--- Begin Message ---
Tim Polk wrote:
> (1) The document is inconsistent regarding the applicability of this protocol.
>
> From the Abstract, where "It" refers to this document:
>
> It is not intended
> to define TCP as a transport protocol for RADIUS in the absence of
> TLS.
>
> but the last paragraph in the Introduction states:
>
> "Bare" TCP transport MAY, however, be used when another method such
> as IPSec [RFC4301] is used to provide additional confidentiality and
> security. Should experience show that such deployments are useful,
> this specification could be moved to standards track.
The abstract should be updated to say "in the absence of a secure
transport layer", instead of referencing TLS directly.
> (2) In a related point, the next to last paragraph in the Introduction states:
>
> Since "bare" TCP does not provide for confidentiality or enable
> negotiation of credible ciphersuites, its use is not appropriate for
> inter-server communications where strong security is required. As a
> result the use of "bare" TCP transport (i.e., without additional
> confidentiality and security) is NOT RECOMMENDED, as there has been
> little or no operational experience with it.
>
> Why isn't this a "MUST NOT be used without TLS, IPsec, or other secure
> upper layer"?
Because it would require stronger security for RADIUS over TCP than
for UDP. That's not a bad idea, but a little odd.
I'll change it for the next rev.
> (3) The security considerations should include a statement along the same lines
> as discussed in (2) - e.g., MUST NOT be used unless TLS or IPsec is used in conjunction.
Added.
Alan DeKok.
--- End Message ---