RADIUS Extension for Digest Authentication
draft-ietf-radext-rfc4590bis-02

id-nits shows the following warnings that may need to be clarified in a note to the RFC editor:

idnits 2.04.10

tmp/draft-ietf-radext-rfc4590bis-02.txt(1267): Found possible IPv4 address '192.168.2.38' in position 24; this doesn't match RFC3330's suggested 192.0.2.0/24 address range.
tmp/draft-ietf-radext-rfc4590bis-02.txt(1324): Found possible IPv4 address '192.168.2.38' in position 24; this doesn't match RFC3330's suggested 192.0.2.0/24 address range.
tmp/draft-ietf-radext-rfc4590bis-02.txt(1382): Found possible IPv4 address '192.168.2.38' in position 24; this doesn't match RFC3330's suggested 192.0.2.0/24 address range.
tmp/draft-ietf-radext-rfc4590bis-02.txt(1430): Found possible IPv4 address '192.168.2.38' in position 24; this doesn't match RFC3330's suggested 192.0.2.0/24 address range.


  Checking nits according to http://www.ietf.org/ID-Checklist.html:
  ----------------------------------------------------------------------------

  == There are 4 instances of lines with private range IPv4 addresses in the
    document.  If these are generic example addresses, they should be changed
    to use the 192.0.2.x range defined in RFC 3330.

id-nits shows the following warnings:

idnits 2.04.10

tmp/draft-ietf-radext-rfc4590bis-02.txt(1267): Found possible IPv4 address '192.168.2.38' in position 24; this doesn't match RFC3330's suggested 192.0.2.0/24 address range.
tmp/draft-ietf-radext-rfc4590bis-02.txt(1324): Found possible IPv4 address '192.168.2.38' in position 24; this doesn't match RFC3330's suggested 192.0.2.0/24 address range.
tmp/draft-ietf-radext-rfc4590bis-02.txt(1382): Found possible IPv4 address '192.168.2.38' in position 24; this doesn't match RFC3330's suggested 192.0.2.0/24 address range.
tmp/draft-ietf-radext-rfc4590bis-02.txt(1430): Found possible IPv4 address '192.168.2.38' in position 24; this doesn't match RFC3330's suggested 192.0.2.0/24 address range.


  Checking nits according to http://www.ietf.org/ID-Checklist.html:
  ----------------------------------------------------------------------------

  == There are 4 instances of lines with private range IPv4 addresses in the
    document.  If these are generic example addresses, they should be changed
    to use the 192.0.2.x range defined in RFC 3330.

[Ballot discuss]
This is a discuss discuss.

This document has basically only very trivial changes since the previous version. I would like to talk about the expense of doing errata this way and if we as the IESG are willing to have errata run though as complete revisions of the document.

I would prefer to see the changes in this document published as an errata.

[Ballot comment]
Might want to make sure IANA knows to update the RADIUS registry entries
for these parameters to refer to the new RFC when it's published.  The
IANA considerations section didn't say that explicitly.

I question whether RADIUS over IPsec will deploy as widely as HTTPS/SIPS
has.  This makes me wonder if IPsec is an adequate answer to protect
these exchanges, especially given a simple passive eavesdrop of H(A1)
leaves that user's account completely compromised in that realm.

[Note]: 'A revised version of non-normative Section 6 (Examples) will be provided in order to fix problems detected during the Last Call.' added by Dan Romascanu

IANA Lasst Call Comments:

This document asks IANA to make assignments that were
already made in RFC4590. Are there any changes requested
by this document?

PROTO Write-up

(1.a) Who is the Document Shepherd for this document? Has the Document
Shepherd personally reviewed this version of the document and, in
particular,
does he or she believe this version is ready for forwarding to the IESG for
publication?

Document Shepherd: Bernard Aboba
I have personally reviewed the document.

(1.b) Has the document had adequate review from both key WG members and
key non-WG members? Does the Document Shepherd have any concerns
about the depth or breadth of the reviews that have been performed?

Yes. This document has been through a WG last call.

(1.c) Does the Document Shepherd have concerns that the document needs
more review from a particular or broader perspective e.g., security,
operational
complexity, someone familiar with AAA, internationalization or XML?

This document includes some fixes to RFC 4590, which was discovered to
contain
IANA errors after publication. These problems were fixed along with a
few other errata. So this document has already received extensive review in
the relatively recent past.

(1.d) Does the Document Shepherd have any specific concerns or issues with
this document that the Responsible Area Director and/or the IESG should be
aware of?

For example, perhaps he or she is uncomfortable with certain parts of the
document, or has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated that it still
wishes to advance the document, detail those concerns here. Has an IPR
disclosure related to this document been filed? If so, please include a
reference to the disclosure and summarize the WG discussion and conclusion
on this issue.

No concerns.

(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with
it?

There is solid consensus behind this document, as there was behind
RFC 4590.

The issues raised and the resolutions are available for inspection at
http://www.drizzle.com/~aboba/RADEXT/

(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate email
messages to the

Responsible Area Director. (It should be in a separate email because this
questionnaire is entered into the ID Tracker.)

No.

(1.g) Has the Document Shepherd personally verified that the document
satisfies
all ID nits? (See http://www.ietf.org/ID-Checklist.html and
http://tools.ietf.org/tools/idnits/). Boilerplate checks are not enough;
this check needs to be thorough. Has the document met all formal review
criteria it needs to, such as the MIB Doctor, media type and URI type
reviews?

Yes. An output of the run on this revision of the ID by the online nits
checker:

idnits 2.04.05

tmp/draft-ietf-radext-rfc4590bis-01.txt:
tmp/draft-ietf-radext-rfc4590bis-01.txt(1132): Found possible

IPv4 address '3.2.2.2' in position 64; this doesn't match RFC3330's
suggested

192.0.2.0/24 address range.

[BA] 3.2.2.2 is a section header, not an address.

Checking boilerplate required by RFC 3978 and 3979, updated by RFC 4748:

----------------------------------------------------------------------------

No issues found here.

Checking nits according to http://www.ietf.org/ietf/1id-guidelines.txt:

----------------------------------------------------------------------------

** Missing expiration date. The document expiration date should appear on
the first and last page.

Checking nits according to http://www.ietf.org/ID-Checklist.html:

----------------------------------------------------------------------------

** There are 1 instance of lines with non-RFC3330-compliant IPv4 addresses
in the document. If these are example addresses, they should be changed.

[BA] They are not example addresses.

Miscellaneous warnings:

----------------------------------------------------------------------------

No issues found here.

Checking references for intended status: Proposed Standard

----------------------------------------------------------------------------

-- Looks like a reference, but probably isn't: '4' on line 1008
'0-1 0 0 1 0 24 State [4]...'

-- Looks like a reference, but probably isn't: '1' on line 1028
'0 0-1 0 0 0 121 Digest-HA1 [1][2]...'

-- Looks like a reference, but probably isn't: '2' on line 1028
'0 0-1 0 0 0 121 Digest-HA1 [1][2]...'

-- Looks like a reference, but probably isn't: '3' on line 1018
'0-1 0 0 0-1 0-1 111 Digest-Algorithm [3]...'

== Missing Reference: 'Note 1' is mentioned on line 1039, but not
defined
'[Note 1] Digest-HA1 MUST be used instead of Digest-Response-Auth...'

-- Possible downref: Undefined Non-RFC (?) reference : ref. 'Note 1'

== Missing Reference: 'Note 2' is mentioned on line 1042, but not
defined
'[Note 2] Digest-Response-Auth MUST be used instead of Digest-HA1...'

-- Possible downref: Undefined Non-RFC (?) reference : ref. 'Note 2'

== Missing Reference: 'Note 3' is mentioned on line 1045, but not
defined
'[Note 3] If Digest-Algorithm is missing, 'MD5' is assumed....'

-- Possible downref: Undefined Non-RFC (?) reference : ref. 'Note 3'

== Missing Reference: 'Note 4' is mentioned on line 1047, but not
defined
'[Note 4] An Access-Challenge MUST contain a State attribute, whic...'

-- Possible downref: Undefined Non-RFC (?) reference : ref. 'Note 4'

** Downref: Normative reference to an Informational RFC: RFC 3579

-- Obsolete informational reference (is this intentional?): RFC 2069
(Obsoleted by RFC 2617)

[BA] This is intentional.

Summary: 3 errors (**), 4 warnings (==), 9 comments (--).

(1.h) Has the document split its references into normative and informative?

Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the strategy for their completion? Are there
normative references that are

downward references, as described in [RFC3967]? If so, list these downward
references to support the Area Director in the Last Call procedure for them
[RFC3967].

The document splits normative and informative references.
There are no normative references to IDs.

(1.i) Has the Document Shepherd verified that the document IANA
consideration section exists and is consistent with the body of the
document? If the document specifies protocol extensions, are reservations
requested in appropriate IANA registries? Are the IANA registries clearly
identified? If the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation procedure for
future registrations? Does it suggest a reasonable name for the new
registry? See [RFC2434]. If the document describes an Expert

Review process has Shepherd conferred with the Responsible Area Director so
that the IESG can appoint the needed Expert during the IESG Evaluation?

I have verified that the IANA consideration exists and is consistent with
the
body of the document. The inconsistency in RFC 4590 was the reason why this
document needed to be produced.

(1.j) Has the Document Shepherd verified that sections of the document that
are written in a formal language, such as XML code, BNF rules, MIB
definitions,
etc., validate correctly in an automated checker?

This document does not contain sections written in a formal language.

(1.k) The IESG approval announcement includes a Document Announcement
Write-Up.

Please provide such a Document Announcement Write-Up? Recent examples can be
found in the "Action" announcements for approved documents. The approval
announcement contains the following sections:

- Technical Summary

This document defines an extension to the Remote Authentication Dial-
In User Service (RADIUS) protocol to enable support of Digest
Authentication, for use with HTTP-style protocols like the Session
Initiation Protocol (SIP) and HTTP.

- Working Group Summary

Working Group discussion largely centered on whether the issues
identified in RFC 4590 could be fixed via an errata or whether
a new RFC was required. Due to conflicts between the RFC 4590 text
and the parameters allocated by IANA, it was decided that a new
RFC would be needed, so as to avoid potential interoperability
problems.

- Document Quality

This document is needed to address a problem in the IANA allocations for
Digest Authentication as well as several errata that were found after the
publication of RFC 4590. At this point, we believe that RFC 4590bis
addresses
all issues raised since the publication of RFC 4590.

- Personnel

Bernard Aboba is the document shepherd. The responsible Area Director is
Dan Romascanu. No IANA expert is needed.