RE: [AAA-DOCTORS] [Dime] FEDAUTH BOF request
"Bernard Aboba" <bernard_aboba@hotmail.com> Mon, 07 June 2010 15:44 UTC
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: 'Alper Yegin' <alper.yegin@yegin.org>, tena@huawei.com, aaa-doctors@ietf.org, radiusext@ops.ietf.org, dime@ietf.org, dromasca@avaya.com
Subject: RE: [AAA-DOCTORS] [Dime] FEDAUTH BOF request
Date: Sun, 06 Jun 2010 09:13:19 -0700
List-ID: <radiusext.ops.ietf.org>
Previous tests have shown problems with use of RADIUS/EAP over UDP in federated scenarios: http://www.cesnet.cz/doc/techzpravy/2008/eduroam-authentication-over-jammed-network/

As noted in the above paper, once packet loss is introduced, completing the multiple roundtrips of EAP authentication becomes increasingly difficult. RADIUS over TCP holds up much better until a threshold is reached, and then authentication success fractions fall dramatically.

Due to the transport issues and RADIUS packet size limitation of 4096 (which may impact the ability to transport SAML assertions), it seems like Diameter would be more suitable.

From: aaa-doctors-bounces@ietf.org [mailto:aaa-doctors-bounces@ietf.org] On Behalf Of Alper Yegin
Sent: Friday, June 04, 2010 12:31 AM
To: 'Bernard Aboba'; tena@huawei.com; aaa-doctors@ietf.org; radiusext@ops.ietf.org; dime@ietf.org; dromasca@avaya.com
Subject: Re: [AAA-DOCTORS] [Dime] FEDAUTH BOF request

In particular, the problems of EAP auth (e.g. multiple round-trips, general fragility in federated uses) become highly toxic when applied to Realtime applications such as XMPP and SIP. As we have learned, Digest auth (RFC 5090) has not been widely deployed, in part because of concern about the additional latency added by a AAA exchange. For users of real-time applications, additional latency is a basic, non-negotiable goal. If the relatively modest number of exchanges implied by RFC 5090 were intolerable in realtime applications, how can we expect EAP exchanges (which can involve 4-5 times the number of roundtrips of RFC 5090) to be deployed? The answer, unfortunately, is that there is no chance at all.

So in summary, I believe that some aspects of the problem statement make sense, but that a solution has been chosen prematurely. The right way to move forward in a situation like this is to begin with a problem statement, which should include carefully validating the use cases.

Alper> I agree.

Alper> Anyone who was around the ICOS BoF in IETF 62 would remember that the community was convinced(!) that using EAP for anything other than network access was a no-no. Now before we embark on marching in 180-degree opposite direction, I'd say the community needs to be "unconvinced" first. I'm not saying this is not doable, but something we need to go through first.

Alper

> ----- Original Message -----
> From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
> To: <dime@ietf.org>; "radext mailing list" <radiusext@ops.ietf.org>; <aaa-doctors@ietf.org>
> Sent: Wednesday, June 02, 2010 10:56 PM
> Subject: FEDAUTH BOF request
>
> Diameter and RADIUS experts should pay attention to the request to hold a Federated Authentication (FEDAUTH) BOF which will be discussed this morning by the IAB and the IESG.
>
> The Draft Charter is available at http://www.project-moonshot.org/bof/charter/, and more information about this BOF or other BOF requests can be examined at http://trac.tools.ietf.org/bof/trac/
>
> Dan
>
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
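The thread's core argument is that every extra round trip over an unreliable datagram transport multiplies the chance that a lossy path aborts the whole authentication. The following model is an added illustration, not code or data from the thread or from the cited CESNET paper; the per-datagram loss rates, the retransmit budget, and the 2-vs-10 round-trip figures (chosen to mirror the "4-5 times" ratio mentioned above) are constructed assumptions.

```python
"""Completion probability of a multi-round-trip AAA exchange over a lossy
datagram transport such as RADIUS/UDP. Added illustration for the thread;
all numeric inputs are constructed assumptions, not measurements."""


def roundtrip_success(loss: float, retries: int) -> float:
    """Probability that one request/response round trip eventually succeeds.

    Both the request and the reply must arrive; after a timeout the client
    retransmits up to `retries` more times. Loss is modelled as independent
    per datagram, which is a simplification of real bursty loss."""
    p_one = (1.0 - loss) ** 2                  # request AND reply survive
    return 1.0 - (1.0 - p_one) ** (retries + 1)


def exchange_success(loss: float, roundtrips: int, retries: int = 2) -> float:
    """Probability that an exchange needing `roundtrips` consecutive round
    trips completes. One round trip exhausting its retries fails the whole
    authentication, so the success probability decays geometrically with
    the length of the conversation."""
    return roundtrip_success(loss, retries) ** roundtrips


def compare(loss: float, digest_rt: int = 2, eap_rt: int = 10,
            retries: int = 2) -> dict:
    """Short (Digest-style) versus long (EAP-style) exchange at one loss rate.
    The 2 and 10 round-trip counts are constructed to reflect the thread's
    '4-5 times the number of roundtrips' comparison."""
    return {
        "digest": exchange_success(loss, digest_rt, retries),
        "eap": exchange_success(loss, eap_rt, retries),
    }


if __name__ == "__main__":
    # Constructed loss rates: print how the two exchanges diverge as loss grows.
    print(f"{'loss':>6} {'digest':>8} {'eap':>8}")
    for loss in (0.01, 0.05, 0.10, 0.20, 0.30):
        r = compare(loss)
        print(f"{loss:6.2f} {r['digest']:8.3f} {r['eap']:8.3f}")
```

Diameter's reliable transport changes the failure mode rather than removing it: a lost datagram costs latency instead of aborting the exchange, which is consistent with the TCP "threshold" behaviour the thread describes.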