Re: [proxies] [IETF Proxy] Next Steps
Alan DeKok <aland@nitros9.org> Sat, 03 May 2008 05:47 UTC
Dan Harkins wrote:
> This political proxy thing concerns me. The only traffic that a AAA proxy
> could inspect, control or modify is AAA traffic.

I think that's what Stefan meant.

In the commercial world, proxies do this, too. A visited network may not supply information in a form needed by the home network, and vice versa. The intermediary proxies are responsible for "fixing" the AAA information inbound and outbound, so that everyone else doesn't have to change their systems.

> So what this entity would
> do is glean information about who is using what network where and, in
> some cases, prevent some people somewhere from using some network.

In Stefan's case, yes. Some countries have their educational networks run or coordinated from a central body. In those countries, the body *is* responsible, and *can* control the network. They simply want to use existing powers on new systems, such as AAA proxies.

In the commercial world, proxies are contractually forbidden from interfering with the status of the user. They can change the contents of the packets, but not the accept/deny status of the user.

> These are not things that I think we _have_ to deal with especially in
> a technical forum. These are issues that a customer will require a vendor
> of AAA product to support, in much the same way that "lawful intercept"
> is a political add-on to a technical solution--

I'd like to see a document making this distinction clear for everyone.

> I have heard many other reasons why AAA proxies must exist. If a magic
> wand made all those reasons disappear I really hope this political
> justification would not keep them around. (Note: I'm not entertaining the
> notion of getting rid of proxies, just theorizing, so don't attack me).

Proxies won't be disappearing. Business politics and efficiencies mean that it's often easier && cheaper to outsource to a dedicated AAA proxy.

> This does highlight threats though. It's not just that proxies can
> listen to AAA exchanges, they can glean information out of AAA exchanges,
> and they can constrain or deny service that should otherwise be
> unconstrained or allowed.

Absolutely.

Alan DeKok.