Re: [AAA-DOCTORS] draft-ietf-softwire-dslite-radius-ext-04
Bernard Aboba <bernard_aboba@hotmail.com> Mon, 08 August 2011 18:11 UTC
Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: aaa-doctors@ietfa.amsl.com
Delivered-To: aaa-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7F1221F86DC for <aaa-doctors@ietfa.amsl.com>; Mon, 8 Aug 2011 11:11:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.598
X-Spam-Level:
X-Spam-Status: No, score=-102.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IpDdf4uR87AC for <aaa-doctors@ietfa.amsl.com>; Mon, 8 Aug 2011 11:11:04 -0700 (PDT)
Received: from blu0-omc2-s10.blu0.hotmail.com (blu0-omc2-s10.blu0.hotmail.com [65.55.111.85]) by ietfa.amsl.com (Postfix) with ESMTP id 9CA8721F8B56 for <aaa-doctors@ietf.org>; Mon, 8 Aug 2011 11:11:04 -0700 (PDT)
Received: from BLU152-W14 ([65.55.111.73]) by blu0-omc2-s10.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 8 Aug 2011 11:11:14 -0700
Message-ID: <BLU152-W14989537DB380BB627E08B93210@phx.gbl>
Content-Type: multipart/alternative; boundary="_80c2c2e9-9a72-4122-b7a9-102276b1c920_"
X-Originating-IP: [131.107.160.34]
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: aland@freeradius.org, "dromasca@avaya.com" <dromasca@avaya.com>
Date: Mon, 08 Aug 2011 11:11:13 -0700
Importance: Normal
In-Reply-To: <4E3FF818.5070606@freeradius.org>
References: <EDC652A26FB23C4EB6384A4584434A04037753CB@307622ANEX5.global.avaya.com>, <4E3FF818.5070606@freeradius.org>
MIME-Version: 1.0
X-OriginalArrivalTime: 08 Aug 2011 18:11:14.0531 (UTC) FILETIME=[8F889330:01CC55F6]
Cc: aaa-doctors@ietf.org
Subject: Re: [AAA-DOCTORS] draft-ietf-softwire-dslite-radius-ext-04
X-BeenThere: aaa-doctors@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: AAA Doctors E-mail List <aaa-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/aaa-doctors>, <mailto:aaa-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/aaa-doctors>
List-Post: <mailto:aaa-doctors@ietf.org>
List-Help: <mailto:aaa-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/aaa-doctors>, <mailto:aaa-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2011 18:11:06 -0000
I found a few other issues beyond those Alan mentions below. Figure 2 shows a RADIUS exchange with no NAS present, or user authentication occurring. As noted in RFC 5080 Section 2.1.1 describes the requirements for authorization-only Access-Requests: Access-Request packets that contain a Service-Type attribute with the value Authorize Only (17) MUST contain a State attribute. Access- Request packets that contain a Service-Type attribute with value Call Check (10) SHOULD NOT contain a State attribute. Any other Access- Request packet that performs authorization checks MUST contain a State attribute. This last requirement often means that an Access- Accept needs to contain a State attribute, which can then be used in a later Access-Request that performs authorization checks. The document does not describe the contents of the Access-Request in enough detail to understand whether it is compliant with RFC 5080, 2865 or other RADIUS protocol documents. So either this is a protocol violation, or the exchange described is under-specified. Section 4.1 describes a NAS sending an Access-Accept to a RADIUS server. Either this is a typo (e.g. it should say Access-Request) or the authors are making a major change to the RADIUS protocol: This attribute MAY be used in Access-Accept packets as a hint to the RADIUS server; for example if the NAS is pre-configured with a default tunnel name, this name MAY be inserted in the attribute. The RADIUS server MAY ignore the hint sent by the NAS and it MAY assign a different AFTR tunnel name. > Date: Mon, 8 Aug 2011 10:52:08 -0400 > From: aland@freeradius.org > To: dromasca@avaya.com > CC: aaa-doctors@ietf.org > Subject: Re: [AAA-DOCTORS] draft-ietf-softwire-dslite-radius-ext-04 > > Romascanu, Dan (Dan) wrote: > > Hi AAA Doctors, > > > > Did any of you review this document? > > I have minor nit-picks on the format. The discussion of > type/length/value at the top of page 9 doesn't follow the traditional > RADIUS format. It's minor, but still.. > > On a related note, there's been a surge of interest recently in adding > DHCP attributes to RADIUS. I registered a PEC a while back to address > the issue. I created a vendor-specific dictionary for RADIUS, which is > intended to carry DHCP options: > > https://github.com/alandekok/freeradius-server/blob/master/share/dictionary.freedhcp > > The intention is that VSAs with PEC of 34673 are duplicates of the > IANA allocation DHCP options. > > Using this would solve a few issues. The IETF standard RADIUS space > would feel less pressure, as the VSAs could be used. All of the other > vendors "ad hoc" ways of carrying DHCP options in RADIUS could be > replaced by using this dictionary. > > If people think it's worth-while, I can submit an individual draft > documenting this practice. It may not help for this document, but it > will help for future documents. > > Alan DeKok. > > _______________________________________________ > AAA-DOCTORS mailing list > AAA-DOCTORS@ietf.org > https://www.ietf.org/mailman/listinfo/aaa-doctors
- [AAA-DOCTORS] draft-ietf-softwire-dslite-radius-e… Romascanu, Dan (Dan)
- Re: [AAA-DOCTORS] draft-ietf-softwire-dslite-radi… Mark Jones
- Re: [AAA-DOCTORS] draft-ietf-softwire-dslite-radi… Alan T DeKok
- Re: [AAA-DOCTORS] draft-ietf-softwire-dslite-radi… Bernard Aboba
- Re: [AAA-DOCTORS] draft-ietf-softwire-dslite-radi… Bernard Aboba
- Re: [AAA-DOCTORS] draft-ietf-softwire-dslite-radi… lionel.morand