RE: [Dime] FEDAUTH BOF request

"Alper Yegin" <alper.yegin@yegin.org> Fri, 04 June 2010 07:35 UTC

Return-Path: <owner-radiusext@ops.ietf.org>
X-Original-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Delivered-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DE42E3A657C for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Fri, 4 Jun 2010 00:35:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.532
X-Spam-Level: **
X-Spam-Status: No, score=2.532 tagged_above=-999 required=5 tests=[AWL=-1.081, BAYES_50=0.001, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, HTML_MESSAGE=0.001, MSGID_MULTIPLE_AT=1.449, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lTO09IcWqSgl for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Fri, 4 Jun 2010 00:35:20 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id E209F3A67DB for <radext-archive-IeZ9sae2@lists.ietf.org>; Fri, 4 Jun 2010 00:35:18 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-radiusext@ops.ietf.org>) id 1OKRNV-000LoA-0p for radiusext-data0@psg.com; Fri, 04 Jun 2010 07:31:41 +0000
Received: from [74.208.4.195] (helo=mout.perfora.net) by psg.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <alper.yegin@yegin.org>) id 1OKRNQ-000LnR-OL for radiusext@ops.ietf.org; Fri, 04 Jun 2010 07:31:36 +0000
Received: from ibm (dsl88-247-34762.ttnet.net.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis) id 0MY7Qm-1OpI2f3O8u-00VID5; Fri, 04 Jun 2010 03:31:26 -0400
From: Alper Yegin <alper.yegin@yegin.org>
To: 'Bernard Aboba' <bernard_aboba@hotmail.com>, tena@huawei.com, aaa-doctors@ietf.org, radiusext@ops.ietf.org, dime@ietf.org, dromasca@avaya.com
References: <EDC652A26FB23C4EB6384A4584434A04022444EC@307622ANEX5.global.avaya.com>, <F3CA54ABFDD5489FAFE036ECB6EE0011@china.huawei.com> <BLU137-W24E56D43201C0B9EEB3A4A93D10@phx.gbl>
In-Reply-To: <BLU137-W24E56D43201C0B9EEB3A4A93D10@phx.gbl>
Subject: RE: [Dime] FEDAUTH BOF request
Date: Fri, 04 Jun 2010 10:30:58 +0300
Message-ID: <019f01cb03b7$e63fcaf0$b2bf60d0$@yegin>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_01A0_01CB03D1.0B8D02F0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcsC3Vu3xwQsiPtKT8+vfB1gbF+XiAA2UOhg
Content-Language: en-us
X-Provags-ID: V01U2FsdGVkX18y1cDDDbHwzc0rK+re1041lchS1Dg/3U9B3ek zrDOUvkjOhWErTfZBgfmWbJCOxwOu3DJT47CFQbCimRLqJVL6u OOecGjtXfoBXG9HHEBhW97gRdtYxZyP
Sender: owner-radiusext@ops.ietf.org
Precedence: bulk
List-ID: <radiusext.ops.ietf.org>

In particular, the problems of EAP auth (e.g. multiple round-trips, general
fragility in federated uses) become highly toxic when applied to real-time
applications such as XMPP and SIP.  As we have learned, Digest auth (RFC
5090) has not been widely deployed, in part because of concern about the
additional latency added by a AAA exchange.  For users of real-time
applications, additional latency is a basic, non-negotiable goal.  If the
relatively modest number of exchanges implied by RFC 5090 were intolerable
in real-time applications, how can we expect EAP exchanges (which can
involve 4-5 times the number of round-trips of RFC 5090) to be deployed?  The
answer, unfortunately, is that there is no chance at all.

So in summary, I believe that some aspects of the problem statement make
sense, but that a solution has been chosen prematurely.  The right way to
move forward in a situation like this is to begin with a problem statement,
which should include carefully validating the use cases.

Alper> I agree. 

Alper> Anyone who was around the ICOS BoF at IETF 62 would remember that the
community was convinced(!) that using EAP for anything other than network
access was a no-no. Now, before we embark on marching in the 180-degree opposite
direction, I'd say the community needs to be "unconvinced" first. I'm not
saying this is not doable, but it is something we need to go through first.

Alper

> ----- Original Message ----- 
> From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
> To: <dime@ietf.org>; "radext mailing list" <radiusext@ops.ietf.org>; 
> <aaa-doctors@ietf.org>
> Sent: Wednesday, June 02, 2010 10:56 PM
> Subject: FEDAUTH BOF request
> 
> 
> Diameter and RADIUS experts should pay attention to the request to hold
> a Federated Authentication (FEDAUTH) BOF which will be discussed this
> morning by the IAB and the IESG.
> 
> The Draft Charter is available at
> http://www.project-moonshot.org/bof/charter/, and more information about
> this BOF or other BOF requests can be examined at
> http://trac.tools.ietf.org/bof/trac/
> 
> Dan
> 
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>