Comments on draft-ietf-radext-digest-auth-06.txt (fwd)
"Bernard Aboba" <bernard_aboba@hotmail.com> Thu, 17 November 2005 00:22 UTC
Envelope-to: radiusext-data@psg.com
Delivery-date: Thu, 17 Nov 2005 00:23:41 +0000
Message-ID: <BAY106-F250ECA2C3198B2F8A5A6A1935F0@phx.gbl>
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: radiusext@ops.ietf.org
Bcc:
Subject: Comments on draft-ietf-radext-digest-auth-06.txt (fwd)
Date: Wed, 16 Nov 2005 16:22:45 -0800
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"
RFC 3072 Section 1.1 talks about the requirements for RADIUS Digest Authentication: Nevertheless, a few limited RADIUS [5] extensions may meet some of the requirements in this document (for instance, some of the authentication requirements). We expect that while RADIUS with these limited extensions will meet particular functional requirements, it will not meet other important requirements. The following are some requirements that are not expected to be met by RADIUS: 1. Section 2.1.3: RADIUS does not support a discovery feature. 2. Section 2.1.7: RADIUS does not support reliable message delivery. The following list contains the requirements that can be met by RADIUS or RADIUS extensions. 1. Section 2.1.2: Communication between domains does not scale well in RADIUS. As a result, inter-domain communications are typically handled using a proxy architecture [6]. 2. Section 2.1.5: RADIUS clients would need to support Dynamic Authorization [7]. 3. Section 2.1.9: RADIUS clients would need to rely on a lower- layer security protocol, such as IPSec, to perform mutual authentication. 4. Section 2.3.3: RADIUS clients would need to support Dynamic Authorization [7]. 5. Section 2.3.4: RADIUS clients would need to support Dynamic Authorization [7]. ---------- Forwarded message ---------- Date: Wed, 16 Nov 2005 15:43:09 -0500 From: Lou Berger <lberger@movaz.com> To: Bernard Aboba <aboba@internaut.com> Cc: beckw@t-systems.com, lberger@labn.net Subject: Comments on draft-ietf-radext-digest-auth-06.txt Bernard, (Wolfgang), Per our discussion in Vancouver, I've re-read draft-ietf-radext-digest-auth-06.txt from the perspective of SIP authorization and also comparing it to draft-ietf-aaa-diameter-sip-app-10.txt. I think you were correct (and I wasn't) in the observation that the former does the job, but I still have a small number of comments: 1. It seems to me that both the SIP and Diameter drafts don't fully support the requirements laid out in RFC 3702. Also, neither draft references this RFC. I found this really surprising. What is the relationship of the drafts to the RFC? Is there any intention/desire to have the drafts fully support it? I'm sure I'm missing something, so what's the "big picture here"? 2. Here are some specific mismatches between the draft and RFC3702, please let me know if I missed something. Support for RFC 3702, section: a) 2.1.5. Updating SIP Server Entries (and missing reference to RFC 3576) b) 2.3.2. Information Transfer [I think this implies passing via & route information on the authorization request as well as handling the response.] c) 2.4.5. Support for Accounting on Different Media 3. While not covered in the AAA requirements I think that authorization based on requested media is also needed. I think this is the complement of the (media related) policy extensions being discussed within the SIPPING WG. Please let me know what you think. Much thanks, Lou -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/radiusext/>
- Comments on draft-ietf-radext-digest-auth-06.txt … Bernard Aboba