Thread: Re: comments on draft-ietf-eap-netsel-problem-06.txt

Re: comments on draft-ietf-eap-netsel-problem-06.txt
2007-05-10 11:24:11
 
"Sorry, the section should be 2.3.   Just because you have a trusted root certificate and can authenticate the identity of a AAA server does not mean that the AAA server should be authorized to be part of the AAA chain.   The same goes for source routing, just because a client specifies a particular path it should be allowed."
 
Section 2.3.3 says:
 
   Since the AAA
   proxies on the roaming relationship path are constrained by existing
   relationships, NAI-based source routing is not source routing in the
   classic sense; it merely suggests preferences among already
   established realm routes.  If a realm route does not exist or is not
   feasible, then NAI-based source routing cannot establish it.

 
I suggest changing this to: 
 
"Since the AAA proxies on the roaming relationship path are
constrained by existing relationships, NAI-based source routing
is not source routing in the classic sense; it merely suggests
preferences which the AAA proxy can choose not to accommodate.
 
Where realm routes are set up as the result of pre-configuration
and dynamic route establishment is not supported, if a realm route
does not exist, then NAI-based source routing cannot establish it.
 
Even where dynamic route establishment is possible, such as where
the AAA client and server support certificate-based authentication,
and AAA servers are discoverable (such as via the mechanisms
described in [RFC3588]), a AAA proxy may choose not to establish
a realm route by initiating the discovery process based on a
suggestion in an NAI-based source route. 
 
Even where the realm route does exist, or the AAA proxy is capable of
establishing it dynamically, the AAA proxy may choose not to
authorize the client to use it."
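
The suggested text above separates three things a AAA proxy decides independently when it sees an NAI source-route hint: whether a realm route to the suggested next hop already exists, whether the proxy is willing to establish one dynamically on the strength of a hint, and whether this particular AAA client is authorized to use that route even when it exists. The following Python models that decision as policy code. It is an added example, not code from the draft or from either poster. The decorated-NAI form `homerealm!user@visitedrealm` follows RFC 4282 section 2.7; the convention that, with several decorations, the one nearest the username is the next hop is an assumption of this example, and every realm name, routing table entry and NAS identifier is constructed.

```python
"""Added example: a AAA proxy treating an NAI source-route hint as a
preference it may decline, not a route it must honour.

Syntax per RFC 4282 s2.7: "home.example!alice@visited.example" asks the
proxy for visited.example to forward "alice@home.example" on to home.example.
Assumption of this example: with several decorations, the one nearest the
username is consumed first.  All realms, tables and NAS ids are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Decision:
    action: str            # "forward", "local" or "reject"
    next_hop: str | None   # realm the request is forwarded to, if any
    nai: str               # NAI as it leaves this proxy (rewritten on forward)
    reason: str


@dataclass
class ProxyPolicy:
    own_realm: str
    # Realm routes that exist because of a pre-established roaming relationship.
    realm_routes: dict[str, str]
    # Whether this proxy runs dynamic peer discovery at all (e.g. RFC 3588 style),
    # and for which realms it is willing to do so on the strength of an NAI hint.
    dynamic_discovery: bool = False
    dynamic_allowed_realms: frozenset[str] = frozenset()
    # Which realm routes each AAA client (NAS) is authorized to select via a hint.
    client_allowed_routes: dict[str, frozenset[str]] = field(default_factory=dict)


def parse_decorated_nai(nai: str) -> tuple[str, list[str], str]:
    """Split 'A!B!user@C' into (user, [A, B], C); reject malformed input."""
    userpart, sep, realm = nai.rpartition("@")
    if not sep or not userpart or not realm:
        raise ValueError(f"not a realm-qualified NAI: {nai!r}")
    *decorations, user = userpart.split("!")
    if not user or any(not d for d in decorations):
        raise ValueError(f"malformed decoration in NAI: {nai!r}")
    return user, decorations, realm


def rewrite_for_next_hop(user: str, decorations: list[str]) -> tuple[str, str]:
    """Consume the rightmost decoration: 'A!B!user@C' becomes 'A!user@B' at C."""
    next_hop = decorations[-1]
    return next_hop, "!".join(decorations[:-1] + [user]) + "@" + next_hop


def evaluate(policy: ProxyPolicy, nai: str, client_id: str) -> Decision:
    user, decorations, realm = parse_decorated_nai(nai)

    if realm != policy.own_realm:
        # Not addressed to us: ordinary realm-based routing, no hint involved.
        if realm in policy.realm_routes:
            return Decision("forward", realm, nai, "ordinary realm route")
        return Decision("reject", None, nai, f"no realm route to {realm}")

    if not decorations:
        return Decision("local", None, nai, "home realm, handle locally")

    next_hop, rewritten = rewrite_for_next_hop(user, decorations)

    # 1. A route must already exist, or the proxy must be willing to establish one.
    if next_hop in policy.realm_routes:
        how = "established realm route"
    elif policy.dynamic_discovery and next_hop in policy.dynamic_allowed_realms:
        how = "route established dynamically (policy permits discovery for this realm)"
    else:
        return Decision("reject", None, nai,
                        f"hint for {next_hop} not accommodated: no realm route and "
                        "proxy declines to establish one")

    # 2. Even with a usable route, the client must be authorized to select it.
    if next_hop not in policy.client_allowed_routes.get(client_id, frozenset()):
        return Decision("reject", None, nai,
                        f"client {client_id} not authorized to use route to {next_hop}")

    return Decision("forward", next_hop, rewritten, how)


# Constructed policy for the proxy serving visited.example.
EXAMPLE_POLICY = ProxyPolicy(
    own_realm="visited.example",
    realm_routes={"home.example": "aaa1.home.example",
                  "partner.example": "aaa.partner.example"},
    dynamic_discovery=True,
    dynamic_allowed_realms=frozenset({"discoverable.example"}),
    client_allowed_routes={
        "nas-lobby": frozenset({"home.example"}),
        "nas-staff": frozenset({"home.example", "partner.example", "discoverable.example"}),
    },
)

if __name__ == "__main__":
    for nai, nas in [("home.example!alice@visited.example", "nas-lobby"),
                     ("partner.example!alice@visited.example", "nas-lobby"),
                     ("home.example!partner.example!bob@visited.example", "nas-staff")]:
        print(nai, nas, "->", evaluate(EXAMPLE_POLICY, nai, nas))
```

The two reject branches correspond to the two sentences of the proposed text: "no realm route and proxy declines to establish one" is the case where the hint cannot create a route, and "client not authorized" is the case where the route exists but the proxy still refuses to let this client select it. Note that `parse_decorated_nai` raises on an NAI with no realm or with an empty decoration, so a malformed hint never reaches the routing decision.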

Re: comments on draft-ietf-eap-netsel-problem-06.txt
2007-05-17 15:56:01
This resolves my comment.

Thanks,

Joe 

> -----Original Message-----
> From: Bernard Aboba [mailto:bernard_abobahotmail.com]
> Sent: Thursday, May 10, 2007 9:24 AM
> To: eapfrascone.com
> Subject: Re: [eap] comments on draft-ietf-eap-netsel-problem-06.txt
>
> Joe Salowey said:
>
> "Sorry, the section should be 2.3. Just because you have a trusted
> root certificate and can authenticate the identity of a AAA server
> does not mean that the AAA server should be authorized to be part of
> the AAA chain. The same goes for source routing, just because a
> client specifies a particular path it should be allowed."
>
> Section 2.3.3 says:
>
>    Since the AAA proxies on the roaming relationship path are
>    constrained by existing relationships, NAI-based source routing is
>    not source routing in the classic sense; it merely suggests
>    preferences among already established realm routes. If a realm
>    route does not exist or is not feasible, then NAI-based source
>    routing cannot establish it.
>
> I suggest changing this to:
>
> "Since the AAA proxies on the roaming relationship path are
> constrained by existing relationships, NAI-based source routing is
> not source routing in the classic sense; it merely suggests
> preferences which the AAA proxy can choose not to accommodate.
>
> Where realm routes are set up as the result of pre-configuration and
> dynamic route establishment is not supported, if a realm route does
> not exist, then NAI-based source routing cannot establish it.
>
> Even where dynamic route establishment is possible, such as where the
> AAA client and server support certificate-based authentication, and
> AAA servers are discoverable (such as via the mechanisms described in
> [RFC3588]), a AAA proxy may choose not to establish a realm route by
> initiating the discovery process based on a suggestion in an
> NAI-based source route.
>
> Even where the realm route does exist, or the AAA proxy is capable of
> establishing it dynamically, the AAA proxy may choose not to
> authorize the client to use it."