Re: [proxies] Review of draft-hoeper-proxythreat-01.txt (Part 1)

Alan DeKok, Mon, 17 November 2008 14:45 UTC

To: Bernard Aboba

Bernard Aboba wrote:
> Similarly, I believe that understanding how proxies are actually deployed
> and used is critical.  For example, at present inter-domain
> key transport via proxies is very rarely deployed (EDUROAM is the only
> major deployment I am aware of).  This is because 802.11i has not caught
> on in hospitality, hotspots or carriers, where web portals are
> overwhelmingly popular.

  There are, as always, discussions about rolling out world-wide roaming
for 802.1X.  Trials are occurring now, but I think widespread deployment
is 2-3 years out.

> My takeaway from all this is that real world deployments appear to have a
> very low complexity tolerance.  Even technologies which are frequently
> assumed to be well established (e.g. EAP, 802.1X) frequently exceed that
> tolerance level.

  Even standard RADIUS has significant complexities when used for
world-wide roaming.  The people building the equipment often don't
understand the specs (and therefore don't follow them), the people
deploying the equipment often don't understand networking, and the
people managing the businesses often don't understand their market.

  The result is a world-wide network which is composed of the lowest
common denominator.  Usernames/passwords go one way, ACKs/NAKs go the
other, and generally you see an accounting Start.

  I think there's a need for a document that covers *more* than the bits
& bytes in the protocols, e.g., both recommended and not recommended
network design, practices, etc.  Such a document could be used as a
reference for global roaming implementations.  It could also
significantly increase network reliability, and shorten deployment
times, by educating the people who build and maintain those networks.

  Alan DeKok.

Proxies mailing list
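Added example (not part of this message, of the draft under review, or of any deployment's code): the exchange Alan describes, as a working Python model of one RADIUS roaming session. A NAS sends a PAP Access-Request (username and password one way), a realm-routing proxy forwards it to the home server, an Access-Accept or Access-Reject comes back (the ACK/NAK), and the NAS follows up with an Accounting-Request Start. The packet layout, User-Password hiding and the Request/Response Authenticator computations follow RFC 2865 and RFC 2866; the HomeServer and Proxy classes, the realm names, the shared secrets and the user table are constructed for the demonstration and are not taken from any real product.

```python
# Added example, not from the original message: RFC 2865/2866 RADIUS roaming through a
# realm-routing proxy. Realm names, shared secrets and the user table are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_START = 1, 2, 40, 1

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]  # length includes the 2-octet header
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def password_xor(data, secret, authenticator, hiding):
    # RFC 2865 5.2: XOR 16-octet blocks with MD5(secret + previous ciphertext block),
    # starting from the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def hide_password(pw, secret, auth):
    return password_xor(pw + b"\x00" * (-len(pw) % 16) or b"\x00" * 16, secret, auth, True)

def reveal_password(hidden, secret, auth):
    return password_xor(hidden, secret, auth, False).rstrip(b"\x00")

def response_auth(code, ident, request_auth, attrs, secret):
    # RFC 2865 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret); RFC 2866 keys the
    # Accounting-Request authenticator the same way with 16 zero octets as RequestAuth.
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

class HomeServer:
    def __init__(self, secret, users):
        self.secret, self.users = secret, users
    def handle(self, pkt):
        code, ident, auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        if code == ACCESS_REQUEST:
            pw = reveal_password(a[USER_PASSWORD], self.secret, auth)
            code = ACCESS_ACCEPT if self.users.get(a[USER_NAME]) == pw else ACCESS_REJECT
        else:  # Accounting-Request: RFC 2866 says discard silently; raise so the failure is visible
            if auth != response_auth(code, ident, b"\x00" * 16, attrs, self.secret):
                raise ValueError("bad Accounting-Request authenticator")
            code = ACCOUNTING_RESPONSE
        return build_packet(code, ident, response_auth(code, ident, auth, [], self.secret), [])

class Proxy:
    # Routes on the realm after '@'. For PAP the proxy must recover the cleartext password
    # to re-hide it under the next hop's secret, so every proxy on the path sees it.
    def __init__(self, nas_secret, routes):
        self.nas_secret, self.routes, self.seen = nas_secret, routes, []
    def forward(self, pkt):
        code, ident, auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        home, secret = self.routes[a[USER_NAME].rsplit(b"@", 1)[-1]]
        if code == ACCESS_REQUEST:
            pw = reveal_password(a[USER_PASSWORD], self.nas_secret, auth)
            self.seen.append(pw)  # what a curious or compromised proxy would log
            new_auth = os.urandom(16)
            attrs = [(USER_NAME, a[USER_NAME]), (USER_PASSWORD, hide_password(pw, secret, new_auth))]
        else:
            if auth != response_auth(code, ident, b"\x00" * 16, attrs, self.nas_secret):
                raise ValueError("bad Accounting-Request authenticator from NAS")
            new_auth = response_auth(code, ident, b"\x00" * 16, attrs, secret)
        rcode, rid, rauth, rattrs = parse_packet(home.handle(build_packet(code, ident, new_auth, attrs)))
        if rauth != response_auth(rcode, rid, new_auth, rattrs, secret):
            raise ValueError("bad Response Authenticator from home server")
        return build_packet(rcode, ident, response_auth(rcode, ident, auth, rattrs, self.nas_secret), rattrs)

def roaming_session(proxy, nas_secret, username, password):
    """NAS side: Access-Request out, Accept/Reject back, then an Accounting Start."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, nas_secret, auth))]
    rcode, _, rauth, rattrs = parse_packet(proxy.forward(build_packet(ACCESS_REQUEST, 1, auth, attrs)))
    if rauth != response_auth(rcode, 1, auth, rattrs, nas_secret):
        raise ValueError("bad Response Authenticator from proxy")
    if rcode != ACCESS_ACCEPT:
        return "rejected"
    acct = [(USER_NAME, username), (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))]
    acct_auth = response_auth(ACCOUNTING_REQUEST, 2, b"\x00" * 16, acct, nas_secret)
    ack = parse_packet(proxy.forward(build_packet(ACCOUNTING_REQUEST, 2, acct_auth, acct)))
    return "accepted" if ack[0] == ACCOUNTING_RESPONSE else "accepted-no-acct"
```

The point worth noticing is in Proxy.forward: because User-Password is hidden under the shared secret of each hop, a proxy carrying PAP has to recover the cleartext to re-hide it for the next hop, so every proxy on a roaming path sees the credential (the `seen` list records what a curious or compromised proxy could log). Each hop also verifies only the Response Authenticator of the neighbour it talks to, which is the hop-by-hop trust model a proxy threat analysis has to account for. Moving to 802.1X/EAP keeps the password off the proxies, but the session keys the home server returns then traverse the same path, which is the inter-domain key transport Bernard's quoted paragraph refers to.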