
Re: Radius authentication and client configuration



> At 06:07 AM 4/15/98 -0700, pcalhoun@eng.sun.com wrote:
> 
> >Not that I mean to be difficult here, but since the RADIUS WG has shut down,
> >it may be more appropriate to add new functionality to the RADIUS replacement.
> >There is work in progress on a protocol called DIAMETER. I hope to have a BOF
> >at the Chicago IETF.
> 
> Nor I.  The IPsecers have learned that key negotiations need to be done in
> a totally secure method.  Roy's proposals are in this light.  Also, next
> week I and Ted will get started on the charter and the new work.  Vendors
> need a solution by end of summer.
> 
> But Ted and I are not ruling out work elsewhere.  Either the Radius or
> Mobile stuff....

Robert,

I am not quite sure what you meant here so I will simply expand to state that
DIAMETER fixes many of the inherent problems that RADIUS has which would be
critical in this application (i.e. AVP length, AVP address space allocation,
etc). 

A DIAMETER server implementation will be made available for personal use from
Merit Networks very soon. Actually, it has had support for an older version of
the DIAMETER drafts for well over a year and I am in the process of cleaning
it up to conform to the latest specs.

I am not stating that it should be used for key negotiation, but if Policy
Server support is required (which I can imagine it would for scalability
purposes) I would like to propose DIAMETER. I would be happy to have someone
write whatever extensions are required for the IPSEC WG and can help in this
area if need be.

PatC




