IETF Logo Mail Archive

Re: [Dime] WG adoption call for draft-zorn-dime-rfc4005bis-01

"Glen Zorn" <gwz@net-zen.net> Sun, 15 August 2010 09:37 UTC

Return-Path: <gwz@net-zen.net>
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 302213A68B9 for <dime@core3.amsl.com>; Sun, 15 Aug 2010 02:37:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.792
X-Spam-Level:
X-Spam-Status: No, score=-100.792 tagged_above=-999 required=5 tests=[AWL=-0.793, BAYES_50=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GZUtWEq8v246 for <dime@core3.amsl.com>; Sun, 15 Aug 2010 02:37:11 -0700 (PDT)
Received: from smtpauth13.prod.mesa1.secureserver.net (smtpauth13.prod.mesa1.secureserver.net [64.202.165.37]) by core3.amsl.com (Postfix) with SMTP id 8F6D73A67A7 for <dime@ietf.org>; Sun, 15 Aug 2010 02:37:11 -0700 (PDT)
Received: (qmail 20780 invoked from network); 15 Aug 2010 09:37:46 -0000
Received: from unknown (124.157.141.92) by smtpauth13.prod.mesa1.secureserver.net (64.202.165.37) with ESMTP; 15 Aug 2010 09:37:45 -0000
From: Glen Zorn <gwz@net-zen.net>
To: 'Stefan Winter' <stefan.winter@restena.lu>
References: <A0A5F8D2-62B7-40BF-A9C2-8ED231D6323E@gmail.com> <4C5A5F2D.20508@nict.go.jp> <001c01cb346e$d7f9a460$87eced20$@net> <4C5A6DA9.30309@nict.go.jp> <003201cb347a$0fb844a0$2f28cde0$@net> <4C650C71.9020000@restena.lu>
In-Reply-To: <4C650C71.9020000@restena.lu>
Date: Sun, 15 Aug 2010 16:37:27 +0700
Organization: Network Zen
Message-ID: <000e01cb3c5d$7b8d1620$72a74260$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acs6x6Tr3aKyCp1QSCyj2WV+xlmkfABhifzw
Content-Language: en-us
Cc: dime@ietf.org
Subject: Re: [Dime] WG adoption call for draft-zorn-dime-rfc4005bis-01
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Aug 2010 09:37:13 -0000

Stefan Winter [mailto://stefan.winter@restena.lu] writes:

>   Hi,
> 
> > The problem is that apparently nobody has _ever_ transitioned from
> RADIUS to
> > Diameter and it appears as if nobody ever will.  Regarding EDUROAM,
> Diameter
> > existed long before EDUROAM but they chose to hack RADIUS in their own
> way.
> > In any case, if they decided to migrate to Diameter they could use the
> > pointless tunneling protocol, retiring their RADIUS server when the
> > transition was complete.
> 
> For the record: Yes, Diameter-the-protocol existed before going into
> production service, and we looked at it.
> Diameter-the-actually-usable-implementation didn't exist, and still
> doesn't - at least not with our requirements. 

I see.  Where did the actually usable implementation of RADIUS over TCP come
from?

> Sebastien's software is
> the first thing that gets vaguely close (too many EAP types missing
> though), and yes, we are evaluating it. Also the 4005 part of it.
> 
> More for the record: the first eduroam prototype was online June 2003;
> RFC3588 dates September 2003. Your definition of "long before" violates
> temporal continuity.

Of course, my mistake for not realizing that initial prototype == published
RFC.

> 
> The pointless tunneling protocol doesn't help at all. As I pointed out
> at the mic at earlier occasions: the authentication can only take place
> if the final auth server is able to *unwrap* the message into plain
> RADIUS. 

Yes.

> If the end auth server is a pure RADIUS server, someone else has
> to do it for him. 

Why (& how) would a Diameter message be delivered to a pure RADIUS server?

> The outer Diameter message might have been decorated
> with untranslatable extra attributes on the way; creating a highly
> ambiguous state of the auth (unwrapped RADIUS might have conflicting
> values to the added genuine Diameter ones? 

The only element relevant to authentication/authorization in a RADIA message
is the encapsulated RADIUS message; any other Diameter AVPs that may be
present are only for transport purposes.

> Even if unwrapping works,
> what if a (Diameter) auth server crafts a (Diameter) answer, with
> untranslatable attributes which can never be translated back to a RADIUS
> NAS? 

Then the Diameter server in question is broken; nevertheless, what happens
if a NASREQ app server does the same thing today?

> If forwarded along multiple proxies, the wrapping entity would need
> signalling on whether there will be an entity along the line to unwrap
> the message at all. If there is none, the tunnel has no other end.
> Signalling of this along multiple hops is unspecified in your draft, if
> I'm not mistaken.

Because it's unnecessary; if there is no RADIA app server in the destination
realm, a standard "undeliverable message" error must be returned.  That
point should be made in the draft.

> 
> I don't think your draft has answers to these questions.
> 
> Anyway, the tunneling requires both ends of the tunnel to understand
> RADIUS. It is thus not a transition mechanism. 

OK.  How, then, is RFC 4005 (one-way) translation a transition mechanism?
As I have pointed out many times, the end NASREQ server must understand how
to respond to the request in a translatable way; if transition is complete,
that dead code undoubtedly remains.  OTOH, the RADIA servers can be retired,
along with the associated RADIUS servers.

> It's an alternative
> transport. And a not very useful one, IMHO. I acknowledge your point
> that there are apparently some organisations which have hardwired the
> use of Diameter in their specs, while actually wanting to speak RADIUS
> on some paths, and for these organisations, RADIUS disguised as Diameter
> is a tool they might need.

& is precisely what RADIA supplies, but w/o the overhead of "translation".

> 
> Your point "noone ever transitioned" is true; but for reasons of lack of
> options to do so. It's not exactly fair to blame the RFC for it. FWIW,
> if were to write about RADIUS<->Diameter translation, it would be one
> very short paragraph "This doesn't work." Note that I think that this
> sentence is necessary IMHO; merely not writing *anything* about the
> topic, because "noone ever used it", is not enough. You know, some
> people might be *curious* about the topic, and could be *told* that they
> need not look any further.

Lots of people are curious about lots of things...

> 
> Greetings,
> 
> Stefan Winter
> 
> >> Best regards,
> >> Sebastien.
> >>
> >> --
> >> Sebastien Decugis
> >> Research fellow
> >> Network Architecture Group
> >> NICT (nict.go.jp)
> >>
> >
> > _______________________________________________
> > DiME mailing list
> > DiME@ietf.org
> > https://www.ietf.org/mailman/listinfo/dime
> 
> 
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> 
> Tel: +352 424409 1
> Fax: +352 422473
> 
> _______________________________________________
> DiME mailing list
> DiME@ietf.org
> https://www.ietf.org/mailman/listinfo/dime

v2.23.0 | Report a Bug | By Email