Re: [dhcwg] I-D Action: draft-boucadair-dhcwg-rfc4014-update-00.txt

mohamed.boucadair@orange.com Thu, 20 October 2022 07:59 UTC

From: mohamed.boucadair@orange.com
To: Alan DeKok <aland@deployingradius.com>
CC: "dhcwg@ietf.org" <dhcwg@ietf.org>
Date: Thu, 20 Oct 2022 07:59:45 +0000
Message-ID: <30357_1666252785_6350FFF1_30357_120_5_d13dddbb5b63427ea2a520106ed68d28@orange.com>
References: <166600727234.23935.1660471028632089675@ietfa.amsl.com> <11412_1666009014_634D47B6_11412_272_2_528bd3b9da81447a9b2a4ebdfec01d05@orange.com> <50F00ADA-A65A-49BF-84BA-91664676636C@deployingradius.com> <17695_1666011175_634D5026_17695_93_1_e29e439685d941e585f87709fbba3c93@orange.com> <C8340E9F-9A56-47F9-8F95-33E5B4AC719F@deployingradius.com>
In-Reply-To: <C8340E9F-9A56-47F9-8F95-33E5B4AC719F@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/1WHOO51T7qsw5wMLB6GVN4sfWdI>

Hi Alan, 

Please see inline. 

Cheers,
Med

> -----Original Message-----
> From: Alan DeKok <aland@deployingradius.com>
> Sent: Wednesday, 19 October 2022 15:43
> To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
> Cc: dhcwg@ietf.org
> Subject: Re: [dhcwg] I-D Action: draft-boucadair-dhcwg-rfc4014-update-00.txt
> 
> On Oct 17, 2022, at 8:52 AM, mohamed.boucadair@orange.com wrote:
> > [Med] This is equivalent to implementations such as:
> > https://www.juniper.net/documentation/us/en/software/junos/subscriber-mgmt-sessions/topics/topic-map/dhcp-options-radius-server.html
> 
>   Yes.  There are a few other vendors doing the same thing.
> 
>   So if it's useful... it should be standardized.
> 
> >>  I think it may be best to forbid DHCPv4-Options from being carried
> >> inside of the RADIUS Attributes Sub-option.
> >
> > [Med] If we forbid this, how can a relay agent then relay, e.g., the
> > encrypted DNS information received from a RADIUS server to a DHCP
> > server? This is not an RSOO, but RADIUS data.
> 
>   Hmm... true.
> 
>   Maybe just add a note saying that nesting things twice is a bad
> idea?

[Med] The nesting will be experienced only when a relay interacts with a RADIUS server, which is a deployment choice. Note that nesting can already be present with multiple layers of relays (with or without RSOOs). We already have two guards to control which options can be enclosed (the IANA registration with an Expert review + a local policy) and make sure the feature is used when justified. I think that's already sufficient. 

> 
>   i.e. RADIUS packets with DHCP-Options and then RADIUS attributes
> inside of that is NOT RECOMMENDED
> 
>    and DHCP packets with RADIUS attributes and the DHCP-Options
> inside of that is NOT RECOMMENDED
> 
>   Alan DeKok.
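As an added illustration of the "local policy" guard Med refers to (this is not code from the draft, from RFC 4014, or from anyone on this thread): a relay-side check that parses the RADIUS Attributes Sub-option (sub-option 1 of option 82), applies an allowlist built from the attribute list in RFC 4014 Section 3, and flags attribute types that would themselves carry DHCP options, i.e. the double nesting Alan describes. CARRIER_ATTRS (type 200) is a hypothetical placeholder from the experimental range, and all sample values are constructed.

```python
# RFC 4014, Section 3: the RADIUS attributes a relay may place in sub-option 1.
RFC4014_ALLOWED = {1: "User-Name", 6: "Service-Type", 25: "Class",
                   26: "Vendor-Specific", 27: "Session-Timeout",
                   88: "Framed-Pool", 100: "Framed-IPv6-Pool"}
# Hypothetical placeholder (experimental range, not an IANA assignment):
# attribute types whose value is itself a blob of DHCP options.
CARRIER_ATTRS = {200}
RADIUS_ATTRS_SUBOPT = 1  # sub-option code inside option 82 (RFC 4014)

def parse_suboptions(opt82: bytes):
    """Yield (code, value) pairs from a Relay Agent Information payload."""
    i = 0
    while i + 2 <= len(opt82):
        code, length = opt82[i], opt82[i + 1]
        value = opt82[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option %d" % code)
        yield code, value
        i += 2 + length

def parse_radius_attrs(blob: bytes):
    """Yield (type, value) from concatenated RADIUS attribute TLVs."""
    i = 0
    while i < len(blob):
        # RADIUS length counts the 2-byte header, so it is never below 2
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("bad RADIUS attribute at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        yield atype, blob[i + 2:i + alen]
        i += alen

def check_policy(opt82: bytes, allowed=frozenset(RFC4014_ALLOWED)):
    """Split the enclosed RADIUS attributes into (accepted, rejected)."""
    accepted, rejected = [], []
    for code, value in parse_suboptions(opt82):
        if code != RADIUS_ATTRS_SUBOPT:
            continue  # Circuit-ID and other sub-options are not policed here
        for atype, avalue in parse_radius_attrs(value):
            if atype in CARRIER_ATTRS:
                rejected.append((atype, "nested DHCP options"))
            elif atype not in allowed:
                rejected.append((atype, "not in local policy"))
            else:
                accepted.append((atype, avalue))
    return accepted, rejected

def build(attrs):
    """Encode (type, value) pairs as a RADIUS Attributes Sub-option."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return bytes([RADIUS_ATTRS_SUBOPT, len(body)]) + body
```

Passing a narrower `allowed` set to `check_policy` is the operator's local policy; the malformed-length checks matter because the sub-option is parsed by the DHCP server, not by the RADIUS client that built it.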
