[AAA-DOCTORS] Dan Romascanu's Discuss on draft-ietf-softwire-dslite-radius-ext-05: (with DISCUSS and COMMENT)

Dan Romascanu <dromasca@avaya.com> Thu, 11 August 2011 09:15 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Dan Romascanu <dromasca@avaya.com>
To: The IESG <iesg@ietf.org>
Message-ID: <20110811091538.14186.92185.idtracker@ietfa.amsl.com>
Date: Thu, 11 Aug 2011 02:15:38 -0700
Cc: aaa-doctors@ietf.org, draft-ietf-softwire-dslite-radius-ext@tools.ietf.org, softwire-chairs@tools.ietf.org
Subject: [AAA-DOCTORS] Dan Romascanu's Discuss on draft-ietf-softwire-dslite-radius-ext-05: (with DISCUSS and COMMENT)
Precedence: list

Dan Romascanu has entered the following ballot position for
draft-ietf-softwire-dslite-radius-ext-05: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Slightly edited version. Please use this one.

The DISCUSS and COMMENT is in part based on the reviews and discussions on the AAA-Doctors list.

1. Figure 2 shows a RADIUS exchange with no NAS present, or user authentication occurring.

As noted in RFC 5080 Section 2.1.1 describes the requirements for authorization-only Access-Requests:
Access-Request packets that contain a Service-Type attribute with the
value Authorize Only (17) MUST contain a State attribute. Access-
Request packets that contain a Service-Type attribute with value Call
Check (10) SHOULD NOT contain a State attribute. Any other Access-
Request packet that performs authorization checks MUST contain a
State attribute. This last requirement often means that an Access-
Accept needs to contain a State attribute, which can then be used in
a later Access-Request that performs authorization checks.

The document does not describe the contents of the Access-Request in enough detail to understand whether it is compliant with RFC 5080, 2865 or other RADIUS protocol documents. So either this is a protocol violation, or the exchange described is under-specified.

2. RFC 5176 requires that session identification attributes not be used to request authorization changes. I am not clear whether the DSLITE-Tunnel-Name Attribute would be classified as a session identification attribute, but RFC 5176 does classify other IPv6-related configuration attributes (e.g. Framed-IPv6-Prefix) as session-identification attributes which cannot be changed by CoA-Request packets. The reasoning is that changing a host's address without notifying the host is a bad idea, so that it is better to notify the host first then initiate another Access-Request/Accept sequence than to send a CoA-Request.
(Note 1) Where NAS or session identification attributes are included
in Disconnect-Request or CoA-Request packets, they are used for
identification purposes only. These attributes MUST NOT be used for
purposes other than identification (e.g., within CoA-Request packets
to request authorization changes).

3. Section 4.1 describes a NAS sending an Access-Accept to a RADIUS server. Either this is a typo (e.g. it should say Access-Request) or the authors are making a major change to the RADIUS protocol:
This attribute MAY be used in Access-Accept packets as a hint to the
RADIUS server; for example if the NAS is pre-configured with a
default tunnel name, this name MAY be inserted in the attribute. The
RADIUS server MAY ignore the hint sent by the NAS and it MAY assign a
different AFTR tunnel name.

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

1. The use of kewords in section 3 seems inconsistent. Why are the 'may' and 'shall' in the second paragraph of the section non-capitalized, while in the rest of the section the keywords are capitalized.

> This list may also contain the AFTR Tunnel Name. When
the NAS receives a DHCPv6 client request containing the DS-Lite
tunnel Option, the NAS shall use the name returned in the RADIUS DS-
Lite-Tunnel-Name attribute to populate the DHCPv6 OPTION_AFTR_NAME
option in the DHCPv6 reply message.

2. I support item #2 in David's DISCUSS about the need to document the operational considerations of the NAS configuration and device configuration changes.

3. Two of the AAA-Doctors made in early reviews the comment that it was not clear why the authors needed a new AVP when the RADIUS tunnel attributes (RFC2868) could probably be reused here. One of them even proposed an alternative based on RFC2868 but authors argued that their approach was better… that may be true, but it would have been good to document the decision and explain why the alternative was rejected.

[AAA-DOCTORS] Dan Romascanu's Discuss on draft-ie… Dan Romascanu
[AAA-DOCTORS] Dan Romascanu's Discuss on draft-ie… Dan Romascanu
Re: [AAA-DOCTORS] Dan Romascanu's Discuss on draf… Maglione Roberta
Re: [AAA-DOCTORS] Dan Romascanu's Discuss on draf… Romascanu, Dan (Dan)
[AAA-DOCTORS] Dan Romascanu's Discuss on draft-ie… Dan Romascanu
Re: [AAA-DOCTORS] Dan Romascanu's Discuss on draf… Maglione Roberta