Re: [Dime] WG adoption call for draft-zorn-dime-rfc4005bis-01
Stefan Winter <stefan.winter@restena.lu> Mon, 16 August 2010 09:52 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C3F353A681B for <dime@core3.amsl.com>; Mon, 16 Aug 2010 02:52:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.994
X-Spam-Level:
X-Spam-Status: No, score=-1.994 tagged_above=-999 required=5 tests=[AWL=0.005, BAYES_00=-2.599, J_CHICKENPOX_32=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6f2Xmz0DfZ1p for <dime@core3.amsl.com>; Mon, 16 Aug 2010 02:52:11 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by core3.amsl.com (Postfix) with ESMTP id ECE4A3A681F for <dime@ietf.org>; Mon, 16 Aug 2010 02:52:10 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 4832210586; Mon, 16 Aug 2010 11:52:46 +0200 (CEST)
Received: from [IPv6:2001:a18:1:8::155] (unknown [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 242E710584; Mon, 16 Aug 2010 11:52:46 +0200 (CEST)
Message-ID: <4C690A6D.3010903@restena.lu>
Date: Mon, 16 Aug 2010 11:52:45 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.2.8) Gecko/20100802 Lightning/1.0b2 Thunderbird/3.1.2
MIME-Version: 1.0
To: Glen Zorn <gwz@net-zen.net>
References: <A0A5F8D2-62B7-40BF-A9C2-8ED231D6323E@gmail.com> <4C5A5F2D.20508@nict.go.jp> <001c01cb346e$d7f9a460$87eced20$@net> <4C5A6DA9.30309@nict.go.jp> <003201cb347a$0fb844a0$2f28cde0$@net> <4C650C71.9020000@restena.lu> <000e01cb3c5d$7b8d1620$72a74260$@net>
In-Reply-To: <000e01cb3c5d$7b8d1620$72a74260$@net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV
Cc: dime@ietf.org
Subject: Re: [Dime] WG adoption call for draft-zorn-dime-rfc4005bis-01
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Aug 2010 09:52:13 -0000
Hi, > I see. Where did the actually usable implementation of RADIUS over TCP come > from? That's a good question. Back in the day, I thought we might have been the trigger for the Radiator guys (since the prototype system existed before I joined the club), but after all I heard, it wasn't us. There were apparently actual clients requesting that feature. It did fit quite nicely into our requirements, though, and that's why we picked it up. >> More for the record: the first eduroam prototype was online June 2003; >> RFC3588 dates September 2003. Your definition of "long before" violates >> temporal continuity. > Of course, my mistake for not realizing that initial prototype == published > RFC. This has nothing to do with published RFCs. You said "Diameter existed long before EDUROAM " and I pointed out that you are wrong. Deployers of IETF standards don't usually have to announce themselves by writing an RFC describing their deployment, so I'm completely lost why you are talking of a "published RFC" here. >> If the end auth server is a pure RADIUS server, someone else has >> to do it for him. > Why (& how) would a Diameter message be delivered to a pure RADIUS server? That's the point: if one realm in the consortium only speaks RADIUS and some other device has wrapped RADIUS into Diameter with RADIA, then there needs to be another RADIA-supporting Diameter server somewhere in the path to do the unwrapping. Of course not the Diameter message needs to be delivered, but only the contents of the Radius-Message AVP, unwrapped and transformed into plain RADIUS. > The only element relevant to authentication/authorization in a RADIA message > is the encapsulated RADIUS message; any other Diameter AVPs that may be > present are only for transport purposes. There's a " * [ AVP ] " in the command definition of Radia-Req and -Answer. I had the impression that this enables one to send non-transport-related content. I may be wrong with that; am I? >> Even if unwrapping works, >> what if a (Diameter) auth server crafts a (Diameter) answer, with >> untranslatable attributes which can never be translated back to a RADIUS >> NAS? > Then the Diameter server in question is broken; nevertheless, what happens > if a NASREQ app server does the same thing today? Why would the Diameter server in question be broken? RFC4005 mentions that it is well possible that a Diameter crafts messages with untranslatable attributes. That's not brokenness; it is just something that might happen. The RFCs answer for oversized attributes, for example (which also answers your own question, above, is: "a Result-Code of DIAMETER_INVALID_AVP_LENGTH should be returned." >> If forwarded along multiple proxies, the wrapping entity would need >> signalling on whether there will be an entity along the line to unwrap >> the message at all. If there is none, the tunnel has no other end. >> Signalling of this along multiple hops is unspecified in your draft, if >> I'm not mistaken. > Because it's unnecessary; if there is no RADIA app server in the destination > realm, a standard "undeliverable message" error must be returned. That > point should be made in the draft. Into what does this error message get translated to the originating RADIUS NAS? I would guess into an Access-Reject? With a Reply-Message containing some hint that it wasn't actually the user's fault? Or a new RADIUS attribute to convey the error condition? Or should it just be silently discarded? Difficult to say if the draft doesn't specify any handling for such error conditions. >> I don't think your draft has answers to these questions. >> >> Anyway, the tunneling requires both ends of the tunnel to understand >> RADIUS. It is thus not a transition mechanism. > OK. How, then, is RFC 4005 (one-way) translation a transition mechanism? It is not. As I wrote earlier, the much more honest answer to the transition question is "It's not possible." > As I have pointed out many times, the end NASREQ server must understand how > to respond to the request in a translatable way That's not what RFC4005 says. In the above-quoted section 9.5 it is acknowledged that untranslatable attributes can occur. There is no "must understand how to respond to the request in a translatable way"in the RFC. If there were, it would be easier to build a deterministic transition path with it. In it's current state, the answer "it will often work, but sometimes it just won't" is not a satisfactory answer. Funny, 4005bis could have been used to make such a point; but instead, now the content gets purged in its entirety. But I'm happy either way. >> It's an alternative >> transport. And a not very useful one, IMHO. I acknowledge your point >> that there are apparently some organisations which have hardwired the >> use of Diameter in their specs, while actually wanting to speak RADIUS >> on some paths, and for these organisations, RADIUS disguised as Diameter >> is a tool they might need. > & is precisely what RADIA supplies, but w/o the overhead of "translation". And it may very well be good for this particular and narrow purpose. The Abstract and Intro make much higher and undue promises to the reader though. How about calling this "transporting RADIUS messages over Diameter routing". >> Your point "noone ever transitioned" is true; but for reasons of lack of >> options to do so. It's not exactly fair to blame the RFC for it. FWIW, >> if were to write about RADIUS<->Diameter translation, it would be one >> very short paragraph "This doesn't work." Note that I think that this >> sentence is necessary IMHO; merely not writing *anything* about the >> topic, because "noone ever used it", is not enough. You know, some >> people might be *curious* about the topic, and could be *told* that they >> need not look any further. > Lots of people are curious about lots of things... And if this curiosity originates from them using an SDO's spec, then it might be a good idea if the SDO supplies the answer to them. Greetings, Stefan Winter >> Greetings, >> >> Stefan Winter >> >>>> Best regards, >>>> Sebastien. >>>> >>>> -- >>>> Sebastien Decugis >>>> Research fellow >>>> Network Architecture Group >>>> NICT (nict.go.jp) >>>> >>> _______________________________________________ >>> DiME mailing list >>> DiME@ietf.org >>> https://www.ietf.org/mailman/listinfo/dime >> >> -- >> Stefan WINTER >> Ingenieur de Recherche >> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et >> de la Recherche >> 6, rue Richard Coudenhove-Kalergi >> L-1359 Luxembourg >> >> Tel: +352 424409 1 >> Fax: +352 422473 >> >> _______________________________________________ >> DiME mailing list >> DiME@ietf.org >> https://www.ietf.org/mailman/listinfo/dime > -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
- [Dime] WG adoption call for draft-zorn-dime-rfc40… jouni korhonen
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Romascanu, Dan (Dan)
- Re: [Dime] WG adoption call for draft-zorn-dime-r… jouni korhonen
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… lionel.morand
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- [Dime] Concluded: WG adoption call for draft-zorn… jouni korhonen
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Stefan Winter
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Stefan Winter
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Alan DeKok
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Stefan Winter
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Stefan Winter
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Stefan Winter
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis