IETF Logo Mail Archive

Re: [Dime] WG adoption call for draft-zorn-dime-rfc4005bis-01

Stefan Winter <stefan.winter@restena.lu> Mon, 16 August 2010 09:52 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C3F353A681B for <dime@core3.amsl.com>; Mon, 16 Aug 2010 02:52:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.994
X-Spam-Level:
X-Spam-Status: No, score=-1.994 tagged_above=-999 required=5 tests=[AWL=0.005, BAYES_00=-2.599, J_CHICKENPOX_32=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6f2Xmz0DfZ1p for <dime@core3.amsl.com>; Mon, 16 Aug 2010 02:52:11 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by core3.amsl.com (Postfix) with ESMTP id ECE4A3A681F for <dime@ietf.org>; Mon, 16 Aug 2010 02:52:10 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 4832210586; Mon, 16 Aug 2010 11:52:46 +0200 (CEST)
Received: from [IPv6:2001:a18:1:8::155] (unknown [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 242E710584; Mon, 16 Aug 2010 11:52:46 +0200 (CEST)
Message-ID: <4C690A6D.3010903@restena.lu>
Date: Mon, 16 Aug 2010 11:52:45 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.2.8) Gecko/20100802 Lightning/1.0b2 Thunderbird/3.1.2
MIME-Version: 1.0
To: Glen Zorn <gwz@net-zen.net>
References: <A0A5F8D2-62B7-40BF-A9C2-8ED231D6323E@gmail.com> <4C5A5F2D.20508@nict.go.jp> <001c01cb346e$d7f9a460$87eced20$@net> <4C5A6DA9.30309@nict.go.jp> <003201cb347a$0fb844a0$2f28cde0$@net> <4C650C71.9020000@restena.lu> <000e01cb3c5d$7b8d1620$72a74260$@net>
In-Reply-To: <000e01cb3c5d$7b8d1620$72a74260$@net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV
Cc: dime@ietf.org
Subject: Re: [Dime] WG adoption call for draft-zorn-dime-rfc4005bis-01
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Aug 2010 09:52:13 -0000

  Hi,

> I see.  Where did the actually usable implementation of RADIUS over TCP come
> from?

That's a good question. Back in the day, I thought we might have been 
the trigger for the Radiator guys (since the prototype system existed 
before I joined the club), but after all I heard, it wasn't us. There 
were apparently actual clients requesting that feature. It did fit quite 
nicely into our requirements, though, and that's why we picked it up.

>> More for the record: the first eduroam prototype was online June 2003;
>> RFC3588 dates September 2003. Your definition of "long before" violates
>> temporal continuity.
> Of course, my mistake for not realizing that initial prototype == published
> RFC.

This has nothing to do with published RFCs. You said "Diameter existed 
long before EDUROAM " and I pointed out that you are wrong.

Deployers of IETF standards don't usually have to announce themselves by 
writing an RFC describing their deployment, so I'm completely lost why 
you are talking of a "published RFC" here.

>> If the end auth server is a pure RADIUS server, someone else has
>> to do it for him.
> Why (&  how) would a Diameter message be delivered to a pure RADIUS server?

That's the point: if one realm in the consortium only speaks RADIUS and 
some other device has wrapped RADIUS into Diameter with RADIA, then 
there needs to be another RADIA-supporting Diameter server somewhere in 
the path to do the unwrapping.
Of course not the Diameter message needs to be delivered, but only the 
contents of the Radius-Message AVP, unwrapped and transformed into plain 
RADIUS.

> The only element relevant to authentication/authorization in a RADIA message
> is the encapsulated RADIUS message; any other Diameter AVPs that may be
> present are only for transport purposes.

There's a " * [ AVP ] " in the command definition of Radia-Req and 
-Answer. I had the impression that this enables one to send 
non-transport-related content. I may be wrong with that; am I?

>> Even if unwrapping works,
>> what if a (Diameter) auth server crafts a (Diameter) answer, with
>> untranslatable attributes which can never be translated back to a RADIUS
>> NAS?
> Then the Diameter server in question is broken; nevertheless, what happens
> if a NASREQ app server does the same thing today?

Why would the Diameter server in question be broken? RFC4005 mentions 
that it is well possible that a Diameter crafts messages with 
untranslatable attributes. That's not brokenness; it is just something 
that might happen. The RFCs answer for oversized attributes, for example 
(which also answers your own question, above, is: "a Result-Code of 
DIAMETER_INVALID_AVP_LENGTH should be returned."

>> If forwarded along multiple proxies, the wrapping entity would need
>> signalling on whether there will be an entity along the line to unwrap
>> the message at all. If there is none, the tunnel has no other end.
>> Signalling of this along multiple hops is unspecified in your draft, if
>> I'm not mistaken.
> Because it's unnecessary; if there is no RADIA app server in the destination
> realm, a standard "undeliverable message" error must be returned.  That
> point should be made in the draft.

Into what does this error message get translated to the originating 
RADIUS NAS? I would guess into an Access-Reject? With a Reply-Message 
containing some hint that it wasn't actually the user's fault? Or a new 
RADIUS attribute to convey the error condition? Or should it just be 
silently discarded? Difficult to say if the draft doesn't specify any 
handling for such error conditions.

>> I don't think your draft has answers to these questions.
>>
>> Anyway, the tunneling requires both ends of the tunnel to understand
>> RADIUS. It is thus not a transition mechanism.
> OK.  How, then, is RFC 4005 (one-way) translation a transition mechanism?

It is not. As I wrote earlier, the much more honest answer to the 
transition question is "It's not possible."

> As I have pointed out many times, the end NASREQ server must understand how
> to respond to the request in a translatable way

That's not what RFC4005 says. In the above-quoted section 9.5 it is 
acknowledged that untranslatable attributes can occur. There is no "must 
understand how to respond to the request in a translatable way"in the 
RFC. If there were, it would be easier to build a deterministic 
transition path with it. In it's current state, the answer "it will 
often work, but sometimes it just won't" is not a satisfactory answer. 
Funny, 4005bis could have been used to make such a point; but instead, 
now the content gets purged in its entirety. But I'm happy either way.

>> It's an alternative
>> transport. And a not very useful one, IMHO. I acknowledge your point
>> that there are apparently some organisations which have hardwired the
>> use of Diameter in their specs, while actually wanting to speak RADIUS
>> on some paths, and for these organisations, RADIUS disguised as Diameter
>> is a tool they might need.
> &  is precisely what RADIA supplies, but w/o the overhead of "translation".

And it may very well be good for this particular and narrow purpose. The 
Abstract and Intro make much higher and undue promises to the reader 
though. How about calling this "transporting RADIUS messages over 
Diameter routing".

>> Your point "noone ever transitioned" is true; but for reasons of lack of
>> options to do so. It's not exactly fair to blame the RFC for it. FWIW,
>> if were to write about RADIUS<->Diameter translation, it would be one
>> very short paragraph "This doesn't work." Note that I think that this
>> sentence is necessary IMHO; merely not writing *anything* about the
>> topic, because "noone ever used it", is not enough. You know, some
>> people might be *curious* about the topic, and could be *told* that they
>> need not look any further.
> Lots of people are curious about lots of things...

And if this curiosity originates from them using an SDO's spec, then it 
might be a good idea if the SDO supplies the answer to them.

Greetings,

Stefan Winter

>> Greetings,
>>
>> Stefan Winter
>>
>>>> Best regards,
>>>> Sebastien.
>>>>
>>>> --
>>>> Sebastien Decugis
>>>> Research fellow
>>>> Network Architecture Group
>>>> NICT (nict.go.jp)
>>>>
>>> _______________________________________________
>>> DiME mailing list
>>> DiME@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dime
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
>> de la Recherche
>> 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>> _______________________________________________
>> DiME mailing list
>> DiME@ietf.org
>> https://www.ietf.org/mailman/listinfo/dime
>


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

v2.23.0 | Report a Bug | By Email