| Re: comments on draft-ietf-eap-netsel-problem-06.txt | <– Date –> <– Thread –> |
From: Bernard Aboba (bernard_aboba hotmail.com)
|
|
| Date: Thu, 10 May 2007 09:25:27 -0700 (PDT) | |
Joe Salowey said:
"Sorry, the section should be 2.3. Just because you have a trusted root certificate and can authenticate the identity of a AAA server does not mean that the AAA server should be authorized to be part of the AAA chain. The same goes for source routing, just because a client specifies a particular path it should be allowed."
Section 2.3.3 says:
Since the AAA
proxies on the roaming relationship path are constrained by existing
relationships, NAI-based source routing is not source routing in the
classic sense; it merely suggests preferences among already
established realm routes. If a realm route does not exist or is not
feasible, then NAI-based source routing cannot establish it.
I suggest changing this to:
"Since the AAA proxies on the roaming relationship path are
constrained by existing relationships, NAI-based source routing
is not source routing in the classic sense; it merely suggests
preferences which the AAA proxy can choose not to accomodate.
Where realm routes are set up as the result of pre-configuration
and dynamic route establishment is not supported, if a realm route
does not exist, then NAI-based source routing cannot establish it.
Even where dynamic route establishment is possible, such as where
the AAA client and server support certificate-based authentication,
and AAA servers are discoverable (such as via the mechanisms
described in [RFC3588]), a AAA proxy may choose not to establish
a realm route by initiating the discovery process based on a
suggestion in an NAI-based source route.
Even where the realm route does exist, or the AAA proxy is capable of
establishing it dynamically, the AAA proxy may choose not to
authorize the client to use it."
"Sorry, the section should be 2.3. Just because you have a trusted root certificate and can authenticate the identity of a AAA server does not mean that the AAA server should be authorized to be part of the AAA chain. The same goes for source routing, just because a client specifies a particular path it should be allowed."
Section 2.3.3 says:
Since the AAA
proxies on the roaming relationship path are constrained by existing
relationships, NAI-based source routing is not source routing in the
classic sense; it merely suggests preferences among already
established realm routes. If a realm route does not exist or is not
feasible, then NAI-based source routing cannot establish it.
I suggest changing this to:
"Since the AAA proxies on the roaming relationship path are
constrained by existing relationships, NAI-based source routing
is not source routing in the classic sense; it merely suggests
preferences which the AAA proxy can choose not to accomodate.
Where realm routes are set up as the result of pre-configuration
and dynamic route establishment is not supported, if a realm route
does not exist, then NAI-based source routing cannot establish it.
Even where dynamic route establishment is possible, such as where
the AAA client and server support certificate-based authentication,
and AAA servers are discoverable (such as via the mechanisms
described in [RFC3588]), a AAA proxy may choose not to establish
a realm route by initiating the discovery process based on a
suggestion in an NAI-based source route.
Even where the realm route does exist, or the AAA proxy is capable of
establishing it dynamically, the AAA proxy may choose not to
authorize the client to use it."
- Re: Comments on draft-ietf-eap-netsel-problem-06.txt, (continued)
- Re: Comments on draft-ietf-eap-netsel-problem-06.txt Joseph Salowey (jsalowey), April 25 2007
- Re: Comments on draft-ietf-eap-netsel-problem-06.txt Joseph Salowey (jsalowey), April 25 2007
-
Re: Comments on draft-ietf-eap-netsel-problem-06.txt Joseph Salowey (jsalowey), April 30 2007
- Re: Comments on draft-ietf-eap-netsel-problem-06.txt Bari, Farooq, April 30 2007
- Re: comments on draft-ietf-eap-netsel-problem-06.txt Bernard Aboba, May 10 2007
- Re: comments on draft-ietf-eap-netsel-problem-06.txt Joseph Salowey (jsalowey), May 17 2007
Results generated by Tiger Technologies using MHonArc.