[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Comments on draft-ietf-radext-digest-auth-06.txt (fwd)

To: radiusext@ops.ietf.org
Subject: Comments on draft-ietf-radext-digest-auth-06.txt (fwd)
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
Date: Wed, 16 Nov 2005 16:22:45 -0800
Bcc:

RFC 3072 Section 1.1 talks about the requirements for RADIUS DigestAuthentication:


  Nevertheless, a few limited RADIUS [5]
  extensions may meet some of the requirements in this document (for
  instance, some of the authentication requirements).  We expect that
  while RADIUS with these limited extensions will meet particular
  functional requirements, it will not meet other important
  requirements.  The following are some requirements that are not
  expected to be met by RADIUS:

     1. Section 2.1.3: RADIUS does not support a discovery feature.

     2. Section 2.1.7: RADIUS does not support reliable message
        delivery.

  The following list contains the requirements that can be met by
  RADIUS or RADIUS extensions.

     1. Section 2.1.2: Communication between domains does not scale
        well in RADIUS.  As a result, inter-domain communications are
        typically handled using a proxy architecture [6].

     2. Section 2.1.5: RADIUS clients would need to support Dynamic
        Authorization [7].

     3. Section 2.1.9: RADIUS clients would need to rely on a lower-
        layer security protocol, such as IPSec, to perform mutual
        authentication.

     4. Section 2.3.3: RADIUS clients would need to support Dynamic
        Authorization [7].

     5. Section 2.3.4: RADIUS clients would need to support Dynamic
        Authorization [7].



---------- Forwarded message ----------
Date: Wed, 16 Nov 2005 15:43:09 -0500
From: Lou Berger <lberger@movaz.com>
To: Bernard Aboba <aboba@internaut.com>
Cc: beckw@t-systems.com, lberger@labn.net
Subject: Comments on draft-ietf-radext-digest-auth-06.txt

Bernard, (Wolfgang),

	Per our discussion in Vancouver, I've re-read

draft-ietf-radext-digest-auth-06.txt from the perspective of SIPauthorizationand also comparing it to draft-ietf-aaa-diameter-sip-app-10.txt. I thinkyouwere correct (and I wasn't) in the observation that the former does the job,but

I still have a small number of comments:

1. It seems to me that both the SIP and Diameter drafts don't fully supporttherequirements laid out in RFC 3702. Also, neither draft references this RFC.I

found this really surprising.  What is the relationship of the drafts to the

RFC? Is there any intention/desire to have the drafts fully support it?I'm

sure I'm missing something, so what's the "big picture here"?

2. Here are some specific mismatches between the draft and RFC3702, pleaselet

me know if I missed something.  Support for RFC 3702, section:
a) 2.1.5.  Updating SIP Server Entries (and missing reference to RFC 3576)
b) 2.3.2.  Information Transfer
	[I think this implies passing via & route information on the
authorization request as well as handling the response.]
c) 2.4.5.  Support for Accounting on Different Media

3. While not covered in the AAA requirements I think that authorizationbased onrequested media is also needed. I think this is the complement of the(media

related) policy extensions being discussed within the SIPPING WG.

Please let me know what you think.

Much thanks,
Lou



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Prev by Date: RE: Misspelling (was RE:)
Next by Date: AW: Comments on draft-ietf-radext-digest-auth-06.txt (fwd)
Previous by thread: Misspelling (was RE:)
Next by thread: AW: Comments on draft-ietf-radext-digest-auth-06.txt (fwd)
Index(es):
- Date
- Thread