Re: [proxies] [IETF Proxy] Next Steps

"Dan Harkins" <> Fri, 02 May 2008 23:06 UTC

Return-Path: <>
Received: from (localhost []) by (Postfix) with ESMTP id D73313A6D1B; Fri, 2 May 2008 16:06:50 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id CF9253A6D1B for <>; Fri, 2 May 2008 16:06:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.861
X-Spam-Status: No, score=-1.861 tagged_above=-999 required=5 tests=[AWL=0.404, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id i4b+jIVicIdD for <>; Fri, 2 May 2008 16:06:49 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 040113A6CEE for <>; Fri, 2 May 2008 16:06:49 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id DE38AA8882BA; Fri, 2 May 2008 16:06:50 -0700 (PDT)
Received: from (SquirrelMail authenticated user by with HTTP; Fri, 2 May 2008 16:06:51 -0700 (PDT)
Message-ID: <>
In-Reply-To: <>
References: <> <>
Date: Fri, 2 May 2008 16:06:51 -0700 (PDT)
From: "Dan Harkins" <>
To: "Stefan Winter" <>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
X-Priority: 3 (Normal)
Importance: Normal
Subject: Re: [proxies] [IETF Proxy] Next Steps
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

  Hi Stefan,

On Thu, April 17, 2008 6:50 am, Stefan Winter wrote:
> To me, the above model seems to have two role models of proxies:
> - the "technical" proxy - to aggregate or channelize traffic for
> managability
> reasons
> - the "political" proxy - due to the requirement or wish to inspect,
> control
> or modify traffic while in flight
> The first kind might go away with dynamic discovery between service
> provider
> and home server; the second might most certainly not. So my answer to the
> proxy problem in general is: we will have to live with them.

  This political proxy thing concerns me. The only traffic that a AAA proxy
could inspect, control or modify is AAA traffic. So what this entity would
do is glean information about who is using what network where and, in
some cases, prevent some people somewhere from using some network.

  These are not things that I think we _have_ to deal with especially in
a technical forum. These are issues that a customer will require a vendor
of AAA product to support, in much the same way that "lawful intercept"
is a political add-on to a technical solution-- e.g. the IPsec WG did not
architect "lawful intercept" into RFC2401 but people that have implemented
IPsec have added backdoors into their products to allow for it. I'm sure
that some RFP somewhere will mandate, if it doesn't already, that
evesdropping and controlling entities be required in between AAA client
and AAA server but that isn't really the problemspace we're dealing with.

  I have heard many other reasons why AAA proxies must exist. If a magic
wand made all those reasons disappear I really hope this political
justification would not keep them around. (Note: I'm not entertaining the
notion of getting rid of proxies, just theorizing, so don't attack me).

  This does highlight threats though. It's not just that proxies can
listen to AAA exchanges, they can glean information out of AAA exchanges,
and they can constrain or deny service that should otherwise be
unconstrained or allowed.


Proxies mailing list