Hi Alan,

>> An interesting use case for EAP-SASL with all this would be WiFi and LAN
>> authentication (EAPOL or 802.1x) passed over Diameter to *any* domain on
>> the Internet, and receiving back tunnel information.
>
> Or RADIUS....
That's what everyone is thinking ;-) The reason for Diameter is that it
scales up to the Internet (in terms of connection pooling / efficiency and
in terms of security). RADIUS is really useful for internal networks, but
becomes rather clumsy when crossing the Internet -- it is not suited for
worldwide public service.

> TBH, I can't recall seeing many WiFi deployments which use Diameter. None
> of the access points support it. Similarly, EAP over LAN is implemented in
> most switches, but they definitely don't do Diameter.

Catch-22 -- no use case, no software. That's why I'm describing the use case
here. We'll probably package our kit for OpenWRT, so everyone can benefit /
derive from it. A patchy solution is possible for closed routers; RADIUS and
Diameter can crossover, so a local node doing that is possible.

> Is there a specific reason why Diameter was chosen?

Certainly,

- It enforces mutually authenticated TLS for peer-validation
- It does not silently assume a profile but negotiates at startup
- It can pool validated TLS connections for reuse
- It runs over SCTP for reliability without head-of-line blocking

These are hardly a concern for internal networking, and very much concerns
for dynamic realm crossover.

>> Clients would be
>> tunneled to their own network/IP/routing and it would be easier for
>> public access providers to offer full networking without worry about the
>> behaviour it outputs over their IP range.
>
> I think that's a separate step from EAP, or SASL over EAP. It may be
> difficult in practice to define that tunneling.

Yes it is separate, and just here to give you some context. There are several
AVP sets for tunneling in RADIUS / Diameter, and making a choice would
probably help the crossover to work in general.

>> Before this group existed I wrote a spec for EAP-SASL, is it worthwhile
>> to continue, and how/what do you advise?
>> https://www.ietf.org/archive/id/draft-vanrein-eap-sasl-00.txt
>
> That draft looks reasonably clear.
Thanks for taking the time to judge that. I'll wait a little more to hear
others respond on what to do here. I agree with your take that it's not an
exact fit here but that it has no other place either.

>> The other work is progressing in
>> https://tools.ietf.org/html/draft-vanrein-diameter-sasl-03
>
> I have no opinions on that draft.

....as it merely provides context, yes of course.

Thanks,
 -Rick

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
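The startup negotiation Rick lists among his reasons (a Diameter peer states what it supports instead of assuming a profile), as an added example that is not from this thread or either draft: it encodes a Capabilities-Exchange-Request per RFC 6733 advertising the Diameter EAP application id (5, RFC 4072) and TLS as Inband-Security-Id, then parses one back with length checks so a receiver can decide whether the peer offers what it requires. The host, realm, address and product name are constructed sample values.

```python
import struct
# Command and AVP codes from RFC 6733; the Diameter EAP application id is from RFC 4072.
CMD_CER = 257
AVP_ORIGIN_HOST, AVP_ORIGIN_REALM, AVP_HOST_IP_ADDRESS, AVP_VENDOR_ID = 264, 296, 257, 266
AVP_PRODUCT_NAME, AVP_AUTH_APPLICATION_ID, AVP_INBAND_SECURITY_ID = 269, 258, 299
APP_DIAMETER_EAP = 5      # application id an EAP-over-Diameter peer must advertise
INBAND_TLS = 1            # Inband-Security-Id value meaning TLS

def u32(n):
    return struct.pack("!I", n)

def avp(code, data, mandatory=True):
    """AVP = code(4) flags(1) length(3) data, padded to a 4-byte boundary."""
    length = 8 + len(data)                       # AVP Length excludes the padding
    head = struct.pack("!IB", code, 0x40 if mandatory else 0) + length.to_bytes(3, "big")
    return head + data + b"\x00" * (-len(data) % 4)

def build_cer(origin_host, origin_realm, ipv4, inband=INBAND_TLS):
    """CER advertising the EAP application and the in-band security the node requires."""
    body = b"".join([
        avp(AVP_ORIGIN_HOST, origin_host.encode()),
        avp(AVP_ORIGIN_REALM, origin_realm.encode()),
        avp(AVP_HOST_IP_ADDRESS, b"\x00\x01" + bytes(int(o) for o in ipv4.split("."))),
        avp(AVP_VENDOR_ID, u32(0)),
        avp(AVP_PRODUCT_NAME, b"example-eap-sasl-node", mandatory=False),  # constructed name
        avp(AVP_AUTH_APPLICATION_ID, u32(APP_DIAMETER_EAP)),
        avp(AVP_INBAND_SECURITY_ID, u32(inband)),
    ])
    # Header: version(1) length(3) flags(1, R=request) command(3) app-id(4) hop-by-hop(4) end-to-end(4)
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
              + CMD_CER.to_bytes(3, "big") + u32(0) + u32(1) + u32(1))
    return header + body

def parse_avps(msg):
    """Decode one Diameter message's AVPs into {code: [data, ...]}, rejecting bad lengths."""
    if msg[0:1] != b"\x01" or int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("bad version or message length")
    out, pos = {}, 20
    while pos < len(msg):
        if pos + 8 > len(msg):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", msg[pos:pos + 5])
        length = int.from_bytes(msg[pos + 5:pos + 8], "big")
        hdr = 12 if flags & 0x80 else 8              # V flag adds a 4-byte Vendor-Id
        if length < hdr or pos + length > len(msg):
            raise ValueError("bad AVP length")
        out.setdefault(code, []).append(msg[pos + hdr:pos + length])
        pos += length + (-length % 4)
    return out

def cer_offers_eap_over_tls(msg):
    """True only if the peer advertised the EAP application *and* TLS in-band security."""
    avps = parse_avps(msg)
    apps = {int.from_bytes(d, "big") for d in avps.get(AVP_AUTH_APPLICATION_ID, [])}
    sec = {int.from_bytes(d, "big") for d in avps.get(AVP_INBAND_SECURITY_ID, [])}
    return APP_DIAMETER_EAP in apps and INBAND_TLS in sec
```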