
Re: TCP + TLS on the same port



Bernard Aboba wrote:
> Let us presume that there is a NAT (perhaps a carrier grade NAT) located
> between a RADIUS over TLS client and server.  Bringing up a TLS connection
> to the RTLS server and using this for traffic in both directions has
> several advantages, it seems to me:
...
> Does this make sense?

  Yes.

  Should we have a separate document saying that multiple packet types
can go over the same port?

  I think the issue of CoA support can be handled.  i.e. if the NAS
doesn't support CoA, how is it supposed to tell the server that?

  The answer, I think, is the same as for accounting packets.  If the
NAS sends an Accounting-Request and the server never responds, the NAS
simply has to deal with it.  The server may not accept accounting
packets, or it may be proxying to an unresponsive home server, etc.

  It's largely up to the administrator to notice that large amounts of
"request" packets are never receiving "responses".  And then to
configure the client to stop sending those requests to the server.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
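
The monitoring task described in the message above (noticing request packets that never receive responses when several packet types share one connection), as an added example that is not part of the original message or of any RADIUS implementation. The function names, the `c2s`/`s2c` direction labels and the sample packets are constructed for illustration; it assumes each captured chunk holds whole packets.

```python
import struct
from collections import Counter

# Request code -> reply codes that answer it (RFC 2865, 2866, 5176).
REPLIES = {1: {2, 3, 11},   # Access-Request -> Accept / Reject / Challenge
           4: {5},          # Accounting-Request -> Accounting-Response
           40: {41, 42},    # Disconnect-Request -> ACK / NAK
           43: {44, 45}}    # CoA-Request -> ACK / NAK
NAMES = {1: "Access-Request", 4: "Accounting-Request",
         40: "Disconnect-Request", 43: "CoA-Request"}
ANSWERS = {r: req for req, rs in REPLIES.items() for r in rs}

def split_packets(chunk: bytes):
    """Yield (code, identifier) per packet; the header Length field is the
    only framing when RADIUS runs over a stream transport."""
    off = 0
    while off < len(chunk):
        if len(chunk) - off < 20:
            raise ValueError("truncated RADIUS header")
        code, ident, length = struct.unpack_from("!BBH", chunk, off)
        # 20..4096 octets is the packet size range given in RFC 2865.
        if not 20 <= length <= 4096 or off + length > len(chunk):
            raise ValueError(f"bad RADIUS length {length} at offset {off}")
        yield code, ident
        off += length

def unanswered(events):
    """events: ordered (direction, bytes), direction 'c2s' or 's2c'.
    Returns a Counter of request types still waiting for a reply."""
    pending = {}  # (request direction, identifier) -> request code
    for direction, chunk in events:
        other = "s2c" if direction == "c2s" else "c2s"
        for code, ident in split_packets(chunk):
            req = ANSWERS.get(code)
            if code in REPLIES:
                pending[(direction, ident)] = code
            elif req is not None and pending.get((other, ident)) == req:
                del pending[(other, ident)]  # reply matched its request
    return Counter(NAMES[c] for c in pending.values())

def pkt(code, ident):  # constructed sample packet: header + zero authenticator
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

# Constructed capture: Access-Request answered, three Accounting-Requests
# ignored, and a CoA-Request from the server answered with CoA-NAK.
SAMPLE = [("c2s", pkt(1, 1)), ("s2c", pkt(2, 1)),
          ("c2s", pkt(4, 2) + pkt(4, 3) + pkt(4, 4)),
          ("s2c", pkt(43, 1)), ("c2s", pkt(45, 1))]
```

Identifier 1 appears in both directions in the sample; keying pending requests by direction keeps the NAS-originated and server-originated requests from being matched against each other.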