>>>>> "Klaas" == Klaas Wierenga (kwiereng) <[email protected]> writes:
Klaas> I think Stephen raises a valid point. Just pointing to the
Klaas> RADIUS hop-by-hop protection is a bit weak, after all there
Klaas> is potentially a lot more authorization data going over the
Klaas> wire compared to the simple network access case. I think it
Klaas> is fine to call out the hop-by-hop behaviour and, as you
Klaas> mention above, state that if you want direct peer-to-peer
Klaas> connections you'll have to do RadSec. Don't you think that
Klaas> that would decrease the likelihood of ill-thought-through
Klaas> deployments? I have seen a couple of weird uses of the
Klaas> eduroam trust fabric (not looking at you Josh ;-), so a bit
Klaas> of discussion around this topic would help.

I'm all for security considerations text.
Heck, I'm all for MTI RADSEC if we could find a process way to do it.
--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab