Hi Sam,
El 06/07/11 22:21, Sam Hartman escribió:
>
> It plays the role of SAML metadata in our system.
ok, although it runs federation routing and topology information, and
forwards eap authentications. It plays a lot of roles :)
> However it is not required that every institution needs to deploy a trust router.
>
ok
> Gabriel> - Does the term Trust Path refer to the AAA path/TRs path/mixed?
>
> Your AAA message goes from something near the RP to the radsec server
> near or at the IDP assuming you're actually using RADSEC.
> However other realms help set up the technical and policy trust required
> to send that message.
I can understand the AAA path in this case, but l think this mixed path
is very complicated. If every realm implements this functionality like a
AAA server it would be more interesting.
>
> Gabriel> Section 4:
>
> Gabriel> - The list of security properties required by the Trust Routers
> Gabriel> would help to a better understanding of the protocol :)
>
> * hop-by-hop integrity
> * peer entity authentication
> * for some deployments confidentiality
The last comments clarifies this point
>
> OK, let's take the example from Margaret's draft.
> I'm going to try and enumerate all the traffic .
>
> 1) Trust routers exchange and flood routes. I don't know what the order
> of messages of this exchange is, but I'm sure people familiar with
> routing protocols do. This is amortized across all uses of the trust
> infrastructure. Messages are generated when routes change.
This is an important point that may required another important number of
exchanges, in order to build and exchange the federation topology (I'm
thinking here in something like eduroam) and to query that path by the
RP (although I suppose here only 2 messages are needed)
>
>
Have you analysed how this process (I count 18 messages for 4 realms
without routing and attribute request exchanges) could affect specific
services like SIP?
Thanks a lot for your comments Sam, I think this explanation (completed
with the routing part) should appear in the next version.
Best regards, Gabi.
--
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [log in to unmask]
|
