[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: "Last Look" at the RADIUS Design Guidelines document

To: Alan DeKok <aland@deployingradius.com>
Subject: Re: "Last Look" at the RADIUS Design Guidelines document
From: Avi Lior <avi@bridgewatersystems.com>
Date: Wed, 6 Jan 2010 14:28:51 -0500
Accept-language: en-US
Acceptlanguage: en-US
Cc: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, Bernard Aboba <bernard_aboba@hotmail.com>, "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
In-reply-to: <4B44A4E9.4040103@deployingradius.com>
References: <BLU137-DS775603F234B606AC3D29393930@phx.gbl> <AC1CFD94F59A264488DC2BEC3E890DE50951354E@xmb-sjc-225.amer.cisco.com> <4B2C8571.8020800@deployingradius.com> <AC1CFD94F59A264488DC2BEC3E890DE50951362C@xmb-sjc-225.amer.cisco.com> <03F83471-5AA6-4B7F-ABF9-EC2723601ACC@bridgewatersystems.com> <4B444BF2.5060908@deployingradius.com> <27FD2D38-1F47-46B9-B27D-73D6D4C2E4FF@bridgewatersystems.com> <4B44A4E9.4040103@deployingradius.com>

Sorry i have more to say......

Section 2.1.4 makes the following assertion. Exchanging information as a complex type has potential for introducing more security vulnerabilities.

What?

You mean if i have to send the following information element a b c to the client or the server; if i send them concatenated in one attribute as say a String foobar containing a+b+c or that will pose more of a security risk the sending them as three separate attributes.

Help me understand this.....

=====

I think it would be worth while to define the RADIUS model first. Not the old RADIUS model but rather the one that we are all living with today. That model is not really different then Diameter.

Where:

we have an Application layer and a Base layer.

Then define the roles of each.

Where is parsing done and what type of parsing is done.
Which layer is responsible for security and to what extent. It seems that security is the responsibility for both layers but not to the same extent.

The role of the dictionary...

The document intermixes these topics .... and I am telling you this will create confusion

I want a more formal definition.

BTW on that note....in section 1.1 You define RADIUS proxy but the term is never used anywhere!!!! I find that hard to believe - cause I am sure we would have to say something about Proxies.

I think if we did talk about RADIUS as an APplication layer and transport layer etc then we would have to say something about Proxies.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Alan DeKok <aland@deployingradius.com>

References:
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Avi Lior <avi@bridgewatersystems.com>
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Alan DeKok <aland@deployingradius.com>
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Avi Lior <avi@bridgewatersystems.com>
- Re: "Last Look" at the RADIUS Design Guidelines document
  - From: Alan DeKok <aland@deployingradius.com>

Prev by Date: Re: "Last Look" at the RADIUS Design Guidelines document
Next by Date: Re: "Last Look" at the RADIUS Design Guidelines document
Previous by thread: Re: "Last Look" at the RADIUS Design Guidelines document
Next by thread: Re: "Last Look" at the RADIUS Design Guidelines document
Index(es):
- Date
- Thread