IETF Logo Mail Archive

Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-attrib-06.txt

Alan DeKok <aland@deployingradius.com> Tue, 02 October 2012 18:46 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: aaa-doctors@ietfa.amsl.com
Delivered-To: aaa-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 412CB21F8585 for <aaa-doctors@ietfa.amsl.com>; Tue, 2 Oct 2012 11:46:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.999
X-Spam-Level:
X-Spam-Status: No, score=-101.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_37=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 61K9MbhfmNPH for <aaa-doctors@ietfa.amsl.com>; Tue, 2 Oct 2012 11:46:57 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 47CEE21F8574 for <aaa-doctors@ietf.org>; Tue, 2 Oct 2012 11:46:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 6EF6A2240E49; Tue, 2 Oct 2012 20:46:22 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uj5Le42mYsFo; Tue, 2 Oct 2012 20:46:20 +0200 (CEST)
Received: from Thor.local (37-8-182-23.coucou-networks.fr [37.8.182.23]) by power.freeradius.org (Postfix) with ESMTPSA id 78F2622406BD; Tue, 2 Oct 2012 20:46:19 +0200 (CEST)
Message-ID: <506B3687.9050803@deployingradius.com>
Date: Tue, 02 Oct 2012 20:46:31 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Bernard Aboba <bernard_aboba@hotmail.com>
References: <EAEA2FB5-3078-486D-9ECE-BEF8BFE70078@gmail.com> <BLU002-W224D3128D06805C30F22D4993860@phx.gbl>
In-Reply-To: <BLU002-W224D3128D06805C30F22D4993860@phx.gbl>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Tue, 02 Oct 2012 12:02:31 -0700
Cc: "aaa-doctors@ietf.org" <aaa-doctors@ietf.org>, draft-ietf-softwire-6rd-radius-attrib@tools.ietf.org, Ralph Droms <rdroms.ietf@gmail.com>
Subject: Re: [AAA-DOCTORS] draft-ietf-softwire-6rd-radius-attrib-06.txt
X-BeenThere: aaa-doctors@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: AAA Doctors E-mail List <aaa-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/aaa-doctors>, <mailto:aaa-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/aaa-doctors>
List-Post: <mailto:aaa-doctors@ietf.org>
List-Help: <mailto:aaa-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/aaa-doctors>, <mailto:aaa-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Oct 2012 18:46:58 -0000

Bernard Aboba wrote:
> I have some questions about this document.
> 
> RFC 5080 Section 2.1.1 lays out the requirements for use of a State
> attribute:
...
> This requirement exists to ensure that a State attribute ties back to an
> authenticated RADIUS session. 

  The document references RFC 5080, and says:

   In the abovementioned scenario, the Access-Request packet contains a
   Service-Type attribute with the value Authorize Only (17), thus
   according to [RFC5080] the Access-Request packet MUST contain a State
   attribute.

  They seem to have missed the paragraph you quoted.  It is immediately
above the paragraph requiring State for Authorize Only.

> This diagram neither indicates that the RADIUS Access-Request/Accept
> sequence is authenticated, nor does it show any previous previous
> authenticated RADIUS interaction.   It therefore appears to violate the
> RFC 5080 requirement.

  The document repeatedly refers to "authentication", where no
authentication is taking place:

   ... A 6rd configuration request may
   also be sent in the same message. If the user authentication is
   approved by the AAA server,

  There is no "user", and no credentials supplied for authentication.

  My reading is that State was added solely to satisfy portions of RFC
5080.  I think it, and all references to 5080 should be removed from the
draft.

  Since no user authentication is taking place, perhaps a better
suggestion would be to allocate a new Service-Type, of
IPv6-6rd-Configuration.  The Access-Request could contain:

	Service-Type = IPv6-6rd-Configuration
	IPv6-6rd-Configuration = ... data ...

  RADIUS servers should be able to key off of the Service-Type to
distinguish 6rd requests from all other RADIUS requests.  They can then
respond correctly, even though no user credentials are in the request.

  The draft should also replace the four references to "authentication"
on page 4 with "authorization".

  The format of the IPv6-6rf-Configuration attribute is not ideal.  This
is OK, as the RADIUS extensions document has not been published.  The
only suggestions I would have are:

- make the IPv4MaskLen field 32 bits long.  RFC 6158 Section A.2.1 has
this text forbidding 8-bit fields:

      * Unsigned integers of size other than 32 bits.
        SHOULD be replaced by an unsigned integer of 32 bits.  There is
        insufficient justification to define a new size of integer.

- make it clear that since the subtypes have values, they can appear in
any order.  e.g. subtype 1,2,3 is OK, but so is subtype order 2,3,1 and
3,2,1.

- if new subtypes are envisioned, then an IANA registry for subtypes
should be allocated, subject to expert review, or IETF consensus

  Alan DeKok.

v2.23.0 | Report a Bug | By Email