Re: [Dime] WG adoption call for draft-zorn-dime-rfc4005bis-01
"Glen Zorn" <gwz@net-zen.net> Sun, 15 August 2010 09:37 UTC
Return-Path: <gwz@net-zen.net>
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 302213A68B9 for <dime@core3.amsl.com>; Sun, 15 Aug 2010 02:37:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.792
X-Spam-Level:
X-Spam-Status: No, score=-100.792 tagged_above=-999 required=5 tests=[AWL=-0.793, BAYES_50=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GZUtWEq8v246 for <dime@core3.amsl.com>; Sun, 15 Aug 2010 02:37:11 -0700 (PDT)
Received: from smtpauth13.prod.mesa1.secureserver.net (smtpauth13.prod.mesa1.secureserver.net [64.202.165.37]) by core3.amsl.com (Postfix) with SMTP id 8F6D73A67A7 for <dime@ietf.org>; Sun, 15 Aug 2010 02:37:11 -0700 (PDT)
Received: (qmail 20780 invoked from network); 15 Aug 2010 09:37:46 -0000
Received: from unknown (124.157.141.92) by smtpauth13.prod.mesa1.secureserver.net (64.202.165.37) with ESMTP; 15 Aug 2010 09:37:45 -0000
From: Glen Zorn <gwz@net-zen.net>
To: 'Stefan Winter' <stefan.winter@restena.lu>
References: <A0A5F8D2-62B7-40BF-A9C2-8ED231D6323E@gmail.com> <4C5A5F2D.20508@nict.go.jp> <001c01cb346e$d7f9a460$87eced20$@net> <4C5A6DA9.30309@nict.go.jp> <003201cb347a$0fb844a0$2f28cde0$@net> <4C650C71.9020000@restena.lu>
In-Reply-To: <4C650C71.9020000@restena.lu>
Date: Sun, 15 Aug 2010 16:37:27 +0700
Organization: Network Zen
Message-ID: <000e01cb3c5d$7b8d1620$72a74260$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acs6x6Tr3aKyCp1QSCyj2WV+xlmkfABhifzw
Content-Language: en-us
Cc: dime@ietf.org
Subject: Re: [Dime] WG adoption call for draft-zorn-dime-rfc4005bis-01
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Aug 2010 09:37:13 -0000
Stefan Winter [mailto://stefan.winter@restena.lu] writes: > Hi, > > > The problem is that apparently nobody has _ever_ transitioned from > RADIUS to > > Diameter and it appears as if nobody ever will. Regarding EDUROAM, > Diameter > > existed long before EDUROAM but they chose to hack RADIUS in their own > way. > > In any case, if they decided to migrate to Diameter they could use the > > pointless tunneling protocol, retiring their RADIUS server when the > > transition was complete. > > For the record: Yes, Diameter-the-protocol existed before going into > production service, and we looked at it. > Diameter-the-actually-usable-implementation didn't exist, and still > doesn't - at least not with our requirements. I see. Where did the actually usable implementation of RADIUS over TCP come from? > Sebastien's software is > the first thing that gets vaguely close (too many EAP types missing > though), and yes, we are evaluating it. Also the 4005 part of it. > > More for the record: the first eduroam prototype was online June 2003; > RFC3588 dates September 2003. Your definition of "long before" violates > temporal continuity. Of course, my mistake for not realizing that initial prototype == published RFC. > > The pointless tunneling protocol doesn't help at all. As I pointed out > at the mic at earlier occasions: the authentication can only take place > if the final auth server is able to *unwrap* the message into plain > RADIUS. Yes. > If the end auth server is a pure RADIUS server, someone else has > to do it for him. Why (& how) would a Diameter message be delivered to a pure RADIUS server? > The outer Diameter message might have been decorated > with untranslatable extra attributes on the way; creating a highly > ambiguous state of the auth (unwrapped RADIUS might have conflicting > values to the added genuine Diameter ones? The only element relevant to authentication/authorization in a RADIA message is the encapsulated RADIUS message; any other Diameter AVPs that may be present are only for transport purposes. > Even if unwrapping works, > what if a (Diameter) auth server crafts a (Diameter) answer, with > untranslatable attributes which can never be translated back to a RADIUS > NAS? Then the Diameter server in question is broken; nevertheless, what happens if a NASREQ app server does the same thing today? > If forwarded along multiple proxies, the wrapping entity would need > signalling on whether there will be an entity along the line to unwrap > the message at all. If there is none, the tunnel has no other end. > Signalling of this along multiple hops is unspecified in your draft, if > I'm not mistaken. Because it's unnecessary; if there is no RADIA app server in the destination realm, a standard "undeliverable message" error must be returned. That point should be made in the draft. > > I don't think your draft has answers to these questions. > > Anyway, the tunneling requires both ends of the tunnel to understand > RADIUS. It is thus not a transition mechanism. OK. How, then, is RFC 4005 (one-way) translation a transition mechanism? As I have pointed out many times, the end NASREQ server must understand how to respond to the request in a translatable way; if transition is complete, that dead code undoubtedly remains. OTOH, the RADIA servers can be retired, along with the associated RADIUS servers. > It's an alternative > transport. And a not very useful one, IMHO. I acknowledge your point > that there are apparently some organisations which have hardwired the > use of Diameter in their specs, while actually wanting to speak RADIUS > on some paths, and for these organisations, RADIUS disguised as Diameter > is a tool they might need. & is precisely what RADIA supplies, but w/o the overhead of "translation". > > Your point "noone ever transitioned" is true; but for reasons of lack of > options to do so. It's not exactly fair to blame the RFC for it. FWIW, > if were to write about RADIUS<->Diameter translation, it would be one > very short paragraph "This doesn't work." Note that I think that this > sentence is necessary IMHO; merely not writing *anything* about the > topic, because "noone ever used it", is not enough. You know, some > people might be *curious* about the topic, and could be *told* that they > need not look any further. Lots of people are curious about lots of things... > > Greetings, > > Stefan Winter > > >> Best regards, > >> Sebastien. > >> > >> -- > >> Sebastien Decugis > >> Research fellow > >> Network Architecture Group > >> NICT (nict.go.jp) > >> > > > > _______________________________________________ > > DiME mailing list > > DiME@ietf.org > > https://www.ietf.org/mailman/listinfo/dime > > > -- > Stefan WINTER > Ingenieur de Recherche > Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et > de la Recherche > 6, rue Richard Coudenhove-Kalergi > L-1359 Luxembourg > > Tel: +352 424409 1 > Fax: +352 422473 > > _______________________________________________ > DiME mailing list > DiME@ietf.org > https://www.ietf.org/mailman/listinfo/dime
- [Dime] WG adoption call for draft-zorn-dime-rfc40… jouni korhonen
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Romascanu, Dan (Dan)
- Re: [Dime] WG adoption call for draft-zorn-dime-r… jouni korhonen
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… lionel.morand
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- [Dime] Concluded: WG adoption call for draft-zorn… jouni korhonen
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Stefan Winter
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Stefan Winter
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Glen Zorn
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Alan DeKok
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Stefan Winter
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Stefan Winter
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Stefan Winter
- Re: [Dime] WG adoption call for draft-zorn-dime-r… Sebastien Decugis