Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

"Diego R. Lopez" <diego@tid.es> Tue, 03 September 2013 16:09 UTC

Date: Tue, 03 Sep 2013 16:09:00 +0000
From: "Diego R. Lopez" <diego@tid.es>
In-reply-to: <52254709.5030208@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
Message-id: <74B487C3-6385-421F-A1FD-6C75EB7A9C29@tid.es>
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <alpine.WNT.2.00.1308210755460.1748@SMURF> <5224AB2B.7000808@deployingradius.com> <alpine.WNT.2.00.1309020919250.2692@SMURF> <5224F3BE.4070902@deployingradius.com> <alpine.WNT.2.00.1309021811070.2692@SMURF> <52254709.5030208@deployingradius.com>
Cc: "radext@ietf.org" <radext@ietf.org>, Peter Deacon <peterd@iea-software.com>
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>

Hi,

On 3 Sep 2013, at 04:18 , Alan DeKok wrote:
> Peter Deacon wrote:
>> In this case lack of knowledge is NOT the problem.  The problem is
>> proxies KNOWING something is WRONG and being expected to look the other
>> way and forward the information on anyway.
>
>  Yes.  That's EXACTLY what proxies should be doing.  Anything else
> causes a disaster.
>
>  I explained why I have my opinion, using real-world examples.  Your
> counter-argument is to re-state that this is a problem.
>
>  You don't dispute my examples, and you don't offer a counter-argument
> to them.  I can only conclude that you're disagreeing because of some
> un-named fear.


As I see it, there is a clear rule for proxy behavior with respect to this: proxies have to behave in the most transparent way possible, because they are simply relays for the communication. Validations (for security, semantics or whatever else) should occur only E2E. If you want to have a middlebox that breaks E2E validation for whatever reason (however legitimate it may be), don't claim it to be a proxy.

In brief: Hop-by-hop security MUST be checked at each proxy, of course. But E2E security MUST NOT be checked at a proxy.

Be goode,

--
"This time we will not fail, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: diego@tid.es
Tel:    +34 913 129 041
Mobile: +34 682 051 091
-----------------------------------------


________________________________

This message is intended exclusively for its addressee. We only send and receive email on the basis of the terms set out at:
http://www.tid.es/ES/PAGINAS/disclaimer.aspx
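As an added example, not part of this message, of the fragmentation draft, or of any RADIUS implementation, the following Python models the rule stated above: a proxy verifies the hop-by-hop Message-Authenticator (RFC 3579 section 3.2, HMAC-MD5 keyed with the shared secret of the incoming hop) and discards the packet if it fails, then forwards every attribute byte-for-byte, including attributes it does not understand, re-signing only for the outgoing hop. The shared secrets, the user name, the Request Authenticator and the experimental-range attribute type 192 carrying opaque data are constructed values for illustration.

```python
"""Model of a RADIUS proxy that checks hop-by-hop security and relays E2E content untouched.

Added example; constructed values, not code from the mailing list or any RADIUS server.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 3579 section 3.2
HEADER = struct.Struct("!BBH")    # Code, Identifier, Length; followed by the 16-octet Authenticator


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-octet type, 1-octet total length, value."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def decode_attrs(blob):
    """Parse the attribute area. The proxy needs only the framing, never attribute semantics."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + 16 + len(body)) + authenticator + body


def parse_packet(packet):
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    return code, ident, packet[4:20], decode_attrs(packet[20:])


def expected_message_authenticator(packet, secret):
    """HMAC-MD5 under this hop's shared secret over the packet with the
    Message-Authenticator value replaced by 16 zero octets (RFC 3579 section 3.2)."""
    code, ident, auth, attrs = parse_packet(packet)
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, auth, zeroed), hashlib.md5).digest()


def sign(code, ident, authenticator, attrs, secret):
    """Attach a Message-Authenticator computed under `secret` for one hop."""
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR]
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = expected_message_authenticator(build_packet(code, ident, authenticator, attrs), secret)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    return build_packet(code, ident, authenticator, attrs)


def verify(packet, secret):
    """Hop-by-hop check: exactly one well-formed Message-Authenticator, valid under `secret`."""
    try:
        attrs = parse_packet(packet)[3]
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    return hmac.compare_digest(macs[0], expected_message_authenticator(packet, secret))


def proxy(packet, inbound_secret, outbound_secret):
    """Check hop-by-hop security, then relay. Returns the packet to forward, or None
    when the check fails (silently discarded, as RFC 3579 requires for a bad MAC)."""
    if not verify(packet, inbound_secret):
        return None
    code, ident, auth, attrs = parse_packet(packet)
    # Nothing is inspected, reordered, dropped or "fixed": attributes this proxy does not
    # understand pass byte-for-byte. Only the hop-by-hop MAC is replaced for the next hop.
    # (User-Password, if present, is also hop-by-hop: it is obfuscated under the shared
    # secret and Request Authenticator and would need re-encryption; omitted here.)
    return sign(code, ident, auth, attrs, outbound_secret)


def payload(packet):
    """Everything except the hop-by-hop Message-Authenticator, to compare what crossed the proxy."""
    return [a for a in parse_packet(packet)[3] if a[0] != ATTR_MESSAGE_AUTHENTICATOR]


# Constructed sample: a NAS signs an Access-Request for its hop; the proxy re-signs it for the home server.
NAS_SECRET, HOME_SECRET = b"nas-hop-secret", b"home-hop-secret"   # assumed values
ATTR_EXPERIMENTAL = 192   # IANA experimental-use range; stands in for an attribute the proxy does not know
SAMPLE_ATTRS = [(ATTR_USER_NAME, b"alice@example.net"), (ATTR_EXPERIMENTAL, b"\x01\x02opaque-e2e-data")]
REQUEST_AUTH = bytes(range(16))   # Request Authenticator; random in real use, fixed here


def demo():
    request = sign(ACCESS_REQUEST, 7, REQUEST_AUTH, SAMPLE_ATTRS, NAS_SECRET)
    forwarded = proxy(request, NAS_SECRET, HOME_SECRET)
    tampered = request[:-1] + bytes([request[-1] ^ 0x01])   # flip one bit of the inbound MAC
    return {
        "forwarded_verifies_at_home": verify(forwarded, HOME_SECRET),
        "payload_unchanged": payload(forwarded) == payload(request),
        "wrong_secret_dropped": proxy(request, b"not-the-secret", HOME_SECRET) is None,
        "tampered_dropped": proxy(tampered, NAS_SECRET, HOME_SECRET) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The proxy never looks at attribute 192 or at User-Name; whether their contents are well-formed or meaningful is for the home server to decide, which is the E2E validation the message says a proxy must not perform.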