housley is to avoid disclosure of keying material to
> unauthorized parties. This hurdle was overcome in RFC 4072 using
> Diameter redirect.
It's not at all clear that the redirect technique actually solves any problem; for example, the keying problem is basically ignored, although there are probably ways to solve it.
>
> However, it is not clear to me that it would be possible to retrofit
> a redirect mechanism within RADIUS. Since CMS failed to gain
> traction within Diameter, I see no reason why that would be viable
> for RADIUS, either. The presentation at IETF 63 discussed a number
> of other alternatives, some of which are subjects of current research
> (the DNSSEC approach under development within Terena).
Hope this helps,
~gwz
Why is it that most of the world's problems can't be solved by simply
listening to John Coltrane? -- Henry Gabriel
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>