Re: [radext] Gathering opinions on draft-xue-radext-key-management
Alan DeKok <aland@deployingradius.com> Tue, 08 July 2014 02:31 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDA211B2A01 for <radext@ietfa.amsl.com>; Mon, 7 Jul 2014 19:31:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aewx4qHZrQDz for <radext@ietfa.amsl.com>; Mon, 7 Jul 2014 19:31:57 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id EAD0F1B29FB for <radext@ietf.org>; Mon, 7 Jul 2014 19:31:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id C8C122240499; Tue, 8 Jul 2014 04:31:55 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id awJJ7ZibIwuM; Tue, 8 Jul 2014 04:31:51 +0200 (CEST)
Received: from Thor.local (unknown [184.151.111.42]) by power.freeradius.org (Postfix) with ESMTPSA id 1B82B224006C; Tue, 8 Jul 2014 04:31:50 +0200 (CEST)
Message-ID: <53BB5816.90704@deployingradius.com>
Date: Mon, 07 Jul 2014 22:31:50 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Xueli <xueli@huawei.com>
References: <01FE63842C181246BBE4CF183BD159B448FD2EA1@nkgeml504-mbx.china.huawei.com>
In-Reply-To: <01FE63842C181246BBE4CF183BD159B448FD2EA1@nkgeml504-mbx.china.huawei.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/l_XXC2cpdO-biWv86jSK_qSMiaY
Cc: "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Gathering opinions on draft-xue-radext-key-management
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jul 2014 02:32:00 -0000
Xueli wrote: > As you know, we presented the draft-xue-radext-key-management (new version http://tools.ietf.org/id/draft-xue-radext-key-management-03.txt ) > Which defines the Radius extensions for key delivery between BNG and AC in some specific scenario. I think the general consensus was that this was outside of the scope of RADIUS. > Now the argument is that whether this item is the genuine Radius/RADEXT problem? RADIUS is usually about end-users. Authenticating them, authorizing them, and performing accounting for them. If you want a general purpose "remote API" protocol, see Diameter. > Radius packet is proposed to resolve this issue because of following reasons: > 1 transmit session authorization attributes > (Key, which is produced during authentication and delivered by Radius from Server to NAS) If the key is transmitted between a RADIUS client and server, then the transmission can be done as part of a normal RADIUS conversation. If the key is transmitted somewhere else, then that's a *huge* security problem. And it doesn't fit the standard RADIUS model. > 2 unsolicited messages > 3 It is not the issue of Radius, it may be the issue of EAP over Radius.. > > At this stage, the authors appreciate your opinions very much for the next step of this draft. > Can it be solved in RADEXT? If not, which WG could be the place? I think this proposal would have a hard time finding traction anywhere in the IETF. The security problems with sharing keys are very serious. Alan DeKok.
- [radext] Gathering opinions on draft-xue-radext-k… Xueli
- Re: [radext] Gathering opinions on draft-xue-rade… Alan DeKok
- Re: [radext] Gathering opinions on draft-xue-rade… Bernard Aboba
- Re: [radext] Gathering opinions on draft-xue-rade… Sam Hartman
- Re: [radext] Gathering opinions on draft-xue-rade… Xueli
- Re: [radext] Gathering opinions on draft-xue-rade… Xueli
- Re: [radext] Gathering opinions on draft-xue-rade… Xueli