AW: Last Call: draft-ietf-geopriv-radius-lo (Carrying LocationObjects in RADIUS

["Doug Ewell" <dewell@roadrunner.com>]

Hi Bernard,=20

Thank you for your review comments. Please find my response below.=20

> Review of draft-ietf-geopriv-radius-lo-10.txt
>=20
> Overview comments:
>=20
> Overall, this document includes many normative statements relating
> to privacy in a number of sections.   As it stands, this makes it very
> difficult to understand exactly what privacy support will be provided
> in various scenarios.   I would strongly urge that these statements
> be consolidated into a single section.
>=20
> In terms of RADIUS protocol usage, there are a few problems
> (violation of a MUST NOT provision in RFC 3576, use of non-standard
> RADIUS data types, inappropriate use of complex attributes)
>=20
> There are also a lot of editorial issues that need to be cleaned up.
>=20
> Given everything, this  document requires substantial  work before
> it would be suitable for publication as an RFC.
>=20
> Section 1
>=20
>    Wireless LAN (WLAN) access networks are being deployed in public
>    places such as airports, hotels, shopping malls, and=20
> coffee shops by
>    a diverse set of operators such as cellular network operators (GSM
>    and CDMA), Wireless Internet Service Providers (WISPs), and fixed
>    broadband operators.
>=20
> As noted later on, these attributes are not limited to use with WLAN
> networks, but the relationship to user location is probably stronger
> with WLAN or LAN access than other access types.  I think you need
> to talk about this.

>From a certain point of view the location determination techniques
determine the location corresponding to some sort of device. The type of
device is different depending on the environment.=20

I could mentioned this fact and that there does not necessiarly need to
be a 1:1 relationship between the device and the user. For example, I
was told that in certain places in Africa it is very common to share
your mobile phone with a bunch of people (since the costs for a mobile
phone itself are rather high compared to the income there).=20

>=20
>    When a user executes the network access authentication procedure to
>    such a network, information about the location and=20
> ownership of this
>    network needs to be conveyed to the user's home network to=20
> which the
>    user has a contractual relationship.
>=20
> The use of the term "need" seems wrong here, since
> one of the goals of the document is to guard the privacy of location
> information, only providing it where there is "need to know".

What about=20

"
   When a user executes the network access authentication procedure to
   such a network, information about the location and ownership of this
   network may be conveyed to the user's home network to which the
   user has a contractual relationship.
"

>=20
>    This document describes AAA attributes, which are used by a AAA
>    client or a AAA proxy in an access network, to convey location-
>    related information to the user's home AAA server.
>=20
> The use of the term "AAA" here is a bit confusing.  If the attributes
> are applicable to both RADIUS and Diameter, this should be explicitly
> stated.=20


I'll use RADIUS instead of AAA throughout the document, and I'll make a
statement here, as well as in section 7, that the attributes are
applicable to Diameter.


>=20
>    Although the proposed attributes in this draft are intended for
>    wireless LAN deployments, they can also be used in other types of
>    wireless and wired networks whenever location information is
>    required.
>=20
> I'd suggest this paragraph be combined with the first paragraph.

Ok

>=20
>    Location information needs to be protected against unauthorized
>    access and distribution to preserve the user's privacy.=20
> [10] defines
>    requirements for a protocol-independent model for the access to
>    geographic location information.  The model includes a Location
>    Generator (LG) that creates location information, a Location Server
>    (LS) that authorizes access to location information, a Location
>    Recipient (LR) that requests and receives information, and a Rule
>    Maker (RM) that provides authorization policies to the LS which
>    enforces access control policies on requests to location=20
> information.
>=20
> I would talk a bit more about the privacy model in general terms, such
> as what protections it is designed to provide.

I don't think I should write too much in the introduction itself since
we have other sections dealing with these issues.=20

>=20
> Section 2
>=20
>    Based on today's protocols we assume that the location=20
> information is
>    provided by the access network where the end host is attached.  As
>    part of the network attachment authentication to the AAA server
>    location information is sent from the AAA client to the AAA server.
>=20
> Earlier, the document refers to use by a AAA proxy.  Could you say
> a few words about where the information originates (e.g. may originate
> on the NAS, or may be added a proxy).  Somewhere it is also worth
> stating that existing RADIUS attributes may also provide location
> information (e.g. NAS-Identifier).

I should add "AAA proxy" to the above paragraph.

It depends on the deployment where location information is added.=20


>=20
>    The authenticated identity might refer to a user, a device or
>    something else.  Although there might often be a user=20
> associated with
>    the authentication process (either directly or indirectly;=20
> indirect33007
X-Mailman-Approved-At: Tue, 22 May 2007 15:26:09 -0400
Cc: Philip Guenther <guenther+ietfd@sendmail.com>
Subject: Re: TLS requirements (Last Call: draft-ietf-atompub-protocol to
	Proposed Standard)
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>,
	<mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>,
	<mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org

Philip Guenther <guenther plus ietfd at sendmail dot com> wrote:

> That's a clearer version of what I meant, yes.  I certainly didn't mean 
> "must _only_ support specific version X.Y".
>
> It would probably be wise to have some canned words for this be provided 
> by true TLS experts to avoid subtle failure modes.  IIRC, a client that 
> supports, say, TLS 1.2 and 1.0 but not 1.1 will not interoperate with a 
> server that supports TLS 1.1 and 1.0.  The client presumably violates some 
> requirement, perhaps one for common sense, but I don't see it in a quick 
> scan of the RFCs.
>
> ("MUST request a version no smaller than X.Y and MUST support all versions 
> between and including that version and X.Y"?)

I remember MS-DOS software that would run under DOS version 3.3 or 5.0, but 
not 4.0.

--
Doug Ewell  *  Fullerton, California, USA  *  RFC 4645  *  UTN #14
http://users.adelphia.net/~dewell/
http://www1.ietf.org/html.charters/ltru-charter.html
http://www.alvestrand.no/mailman/listinfo/ietf-languages


_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf





ly
>    when a binding between a device and a user exists) there is no
>    assurance that a particular real-world entity (such as a person)
>    triggered this process.
>=20
> Is the distinction between a user, device or machine identity
> relevant for the purposes of a privacy discussion?  This paragraph
> leaves me wondering whether there is a legal distinction that
> is relevant to the protocol design.


This document does not attempt to make distinctions for any purpose
among the end-user (a person), a device or something else, any of which
trigger authenticated identity in RADIUS and which may be the target of
location information.  For the purpose of discussions of location
privacy, it is not necessary that a means of determining an end-user
presence is found nor that an end-user be bound and present.

>=20
>    Since location based authorization is
>    executed based on the network access authentication of a particular
>    "user" it might be reasonable to talk about user's privacy within
>    this document even though scenarios exist where this might=20
> not apply
>    (and device or network privacy might be the better term).
>=20
> Maybe you need to define the term "user" in the document as being
> either a user, device or machine identity in order to clarify this.

Does my comment above help?

>=20
>    Furthermore, the authors believe that there is a=20
> relationship between
>    the NAS (or other nodes in the access network) and the location of
>    the entity that triggered the network access=20
> authentication, such as
>    the user.
>=20
> Why? If the NAS is a VPN server, then the user might be=20
> located halfway
> around the world.  Might make more sense to say "depending on the
> type of access being provided, there may be a close relationship...."

I agree with deleting.


> You might give examples:
>=20
> 1) WLAN has limited range when deployed with an omni-directional
> antenna, so user is probably close to the NAS in geospatial
> (but not necessarily civil) terms.  Also, some WLAN
> access points can use "time of arrival" or other processing
> techniques to determine user location accurately;
> 2) In LAN access, the user can't be further away from the switch
> than cable length will permit.
> 3) Dialup or VPN user could be very far away from the NAS;

Agree


>=20
> If you talk about this a bit, it might help clarify why the document
> is mostly for WLAN/LAN access.

Let's not make our document only on WLAN/LAN

>=20
>    The NAS might in many cases know the location of the end
>    host through various techniques (e.g., wire databases, wireless
>    triangulation).  Knowing the location of a network (where=20
> the user or
>    end host is attached) might in many networks also reveal enough
>    information about the location of the user or the end host.  A
>    similar assumption is also made with regard to the location
>    information obtained via DHCP (see for example [4]).
>=20
> The DHCP case might be analagous to WLAN/LAN, but it is not analagous
> to the case of VPN or dialup access where the NAS and user could be
> separated by thousands of miles.

True. You raised this point in one of your previous comments.=20


>=20
>    This
>    information might be used by applications in other=20
> protocols (such as
>    SIP [11] with extensions [12]) to indicate the location of a
>    particular user even though the location "only" refers to the
>    location of the network or equipment within the network.  This
>    assumption might not hold in all scenarios but seems to be=20
> reasonable
>    and practicable.
>=20
> I think you need to say that the assumption can be presumed to hold
> for certain values of the NAS-Port-Type attribute (e.g. LAN or
> WLAN access).  In others it may not hold.

Okay so can we say for which values of NAS-Port-Type?


Note that I modified the introduction somewhat to address your comments.


>=20
> Section 3
>=20
>    Location Objects, which consist of location information and privacy
>    rules, are transported via the RADIUS protocol from the=20
> AAA client to
>    the AAA server.  A few attributes are introduced for this=20
> purpose, as
>    listed in Section 5, whereby delivery to the RADIUS server=20
> can happen
>    during the authentication/authorization phase (described in
>    Section 3.1), or in the mid-session using the dynamic authorization
>    protocol framework (described in Section 3.2).  This section
>    describes messages flows for both delivery methods.
>=20
> To me, it makes more sense to talk about what packets the location
> information can be delivered in, rather than "phases".  For example,
> location is delivered in Access-Request or Accounting-Request packets.
> Whether the Access-Request was triggered by dynamic authorization or
> a new user login is not important.  Also, this paragraph=20
> seems to suggest
> that dynamic authorization is required to obtain mid-session location
> information.  Since location can be provided interim=20
> accounting packets,
> this is not really true.  Perhaps the point is that dynamic=20
> authorization
> allows the information to be provided on demand.

The information about location information being carried in
Access-Requests, Accounting-Requests, etc. is in the text.=20

I can add your statement about dynamic authorization.=20

>=20
> Section 3.1
>=20
>    Figure 1 shows an example message flow for delivering location
>    information during the network access authentication and
>    authorization procedure.  Upon a network authentication=20
> request from
>    an access network client, the NAS submits a RADIUS Access-Request
>    message that contains location information attributes among other
>    required attributes.  These attributes are added based on various
>    criteria (such as local policy, business relationship with
>    subscriber's home network provider and in case of location
>    information also by considering privacy policies).
>=20
> Even though Figure 1 mentions "out of band agreement" the text doesn't
> elaborate on what this means.

Out-of-band refers to some deployment environments where you send
location information right away. For example, in your enterprise network
the AAA server requests location information from the NASes all the
time.=20

> Since Figure 1 shows location information provided in
> an Accounting-Request, the first sentence isn't quite right.

Good catch.

> Given the privacy issues, I think you need to qualify what
> "location information" means in the second sentence. Do you
> mean that the user location is being supplied by the NAS?

Location information might be added by the NAS or by the AAA proxy,
depending on the deployment.=20
Depending on the location determination techniques available in the
network there might not be an option to provide the location information
of the end device.=20

> I think you need to say something about the default settings
> (e.g. location provided, or not?)

I said something about the default settings in the document.=20
Per-default you don't sent location information (if no other information
is known).=20


>  Backward compatiblity issues
> also probably deserve some discussion here. You might say
> a few words about when this flow might occur (e.g. challenge-incapable
> NAS).

We cover this case. The challenge-incapable NAS does not send the hint
that it is challenge-capable and hence the RADIUS server understands
that it cannot challenge the NAS for location information.=20

>=20
> Figure 1 uses the term "Network Access Client" which isn't
> defined in terminology or used in other RADIUS RFCs.  I would change
> all uses of this term to "User".

OK.

>=20
>    If the AAA server needs to obtain location information also in
>    accounting messages then it needs to include a Requested-Info
>    attribute to the Access-Accept to express that is desired=20
> (if privacy
>    policy allow it) and the Network Access Server SHOULD then include
>    location information to the RADIUS accounting messages .
>=20
> I think you should say something about the packets within which the
> location information can be delivered in Section 1.  Something like:
> "This document enables a RADIUS server to request the delivery of
> location information within Access-Request packets, or additionally,
> within Accounting-Request packets."

OK


>=20
> Section 3.2
>=20
> This section is problematic since it specifies RADIUS attribute
> usage prohibited by RFC 3576 Section 3, which states:
>=20
>    Where a Service-Type Attribute with value "Authorize Only" is
>    included within a CoA-Request or Disconnect-Request, attributes
>    representing an authorization change MUST NOT be included; only
>    identification attributes are permitted.


This is correct.  And the violation is that we have included the
Requested-Info attribute.  And in fact, in the Requested-Info attribute
section we
says that the attribute MAY appear in Access-Accept or Access-Challenge.


> If the desire is to change the location information being provided
> (e.g. to turn on location in accounting packets, or deliver different
> types of location) why couldn't a CoA-Request be sent without an
> "Authorization-Only" Service-Type?  If the desire is to request
> location immediately, couldn't this be encoded in the Request-Info
> attribute?  There seem to be ways to achieve the goal without
> violating RFC 3576.

The other reason or intent of this section is to make sure that
when the client upon receiving a COA (Authorize-Only) responds back with
an Access-Accept it include location information if it did so in a
previous Access-Request.  This is to cover the case where the AAA server
will need the location information to respond back in an Access-Accept
or Access-Reject.

It is true that the functionality can be accomplished without providing
the Requested-Info in the COA.=20

>=20
> Later on in the section, it is stated:
>=20
>    Since location information can be sent in accounting records
>    (including accounting interim records), RFC 3576 [5] is only needed
>    for authorization changes.
>=20
> Given this, it would appear that the need to obtain location=20
> mid-session
> is best met by another technique, and that use of CoA-Request packets
> is only a corner case.  Given that RFC 3576 is not widely implemented,
> I'd expect the accounting approach to be more applicable, at least
> without an explanation about why this isn't a good idea (e.g. might
> not need location info with each interim accounting update).

Agreed.  The intent of using COA etc was NOT to get a location
information mid session.  But rather to make sure that if the AAA client
is sending an access request then it should include the location
information so that the AAA server can compute the authorization
decision based on location if need be.

>=20
> Also, this section doesn't talk about when a RADIUS server can
> send a CoA-Request containing a Request-Info attribute.  Wouldn't
> this be restricted to cases where the NAS has previously included
> a Location-Information or Challenge-Capable attribute?

The statement is true and obvious so I am not sure we would have
to address it.

>=20
> Section 4
>=20
> I'm not clear this section should exist as a standalone=20
> entity. It might
> be best to delete Section 4.2 entirely and integrate Section 4.1 with
> Sections 1 or 2.

I do not have a big preference. I can do that.

>=20
> Section 4.1
>=20
>    The home network operator requires location information for
>    authorization and billing purposes.  The operator may deny=20
> service if
>    location information is not available, or it may offer limited
>    service only.  The NAS delivers location information to=20
> the home AAA
>    server.
>=20
>    The location of the AAA client and/or the end host is transferred
>    from the NAS to the RADIUS server (based on a pre-established
>    agreement or if the RADIUS server asks for it under=20
> consideration of
>    privacy policies).  The NAS and intermediaries (if any) are not
>    allowed to use that information other than to forward it=20
> to the home
>    network.
>=20
> Are the terms "NAS" and "AAA client" used interchangeably=20
> here?  If so,
> can we primarily use one term (NAS seems best)?

Ok. I can avoid the usage of AAA client.


>=20
>    The NAS and intermediaries (if any) are not
>    allowed to use that information other than to forward it=20
> to the home
>    network.
>=20
> Intermediaries (e.g. AAA proxies) sometimes log Accounting-Request
> packets, since they may need them for billing purposes. =20
> Since billing is
> one of the uses of location information, I don't think you=20
> can prohibit
> that.  Also, what does it mean for the NAS to "use" location=20
> information?

I think I should change that sentence. From a technical point of view,
you cannot prevent the NAS from doing anything.=20
Intermediaries might indeed use Accounting-Request information for
billing purposes.=20
They must, however, not use the information for non-intented purposes,
such as making the information available for marketing purposes.=20
=20

> Some NASes have stable storage, so they might write Accounting-Request
> packets to stable storage prior to delivery.  Or they might retain
> location information in memory.  Do you mean that that the=20
> NAS or proxies
> can't provide the location information to unauthorized=20
> parties?

Unauthorized parties is a good term here and they must not use the
information other than for the intended purpose.=20

>  Or do you
> mean that proxies MUST respect the privacy policies they=20
> receive from the
> RADIUS server?

Yes. That's stated later in the document.=20

>=20
>    The RADIUS server authenticates and authorizes the user requesting
>    access to the network.  If the user's location policies=20
> are available
>    to the RADIUS server, the RADIUS server MUST deliver those policies
>    in an Access Accept to the RADIUS client.  This information MAY be
>    needed if intermediaries or other elements want to act as Location
>    Servers (see Section 4.2).  If the NAS or intermediaries do not
>    receive policies from the RADIUS server (or the end host=20
> itself) then
>    they MUST NOT make any use of the location information other than
>    forwarding it to the user's home network.
>=20
> I would name the specific attributes rather than just saying "location
> policies".  You are essentially saying that some attributes MUST be
> included in an Access-Accept packet.  The last sentence is somewhat
> more specific than just saying "allowed to use that information".

Ok. I can replace the term "location policies" with the specific
attribute list, namely Basic-Policy-Rules and Extended-Policy-Rules. The
latter one is only relevant if there are indeed extended policies
available.=20

>=20
>    Location Information may also be reported in accounting messages.
>    Accounting messages are generated when the session starts,=20
> stops and
>    periodically.  Accounting messages may also be generated when the
>    user roams during handoff.  This information may be needed by the
>    billing system to calculate the user's bill.  For example,=20
> there may
>    be different tariffs or tax rates applied based on the location.
>    Unless otherwise specified by authorization rules, location
>    information in the accounting stream MUST NOT be=20
> transmitted to third
>    parties.
>=20
> Most of this paragraph probably belongs in Section 1 of the document.
> I'm unsure what the last sentence means.  I think that the part of
> the last sentence from "location..." should probably be combined with
> the next sentence, to clarify it:
>=20
>    Location information in the accounting stream MUST only be sent in
>    the proxy chain to the home network (unless specified otherwise).
>=20
> For example, you might say "Location attributes contained within
> Accounting-Request packets MUST only be made available to entities
> on the proxy chain between the NAS and the home accounting
> server."
>=20
> Section 4.2
>=20
>    Location Servers are entities that receive the user's location
>    information and transmit it to other entities.  In this second
>    scenario, Location Servers comprise also the NAS and the RADIUS
>    server.  The RADIUS servers are in the home network, in the visited
>    network, or in broker networks.
>=20
>    Unless explicitly authorized by the user's location=20
> policy, location
>    information MUST NOT be transmitted to other parties outside the
>    proxy chain between the NAS and the Home RADIUS server.
>=20
>    Upon authentication and authorization, the home RADIUS server MUST
>    transmit the ruleset (if available) in an Access-Accept. =20
> The RADIUS
>    client, intermediate proxies are allowed to share location
>    information if they received ruleset indicates that it is allowed.
>=20
> Is a "Location Server" somehow different from an entity eligible
> to receive location information as described in the previous section?
> I'm unclear whether this section is saying anything different from
> Section 4.1 with respect to handling of user location information.
>=20

In a previous paragraph you mentioned that you would like to see Section
4 and Section 1 or 2 being merged.=20
I can look at that.=20


> Section 5.1
>=20
>    The Operator-Name attribute SHOULD be sent in Access-Request, and
>    Accounting-Request records where the Acc-Status-Type is=20
> set to Start,
>    Interim, or Stop.
>=20
> Is this attribute only sent in these packets?  If so, I would say:
> "MAY only be sent in Access-Request and Accounting-Request..."
>=20
> The Value type is restricted to use with Integers.  I think that we
> are talking about a String here, no?

That's supposed to be a string.=20
>From a format point of view I just looked one of your documents, namely
RFC 4675 http://tools.ietf.org/html/rfc4675, and  assumed that it would
be fine.=20


>=20
> Section 5.2
>=20
>    The Location-Information attribute SHOULD be sent in Access-Request
>    and in Accounting-Request messages.  For the Accounting-Request
>    message the Acc-Status-Type may be set to Start, Interim or Stop.
>=20
> Is the intent that these attributes are only sent in Access-Request
> and Accounting-Request messages?  If so, say "MAY only be sent in..."

Yes; this attribute is only sent in Access-Request and
Accounting-Request messages


>=20
> I think you are talking about a String type attribute, not an integer,
> right?

Yes, this is a String type attribute.=20


>=20
>        The 16-bit unsigned integer value allows to associate
>        the Location-Information attribute with
>        Location-Info-Civic and Location-Info-Geo
>        attributes.
>=20
> This is not a complete sentence. I think you need to explain that
> this attribute is used to provide information relating to the
> information included in the Location-Info-Civic and
> Location-Info-Geo attributes to which it refers (via the Index).

Ok.=20

>=20
> You should probably also state that this attribute is largely treated
> as an opaque blob, like the Location-Info-Civic and Location-Info-Geo
> attributes to which it refers.  As a result, it is not expected that
> RADIUS servers will need to change code to receive this attribute
> (although location applications would have to parse it).

I indicated elsewhere in the document. I could, however, repeat it with
each attribute or put it in Section 1.=20

>=20
> Section 5.3
>=20
>    Location-Info-Civic attribute SHOULD be sent in=20
> Access-Request and in
>    Accounting-Request messages.  For the Accounting-Request=20
> message the
>    Acc-Status-Type may be set to Start, Interim or Stop.
>=20
> Change to "MAY only be sent..." if that is the intent.
>=20
> Please change "Value" to "String".

The token 'Value' in the packet format has nothing todo with the data
type.
Still, the intention was to use the string data type.=20

>=20
>        The 16-bit unsigned integer value allows to associate
>        the Location-Info-Civic attribute with the
>        Location-Information attributes.
>=20
> Is there an implication that multiple Location-Information attributes
> will have the same Index value?  That doesn't make sense to me.

The relationship is as follows:=20

The Location-Information attribute is associated with one or multiple
Location-Info-Civic / Location-Info-Geo attributes via the index.
Different Location-Information attributes will have a different index
value.=20


>=20
> Section 5.4
>=20
>    Location-Info-Geo attribute SHOULD be sent in Access-Request, and
>    Accounting-Request records where the Acc-Status-Type is=20
> set to Start,
>    Interim or Stop if available.
>=20
> Change to "MAY only be sent" if that is the intent.
>=20
> Change "Value" to "String"
>=20

See response from above.=20


> Section 5.5
>=20
> Should the title be "Basic-Policy-Rules Attribute"?
>=20
>    Policy rules control the distribution of location location
>    information.  In some environments the the AAA client=20
> might know the
>    privacy preferences of the user based on pre-configuration or the
>    user communicated them as part of the network attachment.
>=20
> This seems somewhat unlikely.  Do any existing access=20
> protocols support
> user-provided privacy policies?  Or are we talking about generic
> NAS privacy settings here?

I agree that it is somewhat unlikely. Still, it would be possible to
enhance network access authentication protocols to support this
functionality.=20

>=20
>=20
>    Basic-Policy-Rules attribute SHOULD be sent in an an=20
> Access-Request,
>    Access-Accept, an Access-Challenge, an Access-Reject and an
>    Accounting-Request message.
>=20
> I think you mean "MAY be sent in an Access-Request..."
>=20

Why do you think it is a "MAY"?

>    o  The AAA client SHOULD NOT attach location information in the
>       initial Access-Request message but should rather wait=20
> for the AAA
>       server to receive a challenge for location information.
>=20
> I think you mean "for the AAA server to send an Access-Challenge..."

Correct.=20

>=20
> I think you are instead saying that "absent NAS settings
> to the contrary, the default is..."  This probably should be=20
> clarified.

With the bugfix the sentence should be clear.=20

>=20
>    o  If a roamig agreement or legal circumstances require the AAA
>=20
> roamig -> roaming

OK.

>=20
>       client to transfer location information in the initial Access-
>       Request message to the AAA server (even though user specific
>       policies are not available to the AAA client) then the access
>       network attaches default authorization policies.
>=20
> Are you saying that a Basic Policy Rules attribute MUST accompany
> a Location-Information, Location-Info-Geo or Location-Info-Civic
> attribute?

Policies travel with location information.=20

The Location-Information attribute points to the Location-Info-Geo
or/and the Location-Info-Civic attribute(s).=20
(Note that I changed the name of the attribute in the latest draft.)
>=20
>       The 'retransmission-allowed' flag MUST be set to '0' meaning
>       that the location must not be shared with other parties=20
> (other than
>       forarding them to the user's home network).
>=20
> Are we saying that sharing of location information is=20
> controlled by the
> 're-transmission-allowed' flag and that parties MUST respect the flag?

Yes. That's the idea with these type of policies.=20

> This seems to contradict earlier MUST statements (which seem to imply
> that sharing is not permitted, regardless of the flag value).

I will try to spot these earlier statements and fix them if there are
contraditory statements.=20

>=20
>       In case the home
>       network knows the user's privacy policies then these policies
>       SHOULD be sent from the RADIUS server to the RADIUS client in a
>       subsequent response message and these policies will be=20
> applied to
>       further location dissemination and in subsequent RADIUS
>       interactions (e.g., when attaching location information to
>       Accounting messages).
>=20
> What kind of response message?  Do you mean Access-Challenge here
> or Access-Accept?=20

Access-Challenge & Access-Accept

>Is there a reason why a RADIUS server would refuse
> to disclose the user's privacy policies?  Should those policies
> ever be considered private?

There is no reason not to send the privacy policies.=20
But if the RADIUS server does not want to retrieve location information
from the NAS then there is no value in sending the privacy policies from
the RADIUS server to the NAS.=20

>=20
>       0                   1                   2                   3
>       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>      |  Flags                        | Retention Expires     =20
>       ...
>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>      | Retention Expires                                     =20
>       ...
>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>      | Retention Expires             | Note Well             =20
>       ...
>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>      | Note Well                                             =20
>       ...
>      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>=20
> The design of this attribute is problematic.  It is different from
> other complex attributes in that it is sent by the RADIUS server,
> and the inclusion of timestamps implies that it needs to be computed
> dynamically, rather than treated as an opaque blob.

No. The Retention Expires field is not dynamically computed.=20

The statement "NTP timestamp" might have confused you.=20

This field specifies an absolute date at which time the Recipient is no
longer permitted to possess the location information.=20

Do you see a problem?=20

>=20
> Also, there is an implication elsewhere in the document that the
> retransmission bit needs to be respected by RADIUS proxies.  Most
> existing RADIUS proxies cannot be configured to look at a specific
> octet in an attribute, so this will not be possible.

The retransmission bit is not supposed to be inspected by the proxy
unless it wants to distribute the location for means other than
forwarding to the NAS or to the RADIUS server. In the case where the
proxy wants to make use of location information for some reasons (e.g.,
marketing purposes) then it is not expected too much to also consider
this flag when it already processes the location information parts of
the attributes.=20


>=20
> Is there a reason that this could not be split into separate
> unitary attributes, say, one for Retransmission, one for
> Retention-Expires and another for Privacy-Policy?  The=20
> "Retention Expires"
> attribute would a 64-bit
> Long Integer, the Flags would be a 32-bit integer
> and the Note Well would be a string.
>=20
> This would be much more compatible with the design of existing
> RADIUS servers and proxies and would enable privacy policies to
> be respected.

See above.=20

>=20
> Section 5.6
>=20
>    The Extended-Policy-Rules attribute SHOULD be sent in an Access-
>    Request, an Access-Accept, an Access-Challenge, an=20
> Access-Reject and
>    in an Accounting-Request message whenever location information is
>    transmitted.
>=20
> Do we mean "MAY be sent" here?

Why do you think it should be a MAY?

>=20
> I think "String" should be used here instead of "Value"

See my other comments regarding the attribute format.=20

>=20
> Why is Length >=3D4 (rather than 3)?

Does not make a difference since the URI in the Extended-Policy-Rules
attribute is much longer than one or two octets anyway?=20



>=20
> Section 5.7
>=20
> Why is the Challenge-Capable attribute defined if it is always
> set to 0?  Is the presence of the attribute sufficient to indicate
> that the NAS is capable of being challenged so that the value
> is irrelevant?
>=20
> It would make more sense for this to be a 32-bit integer value
> that only has a single value defined (1) indicating that the
> NAS is capable of being challenged.

Wouldn't that be exactly the same functionality?=20

Defining the value as 32-bit integer instead of a string is fine for me.


Are you suggesting to define a registry to manage the value range? =20

>=20
> Section 5.8
>=20
>    The Requested-Info attribute allows the RADIUS server to indicate
>    whether it needs civic and/or geospatial location=20
> information of the
>    NAS or the end host (i.e., the entities that are indicated in the
>    Entity field of the Location-Information attribute).
>=20
> Can't the RADIUS server ask for both NAS and end host information?

The RADIUS server can ask for NAS and end host location information.=20
I will change the sentence to "...location information of the NAS and /
or end host..."


>=20
>       2.  If the RADIUS server does not receive the requested
>           information in response to the Access-Challenge=20
> (including the
>           Requested-Info attribute) then the RADIUS server=20
> responds with
>           an Access-Reject with an Error-Cause attribute=20
> (including the
>           "Location-Info-Required" value).  Note that an Access-Reject
>           message SHOULD only be sent if the RADIUS server MUST use
>           location information for returning a positive access control
>           decision.
>=20
> The combination of SHOULD and MUST is confusing.  I think you mean to
> say that an Access-Reject MUST only be sent if the RADIUS server
> requires location information, but does not receive it, right?

Correct.=20


>=20
>       This is typically the case when location
>       information is used for inclusion to the user's bill only.
>=20
> Rephrase to "is used only for billing".


Ok.=20

>=20
>    If the RADIUS server does not send a Requested-Info attribute then
>    the RADIUS client MUST NOT attach location information to=20
> messages to
>    the RADIUS server.  The user's authorization policies, if=20
> available,
>    MUST be consulted by the RADIUS server before requesting location
>    information delivery from the RADIUS client.
>=20
> But earlier it is said that the NAS may send location information by
> default,
> correct?  Or is an exception being made?

Only if an out-of-band agreement is in place.=20


>=20
> Figure 11 probably belongs earlier in the document.
>=20
>    The Requested-Info attribute MUST be sent by the RADIUS=20
> server if it
>    wants the RADIUS client to return civic and/or geospatial
>    information.  This Requested-Info attribute MAY appear in=20
> the Access-
>    Accept or in the Access-Challenge message.
>=20
> Earlier it seems to imply that the NAS could sent location information
> by out-of-band agreement.  So do you mean to say "in the absence of
> an out-of-band agreement..."?

Yes.=20

>=20
>      Requested-Info (64 bits):
>=20
>        This text field contains an integer value that encodes the
>        requested information attributes.
>        Each capability value represents a bit position.
>=20
> It would be clearer to just say that the Requested-Info attribute
> defines a bit field, where the information on CIVIC_LOCATION,
> GEO_LOCATION, USERS_LOCATION, and NAS_LOCATION can be requested.
>=20
> BTW, why is a 64-bit value required?  wouldn't 32-bits do as well?

Just wanted to be future-proof.=20


>=20
> Section 6
>=20
>    If multiple
>    Location-Information attributes are sent then they MUST NOT contain
>    the same information.
>=20
> Does this mean "must not have the same Index field?" Or does it mean
> that they must not be identical in all respects?

Maybe it is too obvious to mention but if the location information is
the same then you might not want to repeat it.=20
Maybe I should just delete the second part of the sentence since it is
common sense.=20



>=20
> Section 8.2
>=20
>    o  The visited network is able to learn the user's identity.
>=20
> I think you need a reference to NAI privacy (e.g. RFC 4282 or=20
> 4372) here.

I could do that.=20


>=20
> Section 8.3
>=20
> This section interrupts the document flow; it would better belong in
> an Appendix.


Fine with me.

=20

>=20
> Section 9
>=20
>    Two entities might act as Location Servers as shown in=20
> Section 4, in
>    Figure 16 and in Figure 17:
>=20
> I think the sentence should end with a period, not a colon, right?

Yes.=20


>=20
> Section 9.1
>=20
>    In this scenario it is difficult to obtain authorization policies
>    from the end host (or user) immediately when the user=20
> attaches to the
>    network.  In this case we have to assume that the visited network
>    does not allow unrestricted distribution of location information to
>    other than the intended recipients (e.g., to third party entities).
>    When the AAA messages traverses one or more broker networks, the
>    broker network is bound by the same guidelines as the=20
> visited network
>    with respect to the distribution of location information.
>=20
> Are you just saying that proxies need to respect the=20
> 'retransmission' bit?
> In practice, they won't be able to do that because their=20
> policy engines
> operate at the attribute, not bit level.  You'll need to have an
> individual attribute for retransmission if you want this to work.


You mentioned this issue already previously.=20

If the proxy (or an associated entity) wants to use the location
information for some other purpose then it needs to consider the
policies.=20
Hence, proxies are going to need to look at the bit, they will need to
be fully location aware and it will be ok to ask them to deal with the
bit.

>=20
>    The visited network MUST behave according to the following
>    guidelines:
>=20
>    o  Per default only the home network is allowed to receive location
>       information.  The visited network MUST NOT distribute location
>       information to third parties without seeing the user's privacy
>       rule set.
>=20
> Are you saying that the lack of distribution is the default, absent
> receipt of privacy policies to the contrary?  I'd suggest that this
> be stated earlier on.

Lack of distribution of geoloc is default and policy bits enable it,
that's how this stuff works.

>=20
>    o  If the RADIUS client in the visited network learns the=20
> basic rule
>       set or a reference to the extended rule set by means outside the
>       RADIUS protocol (e.g., provided by the end host) then it MUST
>       include the Basic-Policy-Rules and the Extended-Policy-Rules
>       attribute in the Access-Request message towards the home AAA
>       server.  Furthermore, the visited network MUST evaluate these
>       rules prior to the transmission of location information=20
> either to
>       the home network or a third party.  The visited network MUST
>       follow the guidance given with these rules.
>=20
> This seems quite unlikely.  Is there a reference to a specification
> where this is proposed?

Currently, there is no such protocol support available.=20
This is a forward-looking statement.=20

>=20
>    o  If the RADIUS client in the visited network receives the Basic-
>       Policy-Rules attribute with Access-Accept or the=20
> Access-Challenge
>       message then the Basic-Policy-Rules MUST be attach in subsequent
>       RADIUS messages which contain the Location-Information attribute
>       (such as interim accounting messages).
>=20
> attach -> attached

OK.

> You need to include this statement in the Attribute Table section 6.
> Doesn't it apply to all NASes, not just a visited network?

I could add a sentence to Section 6 that states this fact. However,
there is no way to express this in the table itself.=20


>=20
>    o  If the RADIUS client in the visited network receives=20
> the Extended-
>       Policy-Rules attribute with Access-Accept or the=20
> Access-Challenge
>       message then the Basic-Policy-Rules attribute MUST be attach in
>       subsequent RADIUS messages which contain the=20
> Location-Information
>       attribute (such as interim accounting messages).
>=20
> attach -> attached

OK.

>=20
> I think this needs to be included in the Attribute Table section 6.
> Doesn't it apply to all NASes, not just a Visited network?

Same as above.=20
I could add a sentence to Section 6 that states this fact. However,
there is no way to express this in the table itself.=20

>=20
> Section 10
>=20
>    If no authorization information is provided by the user
>    then the visited network MUST set the authorization=20
> policies to only
>    allow the home AAA server to use the provided location information.
>=20
> This seems to contradict Figure 1 which shows location
> information sent by out-of-band agreement without any policy=20
> attributes.

That's indeed an incomplete sentence.=20


>=20
>    It is necessary to use authorization policies to limit the
>    unauthorized distribution of location information.  The security
>    requirements which are created based on [10] are inline=20
> with threats
>    which appear in the relationship with disclosure of location
>    information as described in [33].  PIDF-LO [21] proposes S/MIME to
>    protect the Location Object against modifications.  S/SIME=20
> relies on
>    public key cryptography which raises performance,=20
> deployment and size
>    considerations.  Encryption would require that the local AAA server
>    or the NAS knows the recipient's public key (e.g., the=20
> public key of
>    the home AAA server).
>=20
> So are we saying that the location information attributes can=20
> be encrypted
> in some cases, so that the privacy concerns are not=20
> applicable? But the
> attributes don't support this, right?
>=20
>    Knowing the final recipient of the location
>    information is in many cases difficult for RADIUS entities.
>=20
> Specifically, RADIUS clients only deal with RADIUS servers=20
> that are one
> hop away.


Maybe the discussion about PIDF-LO S/MIME protection is a bit out of
context.=20


Here is the updated document:=20
http://www.tschofenig.com/svn/draft-ietf-geopriv-radius-lo/draft-ietf-ge
opriv-radius-lo-11.txt


Ciao
Hannes

PS: I merged the civic and the geospatial location information attribute
into a single attribute since I noticed a problem in the extensibility
mechanism. One would have to define new attributes with new location
formats even though location information is opaque for the RADIUS
protocol.=20

>=20
>=20
>=20
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www1.ietf.org/mailman/listinfo/ietf
>=20

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf