Re: [BEHAVE] protocols without need for ALG ?

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 31 July 2015 20:31 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <eckert@cisco.com>
In-Reply-To: <20150730205806.GI1667@cisco.com>
References: <20150730205806.GI1667@cisco.com>
Date: Fri, 31 Jul 2015 16:31:44 -0400
Message-ID: <15959.1438374704@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: <http://mailarchive.ietf.org/arch/msg/behave/45wmKSTNF_UhetJN-0iLN5k6t3I>
Cc: v6ops@ietf.org, behave@ietf.org
Subject: Re: [BEHAVE] protocols without need for ALG ?

Toerless Eckert <eckert@cisco.com> wrote:
    > radius - OK ?

Classic RADIUS has an MD5-based authenticator which depends upon the IP address.
It can sometimes be made to work through NAPTs, but in general it doesn't.
Newer mechanisms get rid of this, replacing it all with DTLS, which doesn't
care, but the classic stuff is pretty widespread.
On the other hand, it is easily proxied from IPv6 to IPv4 should the
radius server be unable to speak IPv6.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
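
Added example, not part of the original message: in RFC 2865 the server selects the shared secret by the packet's source address, and that secret is hashed into the MD5 Response Authenticator, so a NAPT that rewrites the source makes the NAS reject the reply or never receive one. The addresses, secrets and function names below are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

# Constructed client table: the server picks the shared secret by source IP.
CLIENTS = {
    "192.0.2.10": b"nas-secret",      # the NAS's real address
    "198.51.100.1": b"other-secret",  # a different client registered at the NAPT's outside address
}

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def server_reply(src_ip, request):
    """Build an Access-Accept, or return None for an unknown source address."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None  # unknown client: the request is silently discarded
    _, ident, _ = struct.unpack("!BBH", request[:4])
    auth = response_authenticator(ACCESS_ACCEPT, ident, request[4:20], b"", secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20) + auth

def client_accepts(request, reply, secret):
    """NAS-side check of the Response Authenticator against its own secret."""
    if reply is None:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20])

def exchange(seen_src_ip, nas_secret=b"nas-secret"):
    """One Access-Request/Access-Accept round trip as the server sees the source."""
    user_name = bytes([1, 2 + len(b"alice")]) + b"alice"  # User-Name attribute
    header = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(user_name))
    request = header + os.urandom(16) + user_name
    return client_accepts(request, server_reply(seen_src_ip, request), nas_secret)

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.1", "203.0.113.5"):
        print(src, "->", "accepted" if exchange(src) else "rejected")
```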