Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-attrib-06.txt
Leaf yeh <leaf.y.yeh@huawei.com> Mon, 08 October 2012 11:48 UTC
Return-Path: <leaf.y.yeh@huawei.com>
X-Original-To: aaa-doctors@ietfa.amsl.com
Delivered-To: aaa-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84BF121F8625 for <aaa-doctors@ietfa.amsl.com>; Mon, 8 Oct 2012 04:48:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.181
X-Spam-Level:
X-Spam-Status: No, score=-6.181 tagged_above=-999 required=5 tests=[AWL=-0.182, BAYES_00=-2.599, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YUXk1sGa1W6q for <aaa-doctors@ietfa.amsl.com>; Mon, 8 Oct 2012 04:48:42 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) by ietfa.amsl.com (Postfix) with ESMTP id BF13721F8620 for <aaa-doctors@ietf.org>; Mon, 8 Oct 2012 04:48:40 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml203-edg.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.5-GA FastPath queued) with ESMTP id ALK75288; Mon, 08 Oct 2012 11:48:40 +0000 (GMT)
Received: from LHREML403-HUB.china.huawei.com (10.201.5.217) by lhreml203-edg.huawei.com (172.18.7.221) with Microsoft SMTP Server (TLS) id 14.1.323.3; Mon, 8 Oct 2012 12:48:10 +0100
Received: from SZXEML405-HUB.china.huawei.com (10.82.67.60) by lhreml403-hub.china.huawei.com (10.201.5.217) with Microsoft SMTP Server (TLS) id 14.1.323.3; Mon, 8 Oct 2012 12:48:34 +0100
Received: from SZXEML546-MBX.china.huawei.com ([169.254.3.192]) by szxeml405-hub.china.huawei.com ([::1]) with mapi id 14.01.0323.003; Mon, 8 Oct 2012 19:48:28 +0800
From: Leaf yeh <leaf.y.yeh@huawei.com>
To: Alan DeKok <aland@deployingradius.com>, Bernard Aboba <bernard_aboba@hotmail.com>
Thread-Topic: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-attrib-06.txt
Thread-Index: AQHNoLPLuS2Ult0dNUCV/uJZ6N/lWJels/UAgAAhAYCACVYWYA==
Date: Mon, 08 Oct 2012 11:48:28 +0000
Message-ID: <E1CE3E6E6D4E1C438B0ADC9FFFA345EA3CE3703F@szxeml546-mbx.china.huawei.com>
References: <EAEA2FB5-3078-486D-9ECE-BEF8BFE70078@gmail.com> <BLU002-W224D3128D06805C30F22D4993860@phx.gbl> <506B3687.9050803@deployingradius.com>
In-Reply-To: <506B3687.9050803@deployingradius.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.66.83.152]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Cc: "aaa-doctors@ietf.org" <aaa-doctors@ietf.org>, "draft-ietf-softwire-6rd-radius-attrib@tools.ietf.org" <draft-ietf-softwire-6rd-radius-attrib@tools.ietf.org>, Ralph Droms <rdroms.ietf@gmail.com>
Subject: Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-attrib-06.txt
X-BeenThere: aaa-doctors@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: AAA Doctors E-mail List <aaa-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/aaa-doctors>, <mailto:aaa-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/aaa-doctors>
List-Post: <mailto:aaa-doctors@ietf.org>
List-Help: <mailto:aaa-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/aaa-doctors>, <mailto:aaa-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Oct 2012 11:48:43 -0000
a. Alan - <quote>The format of the IPv6-6rf-Configuration attribute is not ideal. This is OK, as the RADIUS extensions document has not been published... - make it clear that since the subtypes have values, they can appear in any order. e.g. subtype 1,2,3 is OK, but so is subtype order 2,3,1 and 3,2,1.</quote> I tend to suggest draft-ietf-softwire-6rd-radius-attrib-06 to adopt the data type of TLV newly defined in draft-ietf-radext-radius-extensions. b. draft-ietf-softwire-6rd-radius-attrib-06 - <quote> ... the Access-Request packet contains a Service-Type attribute with the value Authorize Only (17), thus according to [RFC5080] the Access-Request packet MUST contain a State attribute. </quote> Alan - <quote> There is no "user", and no credentials supplied for authentication. My reading is that State was added solely to satisfy portions of RFC 5080. I think it, and all references to 5080 should be removed from the draft. Since no user authentication is taking place, perhaps a better suggestion would be to allocate a new Service-Type, of IPv6-6rd-Configuration. The Access-Request could contain: Service-Type = IPv6-6rd-Configuration IPv6-6rd-Configuration = ... data ... RADIUS servers should be able to key off of the Service-Type to distinguish 6rd requests from all other RADIUS requests. They can then respond correctly, even though no user credentials are in the request. </quote> There is almost the same description in section 3 of RFC 6519. Quoted as follows: 'In the scenario depicted in Figure 2, the Access-Request packet contains a Service-Type attribute with the value Authorize Only (17); thus, according to [RFC5080], the Access-Request packet MUST contain a State attribute.' Is it an Errata here? c. IPv6-6rd-Configuration sounds not in the category of Service-Type (6) per the following records @ http://www.iana.org/assignments/radius-types/radius-types.xml. 1 Login 2 Framed 3 Callback Login 4 Callback Framed 5 Outbound 6 Administrative 7 NAS Prompt 8 Authenticate Only 9 Callback NAS Prompt 10 Call Check 11 Callback Administrative 12 Voice 13 Fax 14 Modem Relay 15 IAPP-Register 16 IAPP-AP-Check 17 Authorize Only [RFC3576] 18 Framed-Management Do we really find the suitable registry for the attribute of 6rd Configuration? d. How about replace the type name of this newly designed attribute to be '6rd-configuration'? Best Regards, Leaf -----Original Message----- From: aaa-doctors-bounces@ietf.org [mailto:aaa-doctors-bounces@ietf.org] On Behalf Of Alan DeKok Sent: Wednesday, October 03, 2012 2:47 AM To: Bernard Aboba Cc: aaa-doctors@ietf.org; draft-ietf-softwire-6rd-radius-attrib@tools.ietf.org; Ralph Droms Subject: Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-attrib-06.txt Bernard Aboba wrote: > I have some questions about this document. > > RFC 5080 Section 2.1.1 lays out the requirements for use of a State > attribute: ... > This requirement exists to ensure that a State attribute ties back to an > authenticated RADIUS session. The document references RFC 5080, and says: In the abovementioned scenario, the Access-Request packet contains a Service-Type attribute with the value Authorize Only (17), thus according to [RFC5080] the Access-Request packet MUST contain a State attribute. They seem to have missed the paragraph you quoted. It is immediately above the paragraph requiring State for Authorize Only. > This diagram neither indicates that the RADIUS Access-Request/Accept > sequence is authenticated, nor does it show any previous previous > authenticated RADIUS interaction. It therefore appears to violate the > RFC 5080 requirement. The document repeatedly refers to "authentication", where no authentication is taking place: ... A 6rd configuration request may also be sent in the same message. If the user authentication is approved by the AAA server, There is no "user", and no credentials supplied for authentication. My reading is that State was added solely to satisfy portions of RFC 5080. I think it, and all references to 5080 should be removed from the draft. Since no user authentication is taking place, perhaps a better suggestion would be to allocate a new Service-Type, of IPv6-6rd-Configuration. The Access-Request could contain: Service-Type = IPv6-6rd-Configuration IPv6-6rd-Configuration = ... data ... RADIUS servers should be able to key off of the Service-Type to distinguish 6rd requests from all other RADIUS requests. They can then respond correctly, even though no user credentials are in the request. The draft should also replace the four references to "authentication" on page 4 with "authorization". The format of the IPv6-6rf-Configuration attribute is not ideal. This is OK, as the RADIUS extensions document has not been published. The only suggestions I would have are: - make the IPv4MaskLen field 32 bits long. RFC 6158 Section A.2.1 has this text forbidding 8-bit fields: * Unsigned integers of size other than 32 bits. SHOULD be replaced by an unsigned integer of 32 bits. There is insufficient justification to define a new size of integer. - make it clear that since the subtypes have values, they can appear in any order. e.g. subtype 1,2,3 is OK, but so is subtype order 2,3,1 and 3,2,1. - if new subtypes are envisioned, then an IANA registry for subtypes should be allocated, subject to expert review, or IETF consensus Alan DeKok. _______________________________________________ AAA-DOCTORS mailing list AAA-DOCTORS@ietf.org https://www.ietf.org/mailman/listinfo/aaa-doctors
- [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-attr… Ralph Droms
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Bernard Aboba
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Alan DeKok
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Ralph Droms
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Sheng Jiang
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Leaf yeh
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Alan DeKok
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Benoit Claise
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Bernard Aboba
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Alan DeKok
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Dave Nelson
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Benoit Claise
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Bernard Aboba
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Joseph Salowey (jsalowey)
- Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-… Glen Zorn