Re: [secdir] Review of draft-ietf-isms-radius-usage-05
Eric Rescorla <ekr@networkresonance.com> Wed, 06 May 2009 13:22 UTC
Return-Path: <ekr@networkresonance.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8F3303A6F21; Wed, 6 May 2009 06:22:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.017
X-Spam-Level:
X-Spam-Status: No, score=-1.017 tagged_above=-999 required=5 tests=[AWL=-1.035, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ya5sLhUHnQE7; Wed, 6 May 2009 06:22:35 -0700 (PDT)
Received: from kilo.networkresonance.com (74-95-2-169-SFBA.hfc.comcastbusiness.net [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id 250683A6F1C; Wed, 6 May 2009 06:17:39 -0700 (PDT)
Received: from kilo.local (unknown [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id 614751995AF; Wed, 6 May 2009 06:22:44 -0700 (PDT)
Date: Wed, 06 May 2009 06:22:44 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Dave Nelson <d.b.nelson@comcast.net>
In-Reply-To: <28137ED4FBEF49BBB99BCFF561806165@NEWTON603>
References: <20090505171306.8D40E50822@romeo.rtfm.com> <28137ED4FBEF49BBB99BCFF561806165@NEWTON603>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20090506132244.614751995AF@kilo.networkresonance.com>
Cc: iesg@ietf.org, isms-chairs@tools.ietf.org, draft-ietf-isms-radius-usage@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-ietf-isms-radius-usage-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2009 13:22:36 -0000
At Tue, 5 May 2009 23:44:50 -0400, Dave Nelson wrote: > > Eric Rescorla writes... > > > Subject: Review of draft-ietf-isms-radius-usage-05 > > Thanks for your review and comments. > > > IMO, this document would benefit from a rewrite that makes it a > > lot clearer to someone not enmeshed in the WG. > > Umm. OK. That's a bit disheartening to hear, but useful feedback. > > > As far as I can tell, the idea is to explain how to outsource > > some of the authorization decisions to RADIUS. > > Correct. > > > I found this document extremely difficult to read. I realize that > > My big question is how the user authentication decisions are > > expected to be split between (e.g., SSH), and RADIUS. For > > example: > > > > - If the user has a password, who checks it the RADIUS server > > or the NAS? RADIUS certainly can do this. > > The RADIUS server makes the authentication decision. If the credential is a > password, as is the typical use case, the password is sent (hidden) in a > RADIUS Access-Request message. > > > - If the user is authenticating with SSH pubkey auth, who > > checks that? > > The SSH server, i.e. the NAS. SSH is used to create a protected transport > session (a tunnel, if you will) and the RADIUS credentials are obtained from > the SSH server implementation in the NAS and used by the RADIUS client in > the NAS to authenticate the user with the RADIUS server. Of course, it has > to be an authentication method that RADIUS supports, and SSH public key is > not one of those. so, this is what concerns me: architecturally these are pretty different--and challenge-response may be different yet. That seems like it deserves some analysis. -Ekr
- [secdir] Review of draft-ietf-isms-radius-usage-05 Eric Rescorla
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Dave Nelson
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Eric Rescorla
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Juergen Schoenwaelder
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Dave Nelson
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Sam Hartman
- Re: [secdir] Review of draft-ietf-isms-radius-usa… Dave Nelson