CURRENT_MEETING_REPORT_


Reported by John Vollbrecht/Merit Network and Allan Rubens/Merit Network

Minutes of the Network Access Server Requirements Working Group
(NASREQ)

The NASREQ Working Group met on Tuesday, November 2.  There was a brief
review of the rationale for NAS/helper separation and Steve Willens
walked through the proposed RADIUS protocol document that could be used
to support this separation.

Steve provided copies of the document which will be updated and
submitted as an Internet-Draft.  There was a lot of discussion about the
document.  The general consensus was that it was a good idea to have
such a protocol, that the protocol met a number of needs, and it should
eventually be submitted for consideration as an RFC. Some of the issues
raised were:


   o Security:

     An MD5 hashing algorithm is used to hide the password.  It was
     suggested that this might not be a good mechanism, and that it
     might not be exportable.  It is not known where to get answers to
     these issues.

     Secrets shared between NAS and RADIUS server are configured rather
     than obtained from an authentication server.  It was suggested
     that this could be done either way, depending on whether the NAS is
     able to do Kerberos.

   o Extensibility:

     A lot of discussion concerned whether parameters should be
     identified with ASCII strings or numeric IDs.  This discussion will
     presumably continue on the mailing list.

   o TCP versus UDP:

     A suggestion was made that the protocol should be built on TCP
     rather than UDP. This will be considered more on the mailing list,
     but consensus seemed to favor TCP.

   o Downloadable filters:

     Filters should be dynamically settable.

   o Other:

     The text of the document needs to clarify which attributes belong
     together, which are sent by the NAS, and which are returned by the
     RADIUS server.

     May want to be able to send an arbitrary string to be interpreted
     by the command interpreter in the NAS.


A very brief presentation on distributed authentication was given as
a possible future subject for the working group to consider.  This was
discussed further in the Security Area Advisory Group (SAAG) meeting on
Thursday and we agreed to have this discussion at the first SAAG meeting
in Seattle.

We discussed changing the charter of the group and the following
elements were described as a possible direction:


   o Finish the NAS Requirements document and submit it for
     consideration as an Informational RFC following the Seattle IETF.
     We need volunteers to work on pieces of the document.

   o Revise the RADIUS protocol definition and submit it for
     consideration as an RFC after review at the Seattle IETF.

   o Move KAP/PKAP to the Point-to-Point Protocol Extensions Working
     Group (PPPEXT) and/or to a working group in the Security Area.  The
     group that it might go to in the Security Area is under discussion.

   o Focus the attention of the group on distributed authentication in
     support of shared dialin between organizations.  This will likely
     have other implications and should have significant support from
     security area folks to be successful.


Attendees

Nick Alfano              alfano@mpr.ca
Jim Barnes               barnes@xylogics.com
Larry Blunk              ljb@merit.edu
Cheng Chen               chen@accessworks.com
Blair Copland            copland@unt.edu
Robert Downs             bdowns@combinet.com
Antonio Fernandez        afa@thumper.bellcore.com
Jisoo Geiter             geiter@mitre.org
Mei-Jean Goh             goh@mpr.ca
Chris Gorsuch            chrisg@lobby.ti.com
Marco Hernandez          marco@cren.net
Matt Hood                hood@nsipo.nasa.gov
John Linn                linn@security.ov.com
Brian Lloyd              brian@lloyd.com
Glenn McGregor           ghm@lloyd.com
Piers McMahon            p.v.mcmahon@rea0803.wins.icl.co.uk
Michael Michnikov        mbmg@mitre.org
Bob Morgan               morgan@networking.stanford.edu
Michael O'Dell           mo@uunet.uu.net
Rakesh Patel             rapatel@pilot.njin.net
Allan Rubens             acr@merit.edu
William Simpson          Bill.Simpson@um.cc.umich.edu
Dave Solo                solo@bbn.com
Don Stephenson           don.stephenson@sun.com
Theodore Ts'o            tytso@mit.edu
Raymond Vega             rvega@cicese.mx
John Vollbrecht          jrv@merit.edu
Steve Willens            steve@livingston.com