Re: [proxies] [IETF Proxy] Next Steps

Alan DeKok <> Sat, 03 May 2008 05:47 UTC

Date: Sat, 03 May 2008 07:43:19 +0200
From: Alan DeKok <>
User-Agent: Thunderbird (X11/20080227)
To: Dan Harkins <>
Subject: Re: [proxies] [IETF Proxy] Next Steps

Dan Harkins wrote:
>   This political proxy thing concerns me. The only traffic that a AAA proxy
> could inspect, control or modify is AAA traffic.

  I think that's what Stefan meant.

  In the commercial world, proxies do this, too.  A visited network may
not supply information in a form needed by the home network, and vice
versa.  The intermediary proxies are responsible for "fixing" the AAA
information inbound and outbound, so that everyone else doesn't have to
change their systems.

> So what this entity would
> do is glean information about who is using what network where and, in
> some cases, prevent some people somewhere from using some network.

  In Stefan's case, yes.  Some countries have their educational networks
run or coordinated from a central body.  In those countries, the body
*is* responsible, and *can* control the network.  They simply want to
use existing powers on new systems, such as AAA proxies.

  In the commercial world, proxies are contractually forbidden from
interfering with the status of the user.  They can change the contents
of the packets, but not the accept/deny status of the user.

>   These are not things that I think we _have_ to deal with especially in
> a technical forum. These are issues that a customer will require a vendor
> of AAA product to support, in much the same way that "lawful intercept"
> is a political add-on to a technical solution--

  I'd like to see a document making this distinction clear for everyone.

>   I have heard many other reasons why AAA proxies must exist. If a magic
> wand made all those reasons disappear I really hope this political
> justification would not keep them around. (Note: I'm not entertaining the
> notion of getting rid of proxies, just theorizing, so don't attack me).

  Proxies won't be disappearing.  Business politics and efficiencies
mean that it's often easier && cheaper to outsource to a dedicated AAA

>   This does highlight threats though. It's not just that proxies can
> listen to AAA exchanges, they can glean information out of AAA exchanges,
> and they can constrain or deny service that should otherwise be
> unconstrained or allowed.


  Alan DeKok.
Proxies mailing list
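Added illustration (not part of the thread, not FreeRADIUS or any other project's code): a minimal model of the three-party exchange the message describes, written against the RFC 2865 packet layout. A NAS sends an Access-Request, an intermediary proxy "fixes" the User-Name realm for the home server, the home server answers, and the proxy re-signs the answer for the NAS hop. Because the Response Authenticator is computed hop by hop with each hop's own shared secret, the NAS verifies the proxy's signature, not the home server's, so a proxy that flips Accept to Reject (or the reverse) produces a response the NAS accepts as valid. The shared secrets, the realm-rewrite rule and the usernames are constructed for the example; Message-Authenticator, EAP and any end-to-end protection are deliberately not modelled.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the one attribute type this example rewrites.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1
# Constructed shared secrets for the two hops (NAS<->proxy, proxy<->home).
NAS_SECRET = b"nas-to-proxy-secret"
HOME_SECRET = b"proxy-to-home-secret"

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)

def decode_attrs(data):
    """Decode TLVs, rejecting a length that would run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, bytes(data[i + 2:i + l])))
        i += l
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    """Return (code, identifier, authenticator, attrs); enforce the Length field."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field disagrees with packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return build_packet(code, ident, auth, attrs)

def verify_response(pkt, request_auth, secret):
    """All a receiver can check: the authenticator of its own hop."""
    code, ident, auth, attrs = parse_packet(pkt)
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(auth, expected)

def fix_user_name(attrs):
    """The 'fixing' step: hypothetical rule mapping the visited realm to the home realm."""
    return [(t, v.replace(b"@visited.example", b"@home.example") if t == USER_NAME else v)
            for t, v in attrs]

def proxy_exchange(request_attrs, home_decision, tamper_decision=None):
    """NAS -> proxy -> home -> proxy -> NAS; optionally let the proxy flip the decision."""
    nas_auth = os.urandom(16)                       # Access-Request authenticator is random
    nas_req = build_packet(ACCESS_REQUEST, 7, nas_auth, request_attrs)
    # Proxy: rewrite attributes and re-issue the request on its own hop.
    _, ident, _, attrs = parse_packet(nas_req)
    proxy_auth = os.urandom(16)
    home_req = build_packet(ACCESS_REQUEST, ident, proxy_auth, fix_user_name(attrs))
    # Home server: decide, sign with the proxy<->home secret.
    _, hid, hauth, seen = parse_packet(home_req)
    home_resp = build_response(home_decision, hid, [], hauth, HOME_SECRET)
    if not verify_response(home_resp, proxy_auth, HOME_SECRET):
        raise RuntimeError("proxy rejects home response")  # the proxy's own hop check
    # Proxy: relay (or alter) the code, then sign afresh for the NAS hop.
    code, _, _, resp_attrs = parse_packet(home_resp)
    if tamper_decision is not None:
        code = tamper_decision
    nas_resp = build_response(code, ident, resp_attrs, nas_auth, NAS_SECRET)
    return {
        "home_saw_user": next(v for t, v in seen if t == USER_NAME),
        "home_decision": home_decision,
        "nas_decision": parse_packet(nas_resp)[0],
        "nas_verified": verify_response(nas_resp, nas_auth, NAS_SECRET),
    }

if __name__ == "__main__":
    req = [(USER_NAME, b"alice@visited.example")]       # constructed sample request
    print(proxy_exchange(req, ACCESS_ACCEPT))
    print(proxy_exchange(req, ACCESS_ACCEPT, tamper_decision=ACCESS_REJECT))
```

The second call is the threat in the last quoted paragraph made concrete: "nas_verified" is True in both runs, so a contractual rule that a proxy may edit attributes but not the accept/deny status is enforced by contract and audit, not by anything the NAS can check on the wire.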