Hi,

>> Either TLS or IPSEC for RADIUS will thwart pervasive monitoring.

As an author of RFC6614 on RADIUS/TLS, I try to keep an ear on the ground when it comes to deployment in real life. One of the things I hear occasionally is that people read the tag "Experimental" and conclude that this is something they don't want to do. That's a real shame.

In eduroam, we are now using RADIUS/TLS on numerous international aggregation links. It has some usability issues (PKI is much more complex to deploy than "good old" shared secrets) and some spurious transmission issues (reported by some people on busy links - I suspect head-of-line blocking at play) - but overall this is perfectly usable in real life.

Maybe the time to move it from Experimental to Standards Track has come.

> If someone gains access to the backend database of the RADIUS server
> then you are unfortunately in trouble. It is also worth noting that both
> RADIUS and Diameter deployments have lots of intermediaries (as noted in
> these privacy reviews:
> http://www.iab.org/wp-content/IAB-uploads/2011/07/ABFAB-privacy-review.txt
> http://www.iab.org/wp-content/IAB-uploads/2011/07/AAA-privacy-review.txt
>
> What you can then see is probably very similar to this:
> http://www.zeit.de/datenschutz/malte-spitz-data-retention

While that's totally true - this isn't perpass, is it? Yes, there are proxies, and there are EAP home servers; if you break into them then you can do lots of fancy things. But you are not a pervasive *passive* attacker any more.

Greetings,

Stefan Winter

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
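The thread contrasts RADIUS/TLS with "good old" shared secrets against a pervasive passive attacker. The following is an added example, not code from Stefan's mail, eduroam or RFC 6614: it builds a plain RADIUS Access-Request exactly as RFC 2865 specifies (Request Authenticator, MD5-keystream hiding of User-Password) and then parses it the way an on-path observer who does not hold the secret would. The shared secret `testing123`, the user name, the station MAC and the NAS address are constructed test values. The point it shows is that the shared secret only hides the User-Password attribute; identity and location attributes travel in the clear, which is exactly what a transport like TLS or IPsec removes from the passive observer's view.

```python
import hashlib
import struct

# Constructed example values (not from any real deployment).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31


def obfuscate_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def deobfuscate_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of obfuscate_password; only possible with the shared secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, including header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, req_auth: bytes, username: bytes,
                         password: bytes, nas_ip: str, calling_station: bytes) -> bytes:
    """Serialise an Access-Request the way a NAS sends it over plain UDP."""
    attrs = (
        encode_attr(ATTR_USER_NAME, username)
        + encode_attr(ATTR_USER_PASSWORD, obfuscate_password(password, secret, req_auth))
        + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + encode_attr(ATTR_CALLING_STATION_ID, calling_station)
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def observer_view(packet: bytes):
    """Parse a captured packet without any secret: code, identifier,
    Request Authenticator and every attribute value as it appears on the wire."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, req_auth, attrs


if __name__ == "__main__":
    secret = b"testing123"           # constructed shared secret
    ra = bytes(range(16))            # constructed Request Authenticator (normally random)
    pkt = build_access_request(7, secret, ra, b"alice@example.org", b"s3cret!",
                               "192.0.2.10", b"00-11-22-33-44-55")
    _, _, _, seen = observer_view(pkt)
    print("observer sees User-Name:         ", seen[ATTR_USER_NAME])
    print("observer sees Calling-Station-Id:", seen[ATTR_CALLING_STATION_ID])
    print("observer sees User-Password:     ", seen[ATTR_USER_PASSWORD].hex())
```

Running the block prints the identity and station MAC verbatim and only the password as opaque bytes; that leak of who-is-where on every hop is what a passive collector on a proxy link gathers, and wrapping the same packets in TLS (RFC 6614) or IPsec hides all of it from that observer.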
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
