Re: comments on draft-ietf-eap-netsel-problem-06.txt
From: Joseph Salowey (jsalowey) (jsalowey [at] cisco.com)
Date: Thu, 17 May 2007 13:56:14 -0700 (PDT)
This resolves my comment.

Thanks,

Joe 

> -----Original Message-----
> From: Bernard Aboba [mailto:bernard_aboba [at] hotmail.com] 
> Sent: Thursday, May 10, 2007 9:24 AM
> To: eap [at] frascone.com
> Subject: Re: [eap] comments on draft-ietf-eap-netsel-problem-06.txt
> 
> Joe Salowey said: 
>  
> "Sorry, the section should be 2.3.   Just because you have a 
> trusted root certificate and can authenticate the identity of 
> a AAA server does not mean that the AAA server should be 
> authorized to be part of the AAA chain.   The same goes for 
> source routing, just because a client specifies a particular 
> path it should be allowed."
>  
> Section 2.3.3 says: 
>  
>    Since the AAA proxies on the roaming relationship path are constrained
>    by existing relationships, NAI-based source routing is not source
>    routing in the classic sense; it merely suggests preferences among
>    already established realm routes.  If a realm route does not exist or
>    is not feasible, then NAI-based source routing cannot establish it.
>  
> I suggest changing this to: 
>  
> "Since the AAA proxies on the roaming relationship path are 
> constrained by existing relationships, NAI-based source 
> routing is not source routing in the classic sense; it merely 
> suggests preferences which the AAA proxy can choose not to 
> accommodate.
>  
> Where realm routes are set up as the result of 
> pre-configuration and dynamic route establishment is not 
> supported, if a realm route does not exist, then NAI-based 
> source routing cannot establish it. 
>  
> Even where dynamic route establishment is possible, such as 
> where the AAA client and server support certificate-based 
> authentication, and AAA servers are discoverable (such as via 
> the mechanisms described in [RFC3588]), a AAA proxy may 
> choose not to establish a realm route by initiating the 
> discovery process based on a suggestion in an NAI-based 
> source route.  
>  
> Even where the realm route does exist, or the AAA proxy is 
> capable of establishing it dynamically, the AAA proxy may 
> choose not to authorize the client to use it."
> 
> 
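
The proxy behaviour described in the proposed text above, as an added example that is not part of this thread or of the draft. It assumes the RFC 4282 decorated NAI form (`nextrealm!user@thisrealm`); `ProxyPolicy`, `suggested_hop`, `decide`, the client name and the example.net realms are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ProxyPolicy:
    realm_routes: set                      # realms with an established realm route
    dynamic_discovery: bool = False        # can routes be established dynamically?
    discover_on_suggestion: bool = False   # will an NAI hint trigger discovery?
    authorized: dict = field(default_factory=dict)  # client -> realms it may use

def suggested_hop(nai):
    """Return (suggested realm, NAI rewritten for that realm), or None."""
    userpart, _, _own_realm = nai.rpartition("@")
    if "!" not in userpart:
        return None                        # undecorated NAI carries no source route
    realm, rest = userpart.split("!", 1)
    realm = realm.lower()
    return realm, f"{rest}@{realm}"

def decide(policy, client, nai):
    """The NAI only suggests a preference; the proxy's own policy decides."""
    hop = suggested_hop(nai)
    if hop is None:
        return "no-suggestion"
    realm, rewritten = hop
    if realm not in policy.realm_routes:
        if not policy.dynamic_discovery:
            return "no-route"              # pre-configured routes only
        if not policy.discover_on_suggestion:
            return "discovery-declined"    # discovery possible, proxy declines
    if realm not in policy.authorized.get(client, set()):
        return "not-authorized"            # route available, client may not use it
    return "forward:" + rewritten

# Constructed sample input (not taken from the draft).
NAI = "home.example.net!user@visited.example.net"
HOME = "home.example.net"

if __name__ == "__main__":
    cases = {
        "static, no route": ProxyPolicy(set()),
        "dynamic, declines": ProxyPolicy(set(), dynamic_discovery=True),
        "route, unauthorized": ProxyPolicy({HOME}),
        "route, authorized": ProxyPolicy({HOME}, authorized={"nas1": {HOME}}),
    }
    for name, policy in cases.items():
        print(f"{name}: {decide(policy, 'nas1', NAI)}")
```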
