>>>>> "Jim" == Jim Schaad <[email protected]> writes:
Jim> I have been reading more documents (always a bad idea) and I
Jim> think that the architecture document probably needs to cover
Jim> some requirements on the host protocol to be used with ABFAB.
Jim> At this point in time I have the following issues that I think
Jim> need to be checked: 1. What is the assumption that EAP uses
Jim> when being transported over RADIUS/DIAMETER. Specifically does
Jim> it make assumption that the transport is reliable and thus no
Jim> retries ever need to be made. If this is the case then the
Jim> same assumption would need to either be placed on the host
Jim> protocol or on the service provider.
No, the RADIUS server would retransmit.
GSS does need to reliably transport context tokens.
If 2743 doesn't say that, we need to say that here.
If 2743 does say that, adding a reference seems fine.
Jim> 2. What are the trade-offs when running the server as an EAP
Jim> pass-through service versus as a tunnel. Specifically what are
Jim> the security and functionality requirements that are imposed.
Jim> Two issues that I can think of are 1) is the EAP data masked
Jim> from the server and 2) if the host protocol is not reliable,
Jim> does the pass-through service need to provide the retry
Jim> service.
Jim> 3. It would do well to re-state the requirements from GSSAPI
Jim> in the document - specifically that it is required the host
Jim> protocol provide a reliable service that will deliver items to
Jim> GSS-API in order. This means that an underlying protocol that
Jim> wants to use UDP for some reason will have additional
Jim> requirements placed on it that are not there for a TCP based
Jim> service.
Context tokens must be delivered in order.
Per-message tokens need not be delivered in order.
Jim> 4. Can a host protocol be written as a pure query/response
Jim> system or does it need to support full bi-directional, full
Jim> duplex functionality. Specifically are there any requirements
Jim> from ABFAB itself (say from EAP) that make it impossible to run
Jim> as a query/response system. For example, if an EAP server
Jim> needs to do a re-try and generates a message to be sent down,
Jim> can this occur? Is this going to be allowed by
Jim> Radius/Diameter? Is it an issue for the host protocol to
Jim> understand? These are issues that can be lost if one is
Jim> looking just at the requirements of the host protocol. (I do
Jim> not currently know if this is an issue for creation of a
Jim> GSS-API context or not.)
The GSS-API context protocol is query-response.
Per-message protocols can be whatever they like.
Jim> Jim
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
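The two delivery rules stated in the reply (context tokens must reach GSS-API reliably and in order, per-message tokens need not) and the query/response shape of context establishment, modelled as an added example; this is not code from the thread, from ABFAB or from any GSS-API implementation. The `Token` shape, the sequence numbers, the three-round context exchange and the datagram arrival order are all constructed for illustration. It shows what a UDP-based host protocol has to add on its own before it may hand context tokens to GSS-API (sequencing, reordering, duplicate suppression), which a TCP-based host protocol gets from the transport, and contrasts that with a replay window for per-message tokens, which may legitimately arrive out of order.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Token:
    kind: str    # "ctx" = context-establishment token, "msg" = per-message token
    seq: int     # sequence number assigned by the sender (constructed)
    body: bytes


class ContextAcceptor:
    """Stand-in for the accepting side of the GSS-API context protocol (not
    a real GSS implementation): a strict query/response loop that must see
    tokens 0, 1, 2 ... in exactly that order."""

    def __init__(self, rounds: int) -> None:
        self.rounds = rounds
        self.next_seq = 0
        self.established = False

    def accept(self, tok: Token) -> Optional[Token]:
        if tok.seq != self.next_seq:
            raise RuntimeError(
                f"context token {tok.seq} out of order, expected {self.next_seq}")
        self.next_seq += 1
        self.established = self.next_seq >= self.rounds
        # Query/response: each consumed token yields at most one reply token.
        return None if self.established else Token("ctx", tok.seq, b"reply")


class HostProtocolReceiver:
    """What a datagram-based host protocol must add before handing tokens to
    GSS-API: in-order delivery plus duplicate suppression for context tokens,
    and a sliding replay window for per-message tokens."""

    def __init__(self, acceptor: ContextAcceptor, window: int = 64) -> None:
        self.acceptor = acceptor
        self.window = window
        self.early: Dict[int, Token] = {}     # context tokens that arrived ahead of a gap
        self.seen_msg: Set[int] = set()       # per-message seqs already delivered
        self.highest_msg = -1
        self.delivered_msgs: List[int] = []

    def on_datagram(self, tok: Token) -> None:
        if tok.kind == "ctx":
            if tok.seq < self.acceptor.next_seq or tok.seq in self.early:
                return                         # retransmitted duplicate: drop it
            self.early[tok.seq] = tok
            while self.acceptor.next_seq in self.early:   # drain the contiguous run
                self.acceptor.accept(self.early.pop(self.acceptor.next_seq))
        elif tok.kind == "msg":
            too_old = tok.seq <= self.highest_msg - self.window
            if too_old or tok.seq in self.seen_msg:
                return                         # replay, or outside the window: drop
            self.seen_msg.add(tok.seq)
            self.highest_msg = max(self.highest_msg, tok.seq)
            self.delivered_msgs.append(tok.seq)   # out-of-order delivery is allowed
        else:
            raise ValueError(f"unknown token kind {tok.kind!r}")


# Constructed arrival order over a lossy, reordering datagram service: context
# tokens 2, 0, 1 with token 1 retransmitted, then per-message tokens 5, 3,
# 3 (replay), 4.
ARRIVALS: List[Token] = [
    Token("ctx", 2, b"c2"), Token("ctx", 0, b"c0"),
    Token("ctx", 1, b"c1"), Token("ctx", 1, b"c1"),
    Token("msg", 5, b"m5"), Token("msg", 3, b"m3"),
    Token("msg", 3, b"m3"), Token("msg", 4, b"m4"),
]


def run_with_host_protocol(arrivals: List[Token] = ARRIVALS):
    """The host protocol repairs order: the context establishes and
    per-message tokens 5, 3, 4 are delivered (3 delivered once only)."""
    acc = ContextAcceptor(rounds=3)
    rx = HostProtocolReceiver(acc)
    for tok in arrivals:
        rx.on_datagram(tok)
    return acc.established, rx.delivered_msgs


def run_raw_datagrams(arrivals: List[Token] = ARRIVALS) -> Optional[str]:
    """The same datagrams handed straight to GSS-API with no sequencing
    layer: the first out-of-order context token is fatal. Returns the
    error text, or None when the context established cleanly."""
    acc = ContextAcceptor(rounds=3)
    try:
        for tok in (t for t in arrivals if t.kind == "ctx"):
            acc.accept(tok)
    except RuntimeError as err:
        return str(err)
    return None
```

Running `run_with_host_protocol()` returns `(True, [5, 3, 4])`, while `run_raw_datagrams()` fails on the very first datagram; the difference is entirely the sequencing layer, which is the extra requirement the thread says a UDP-based host protocol takes on and a TCP-based one does not.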