Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-attrib-06.txt
Ralph Droms <rdroms.ietf@gmail.com> Tue, 02 October 2012 20:24 UTC
Return-Path: <rdroms.ietf@gmail.com>
X-Original-To: aaa-doctors@ietfa.amsl.com
Delivered-To: aaa-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94A9B21F85BB for <aaa-doctors@ietfa.amsl.com>; Tue, 2 Oct 2012 13:24:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.999
X-Spam-Level:
X-Spam-Status: No, score=-102.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7uM8d3Ueef8 for <aaa-doctors@ietfa.amsl.com>; Tue, 2 Oct 2012 13:24:34 -0700 (PDT)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id BB82221F849D for <aaa-doctors@ietf.org>; Tue, 2 Oct 2012 13:24:34 -0700 (PDT)
Received: by mail-qa0-f44.google.com with SMTP id 25so1055972qao.10 for <aaa-doctors@ietf.org>; Tue, 02 Oct 2012 13:24:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=3rJDO5vFmrq0NzHUl7E02FDdzdMeBhp0JGE4XsR8Tz0=; b=uM4Oj6/ratNOYlEDoa0bygXvt4OOL6ozE2hoKIeHGaH691edEI7yA3/ywlI4+MrfYN PHQZTJ4CTT/kZ/ztPj+EhphFAUyMRGOOCrNH8CmmzedZ+olKhutdWJQ9NIHupS6OQLrC 3ytTREON7gikVvje7r0BZx3s8jQVGvbTT9fCNvUJQBUj5S8D5vbWxeLjgzCTV3bSEhrN zTgFugeVe1HXz+Ji3DKtSqLeWATNDWDuqocETp8jQ5Qwl6nJNbvxgcAXU3jrUYOWg+Xn nbw0t+gd9Y6SWP9+KjI8hwdi0TnxTo9er6RGw8VrZMvAJ2Bhaf4hfY2IpLHu3w2sHxkd nFrA==
Received: by 10.49.71.77 with SMTP id s13mr7545976qeu.17.1349209474208; Tue, 02 Oct 2012 13:24:34 -0700 (PDT)
Received: from rtp-rdroms-8919.cisco.com (rtp-isp-nat1.cisco.com. [64.102.254.33]) by mx.google.com with ESMTPS id ca8sm2307425qab.20.2012.10.02.13.24.31 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 02 Oct 2012 13:24:33 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="iso-8859-1"
From: Ralph Droms <rdroms.ietf@gmail.com>
In-Reply-To: <506B3687.9050803@deployingradius.com>
Date: Tue, 02 Oct 2012 16:24:29 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <B09C0D9F-5FCA-4732-9F5A-2E8DE2B78556@gmail.com>
References: <EAEA2FB5-3078-486D-9ECE-BEF8BFE70078@gmail.com> <BLU002-W224D3128D06805C30F22D4993860@phx.gbl> <506B3687.9050803@deployingradius.com>
To: draft-ietf-softwire-6rd-radius-attrib@tools.ietf.org
X-Mailer: Apple Mail (2.1283)
Cc: aaa-doctors@ietf.org, Softwire Chairs <softwire-chairs@tools.ietf.org>, Alan DeKok <aland@deployingradius.com>
Subject: Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-attrib-06.txt
X-BeenThere: aaa-doctors@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: AAA Doctors E-mail List <aaa-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/aaa-doctors>, <mailto:aaa-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/aaa-doctors>
List-Post: <mailto:aaa-doctors@ietf.org>
List-Help: <mailto:aaa-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/aaa-doctors>, <mailto:aaa-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Oct 2012 20:24:35 -0000
Bernard, Alan - thanks for your feedback on draft-ietf-softwire-6rd-radius-attrib-06 Authors - please review this feedback and revise your document appropriately. Once the aaa-doctors are satisfied with the revisions, I'll proceed with IETF last call and IESG review. - Ralph On Oct 2, 2012, at 2:46 PM 10/2/12, Alan DeKok wrote: > Bernard Aboba wrote: >> I have some questions about this document. >> >> RFC 5080 Section 2.1.1 lays out the requirements for use of a State >> attribute: > ... >> This requirement exists to ensure that a State attribute ties back to an >> authenticated RADIUS session. > > The document references RFC 5080, and says: > > In the abovementioned scenario, the Access-Request packet contains a > Service-Type attribute with the value Authorize Only (17), thus > according to [RFC5080] the Access-Request packet MUST contain a State > attribute. > > They seem to have missed the paragraph you quoted. It is immediately > above the paragraph requiring State for Authorize Only. > >> This diagram neither indicates that the RADIUS Access-Request/Accept >> sequence is authenticated, nor does it show any previous previous >> authenticated RADIUS interaction. It therefore appears to violate the >> RFC 5080 requirement. > > The document repeatedly refers to "authentication", where no > authentication is taking place: > > ... A 6rd configuration request may > also be sent in the same message. If the user authentication is > approved by the AAA server, > > There is no "user", and no credentials supplied for authentication. > > My reading is that State was added solely to satisfy portions of RFC > 5080. I think it, and all references to 5080 should be removed from the > draft. > > Since no user authentication is taking place, perhaps a better > suggestion would be to allocate a new Service-Type, of > IPv6-6rd-Configuration. The Access-Request could contain: > > Service-Type = IPv6-6rd-Configuration > IPv6-6rd-Configuration = ... data ... > > RADIUS servers should be able to key off of the Service-Type to > distinguish 6rd requests from all other RADIUS requests. They can then > respond correctly, even though no user credentials are in the request. > > The draft should also replace the four references to "authentication" > on page 4 with "authorization". > > The format of the IPv6-6rf-Configuration attribute is not ideal. This > is OK, as the RADIUS extensions document has not been published. The > only suggestions I would have are: > > - make the IPv4MaskLen field 32 bits long. RFC 6158 Section A.2.1 has > this text forbidding 8-bit fields: > > * Unsigned integers of size other than 32 bits. > SHOULD be replaced by an unsigned integer of 32 bits. There is > insufficient justification to define a new size of integer. > > - make it clear that since the subtypes have values, they can appear in > any order. e.g. subtype 1,2,3 is OK, but so is subtype order 2,3,1 and > 3,2,1. > > - if new subtypes are envisioned, then an IANA registry for subtypes > should be allocated, subject to expert review, or IETF consensus > > Alan DeKok.
- [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-attr… Ralph Droms
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Bernard Aboba
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Alan DeKok
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Ralph Droms
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Sheng Jiang
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Leaf yeh
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Alan DeKok
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Benoit Claise
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Bernard Aboba
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Alan DeKok
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Dave Nelson
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Benoit Claise
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Bernard Aboba
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Joseph Salowey (jsalowey)
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Glen Zorn