Hi Sam:

On 19/10/2011, at 17:21, Sam Hartman wrote:

>     Rafa> Hi again: I have been thinking again about the situation
>     Rafa> created with sending an EAP response/id without the
>     Rafa> authenticator sending EAP request/id and I realized that it
>     Rafa> may be even worse in the authenticator side. Basically, the
>     Rafa> authenticator will see an EAP response message which does not
>     Rafa> answer to any EAP request sent.
>
> OK. point taken.
> I've been steadily leaning towards subtoken, but I think the above
> argument is convincing enough to push me firmly into the subtoken camp.

Definitely, designing a subtoken seems the most standard way of defining this optimization.

Nevertheless, we may need to think about something I just realized. It may happen that, when the acceptor sends the EAP-Start in the RADIUS Access-Request, the RADIUS EAP/AAA server decides to start with the EAP Request/Identity instead of the first EAP Request of the chosen EAP method. The reason is the text from RFC 3579 I pasted in my previous e-mail, where it says:

"The RADIUS server will typically respond with an Access-Challenge containing EAP-Message attribute(s) encapsulating an EAP-Request/Identity (Type 1). However, an EAP-Request for an authentication method (Type 4 or greater) can also be sent by the server."

It means that the RADIUS EAP/AAA server implementation is not obliged (there is no MUST in the text) to start an EAP method instead of sending an EAP Request/Identity. This means that the RADIUS EAP/AAA server should be correctly configured to allow this optimization. Otherwise, the RADIUS EAP/AAA server will send the EAP Request/Identity, which has to travel all the way to the authenticator. Although the solution does not violate any standard, in certain cases it may not help to achieve the optimization if the home EAP/AAA server is not configured to directly select the EAP method for that peer.
I would even say that it is more problematic than sending the EAP Request/Identity from the authenticator (the EAP Request/Identity sent from the home EAP/AAA server will add more latency and the same number of messages as the current non-optimized case). So the question would be: can we be sure that all home EAP/AAA servers will act so as to allow the optimization?

> Thanks for walking through this with me!

Thank you. These conversations are always interesting and I am willing to participate as far as I can.

> So, I formally propose that we require initiators to send an identity
> subtoken either in their first token or in the response to the acceptor
> name.
>
> Can I get comments on this?

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151
e-mail: [email protected]
-------------------------------------------------------
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
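The two points raised in the message above (an EAP Response that answers no outstanding Request, and a home AAA server that answers EAP-Start with a Request/Identity instead of the method) can be checked with a small model. The following is an added example written for this page; it is not code from the ABFAB list, from RFC 3579 or from any GSS-EAP implementation. It builds EAP packets per RFC 3748, wraps them in the RADIUS EAP-Message attribute (type 79) per RFC 3579, models an AAA server that either starts the method directly on EAP-Start or sends Request/Identity first, and counts the messages and the authenticator-to-AAA round trips until the peer holds the first method Request. The method type (EAP-TTLS, 21), the identity, and the fact that the identity subtoken is counted as a message of its own (in GSS-EAP it rides in a token the initiator sends anyway) are assumptions of the model.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# EAP codes and types (RFC 3748 section 4); the method type is an assumption.
EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY = 1
TYPE_METHOD = 21            # assumed: EAP-TTLS stands in for "the chosen EAP method"
RADIUS_EAP_MESSAGE = 79     # RADIUS EAP-Message attribute (RFC 3579 section 3.1)


def eap_encode(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def eap_decode(pkt: bytes):
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return code, ident, eap_type, pkt[5:]


def eap_message_attr(pkt: bytes) -> bytes:
    """RADIUS EAP-Message attribute (single fragment): Type(1) Length(1) Value.
    An empty value (Length == 2) is the EAP-Start signal of RFC 3579 section 2.1."""
    assert len(pkt) <= 253
    return struct.pack("!BB", RADIUS_EAP_MESSAGE, 2 + len(pkt)) + pkt


@dataclass
class Trace:
    hops: list = field(default_factory=list)      # (src, dst, description)

    def send(self, src: str, dst: str, what: str) -> None:
        self.hops.append((src, dst, what))

    @property
    def messages(self) -> int:
        return len(self.hops)

    @property
    def aaa_round_trips(self) -> int:
        return sum(1 for src, _, _ in self.hops if src == "aaa")


class AAAServer:
    """RADIUS EAP server. RFC 3579 lets it answer EAP-Start either with a
    Request/Identity (the typical case) or directly with a method Request."""
    def __init__(self, starts_method_on_eap_start: bool):
        self.starts_method = starts_method_on_eap_start
        self.next_id = 0

    def on_eap_start(self) -> bytes:
        self.next_id += 1
        t = TYPE_METHOD if self.starts_method else TYPE_IDENTITY
        return eap_encode(EAP_REQUEST, self.next_id, t)

    def on_eap_response(self, pkt: bytes) -> bytes:
        code, ident, _, _ = eap_decode(pkt)
        assert code == EAP_RESPONSE
        self.next_id = ident + 1
        return eap_encode(EAP_REQUEST, self.next_id, TYPE_METHOD)


def authenticator_accepts(outstanding_request: Optional[bytes], response: bytes) -> bool:
    """RFC 3748 section 4.1: a Response is valid only if it answers the outstanding
    Request (same Identifier). A Response/Identity sent with no Request pending,
    the idea rejected above, has nothing to match and is dropped."""
    if outstanding_request is None:
        return False
    _, req_id, _, _ = eap_decode(outstanding_request)
    code, resp_id, _, _ = eap_decode(response)
    return code == EAP_RESPONSE and resp_id == req_id


def run_identity_exchange(identity: bytes, aaa: AAAServer, identity_subtoken: bool) -> Trace:
    """Run until the peer holds the first method Request.
    identity_subtoken=False: the acceptor issues Request/Identity itself.
    identity_subtoken=True: identity travels in a GSS subtoken, acceptor sends EAP-Start."""
    tr = Trace()
    if not identity_subtoken:
        req = eap_encode(EAP_REQUEST, 1, TYPE_IDENTITY)
        tr.send("acceptor", "peer", "EAP-Request/Identity")
        resp = eap_encode(EAP_RESPONSE, 1, TYPE_IDENTITY, identity)
        assert authenticator_accepts(req, resp)
        tr.send("peer", "acceptor", "EAP-Response/Identity")
        tr.send("acceptor", "aaa", "Access-Request " + eap_message_attr(resp).hex())
        req = aaa.on_eap_response(resp)
    else:
        tr.send("peer", "acceptor", "identity subtoken " + identity.decode())
        tr.send("acceptor", "aaa", "Access-Request EAP-Start " + eap_message_attr(b"").hex())
        req = aaa.on_eap_start()
    # Deliver what the AAA sent; if it insisted on Request/Identity, go around once more.
    while True:
        _, ident, eap_type, _ = eap_decode(req)
        tr.send("aaa", "acceptor", "Access-Challenge " + eap_message_attr(req).hex())
        if eap_type != TYPE_IDENTITY:
            tr.send("acceptor", "peer", "EAP-Request/method")
            return tr
        tr.send("acceptor", "peer", "EAP-Request/Identity")
        resp = eap_encode(EAP_RESPONSE, ident, TYPE_IDENTITY, identity)
        assert authenticator_accepts(req, resp)
        tr.send("peer", "acceptor", "EAP-Response/Identity")
        tr.send("acceptor", "aaa", "Access-Request " + eap_message_attr(resp).hex())
        req = aaa.on_eap_response(resp)
```

Running `run_identity_exchange(b"alice@example.org", AAAServer(True), identity_subtoken=True)` gives the intended optimized flow (4 messages, one AAA round trip); the same call with `AAAServer(False)` shows the case the message warns about, where the Request/Identity goes all the way out to the peer and back and the AAA leg is crossed twice, against 5 messages and one AAA round trip for the flow without the subtoken.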
