Re: draft-ietf-radext-digest-auth-06
Emile van Bergen <openradius-radextwg@e-advies.nl> Mon, 17 October 2005 10:30 UTC
Date: Mon, 17 Oct 2005 12:30:56 +0200
From: Emile van Bergen <openradius-radextwg@e-advies.nl>
To: "wolfgang.beck01@t-online.de" <wolfgang.beck01@t-online.de>
Cc: radiusext@ops.ietf.org, aboba@internaut.com, miguel.an.garcia@nokia.com
Subject: Re: draft-ietf-radext-digest-auth-06

Hi,

On Mon, Oct 17, 2005 at 12:07:09PM +0200, wolfgang.beck01@t-online.de wrote:

> The latest version of the draft does no longer contain a link between
> sips/https and RADIUS. However, the Security Considerations section
> names refusing sips/https request as one non-normative option to avoid
> the security level mismatch of sips/https and unencrypted RADIUS:
>
> "To prevent RADIUS from representing the weak link, a RADIUS
> client receiving an HTTP-style request via TLS or IPsec could use an
> equally secure connection to the RADIUS server. There are several
> ways to achieve this, for example:
> o the RADIUS client may reject HTTP-style requests received over TLS
>   or IPsec
> o the RADIUS client require that traffic be sent and received over
>   IPsec.
> RADIUS over IPsec, if used, MUST conform to the requirements
> described in [RFC3579] section 4.2."

s/weak/weakest, I guess?

and I suggest another option:

o the RADIUS traffic only passes networks secured by other means, e.g.
  networks that are separated from the internet on the IP layer or
  below.

Cheers,

Emile

--
E-Advies - Emile van Bergen    emile@e-advies.nl
tel. +31 (0)78 6136282         http://www.e-advies.nl