Re: draft-ietf-radext-digest-auth-06



Hi,

On Mon, Oct 17, 2005 at 12:07:09PM +0200, wolfgang.beck01@t-online.de wrote:

> The latest version of the draft no longer contains a link between
> sips/https and RADIUS. However, the Security Considerations section names
> refusing sips/https requests as one non-normative option to avoid the
> security level mismatch of sips/https and unencrypted RADIUS:
> 
> "To prevent RADIUS from representing the weak link, a RADIUS
> client receiving an HTTP-style request via TLS or IPsec could use an
> equally secure connection to the RADIUS server.  There are several
> ways to achieve this, for example:
>    o  the RADIUS client may reject HTTP-style requests received over TLS
>       or IPsec
>    o  the RADIUS client require that traffic be sent and received over
>       IPsec.
> RADIUS over IPsec, if used, MUST conform to the requirements
> described in [RFC3579] section 4.2."

s/weak/weakest, I guess?

and I suggest another option:

  o the RADIUS traffic only passes networks secured by other means,
    e.g. networks that are separated from the Internet on the IP layer or
    below.

Cheers,


Emile

-- 
E-Advies - Emile van Bergen           emile@e-advies.nl      
tel. +31 (0)78 6136282           http://www.e-advies.nl    
