Re: Windows 2000 and Cisco router interoperability

Paul Krumviede <paul@mci.net> Wed, 17 May 2000 18:46 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA05449; Wed, 17 May 2000 11:46:42 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA23690 Wed, 17 May 2000 13:44:50 -0400 (EDT)
Date: Wed, 17 May 2000 10:52:32 -0700
From: Paul Krumviede <paul@mci.net>
Subject: Re: Windows 2000 and Cisco router interoperability
In-reply-to: <20000517062617.C3FB935DC2@smb.research.att.com>
To: "Steven M. Bellovin" <smb@research.att.com>, Jan Vilhuber <vilhuber@cisco.com>
Cc: Stephen Kent <kent@bbn.com>, "CHINNA N.R. PELLACURU" <pcn@cisco.com>, ipsec@lists.tislabs.com
Message-id: <783045522.958560752@sjo-dhcp0406.mcit.com>
MIME-version: 1.0
X-Mailer: Mulberry/2.0.0 (Win32)
Content-type: text/plain; format="flowed"; charset="us-ascii"
Content-disposition: inline
Content-transfer-encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

--On Wednesday, 17 May, 2000 02:26 -0400 "Steven M. Bellovin" 
<smb@research.att.com> wrote:

> In message
> <Pine.SOL.3.96.1000516215040.29630A-100000@jvilhube-ss20.cisco.com>, Jan
>  Vilhuber writes:
>> On Tue, 16 May 2000, Stephen Kent wrote:
>>> The "features that AAA provides?"  AAA is a WG but there are no AAA
>>> standards yet. In fact, the WG drafts so far are focusing only on
>>> requirements for the protocols that will be standardized, in the
>>> future. So a reference to what "AAA provides" or to "customers who
>>> are so fond of their AAA infrastructure" appears to be in the future,
>>> optimistic tense.
>>>
>> That's patently false, I fear. What Chinna is referring to is the
>> interaction (well defined) of RADIUS Authentication, Authorization and
>> Accounting (generally referred to as AAA) and PPP (and I expect you
>> knew all that).
>>
>> That the AAA group is back to the drawing board is not the issue. The
>> "customers who are so fond of their AAA infrastructure" obviously
>> refers to the RADIUS infrastructure. While Chinna could have been more
>> precise, I always equate them in my mind as well.
>>
>> I can tell you from personal experience that people want to shoehorn
>> EVERYTHING into radius. They'll want this here as well (I've already
>> gotten multiple requests about this). I guarantee it'll happen (or your
>> money back).
>
> "Back" to the drawing board?  By intent of the IESG, they haven't left
> it yet.  Up until now, AAA has been focused on requirements.  The
> charter is at http://www.ietf.org/html.charters/aaa-charter.html; to
> save you the trouble, the actions for this group are to generate
> requirements, solicit candidate protocols, compare the candidates to
> the requirements, and then decide if a new working group is needed to
> finish development of the selected candidate.  The primary requirements
> drafts were only published in late April (i.e.,
> draft-irtf-aaaarch-generic-01.txt and
> draft-irtf-aaaarch-authorization-reqs-01.txt).

Please don't confuse the IRTF group, which produced the drafts
Steve mentioned, and the IETF working group, which has a different
set of drafts. Given that there was little input into the requirements
process for things other than network access (e.g. dial-up and Mobile IP),
the scope of the evaluation is limited.

> Yes, RADIUS -- or, more precisely, DIAMETER, which is a next-generation
> version of RADIUS, in some ways -- is a strong contender.  RADIUS per
> se just doesn't cut it.  It's also an architectural nightmare, and the
> myriad requirements for new features are one reason that it's taken AAA
> this long to reach even this point.
>
> RADIUS as it exists today is inadequate.  A new protocol is needed, but
> at a guess it's a year until it reaches Proposed Standard.  And we have
> yet to figure out precisely how it will deal with IPsec, IPSRA, L2TP,
> etc.

Suggestions on all of this would be welcomed. But the various working
groups and the IESG would have to figure out where this fits.

But we seem to be a long way away from IPsec itself in such discussions of
AAA (whether the WG, the current infrastructure, or combinations of them).

-paul