Re: COMMENT: draft-ietf-radext-tcp-transport

[Alan DeKok <aland@deployingradius.com>]

Adrian Farrel wrote:
> Comment:
> 
> To follow up on Tim Polk's Discuss point 2
> I appreciate the sentiment of the paragraph, but "NOT RECOMMENDED" is not RFC 2119 language (as idnits would tell you). You have to flip the sense of the sentence and use "RECOMMENDED".
> But Tim is also right, please consider "MUST NOT" since the following paragraph...

  It can be changed to "MUST NOT".

>    "Bare" TCP transport MAY, however, be used when another method such
>    as IPSec [RFC4301] is used to provide additional confidentiality and
>    security.  Should experience show that such deployments are useful,
>    this specification could be moved to standards track.
> 
> ...is really confusing. It implies that the purpose of this document *is* to define the use of bare TCP transport

   ... when used in conjunction with IPSec.

  The worry is insecure uses of RADIUS over TCP.  I'm not really sure
why, as RADIUS over UDP has no more security than RADIUS over TCP.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>