Re: [radext] Small issues in the ALPN draft
Alexander Clouter <alex+ietf@coremem.com> Wed, 20 March 2024 04:38 UTC
Return-Path: <alex+ietf@coremem.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D8F1C1D5C69 for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 21:38:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="ZcIofQuf"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Zf8d1oI9"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iFIJO8rKv6wE for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 21:38:07 -0700 (PDT)
Received: from fout4-smtp.messagingengine.com (fout4-smtp.messagingengine.com [103.168.172.147]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92301C1D5C67 for <radext@ietf.org>; Tue, 19 Mar 2024 21:38:07 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfout.nyi.internal (Postfix) with ESMTP id 37B651380066 for <radext@ietf.org>; Wed, 20 Mar 2024 00:38:06 -0400 (EDT)
Received: from imap46 ([10.202.2.96]) by compute3.internal (MEProxy); Wed, 20 Mar 2024 00:38:06 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1710909486; x=1710995886; bh=cfONzDDeUr 9grdjpCpsTnKIPnRpNqB8SY6SUl5is5tQ=; b=ZcIofQuffWJdQKeabmiOCZBwaT XsbCmD6spYaT/THXF+MiJxVJECeSgu1FmVlRG0w1fdX1OqVHAF/U4BCvYbREHtAS kFTw0300uqCoYZzBwJMevCgr1TwjuIMOJF9foVUa0oV1YRhwKRXVuAXtIDfnJduy TXmTYzcUuZOdK+m3eXsZw6Lrz4bNMPJM4xfYqiRW9Qgm80d7cYI1vxUrDlw6TemF FvJhMYJ0cIjZLQg3CdEtA2RCyFTWSo9GTvbUAj+/UE28sdwBpzszfhAuYMLdccbQ MzdU0JCgXCDgrhEsTzmtt3fp+JdHhynVQKapz/c5KBv45M2A7YXLFtpmdtRw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1710909486; x=1710995886; bh=cfONzDDeUr9grdjpCpsTnKIPnRpN qB8SY6SUl5is5tQ=; b=Zf8d1oI9Fn2OXUZn4G3Tq78U9YipiucmFn47odQ9GStl en3/ZEsB5+YG5bFmYl4hKjbUdWDTERh1ERuFrlJ4UvYuYXx+eD6yxAEH7T2IspNK fV01Xp8gcmiFjc2Nb1NST48N+rxB+H5bY9Vli02GLpSLzJpNiyllAIMyGFMy/TeJ iMWBDu1etbMWG4Kd1eotmml1/4WnvoLOY97K3MgEWkdFSjYef5aKHmEtBOjt7LAz I36F0uPyEWOb7w+OXvAHgo198Ghn5VfEUnDB+bRmOOuk5SWDLLadxYKTGIP3Stee w3+Jg/J1Xt1AAqVngtGabc5qIZfeVfuty9EM2n2/dQ==
X-ME-Sender: <xms:Lmj6ZbBH6FRUpoP0Fu_zFTpt4iz2y4zcrQJsf1qoAfI2ik_c8EVwOQ> <xme:Lmj6ZRjChNXfRUYVWcZwzG8r63lncF0vWx9DKnT_tIv6ac_HCcQgLTglyGbE6e_sS ruO7hyUh4BW1DQcKw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrleefgddulecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdetlhgvgigrnhguvghrucevlhhouhhtvghrfdcuoegrlhgv gidoihgvthhfsegtohhrvghmvghmrdgtohhmqeenucggtffrrghtthgvrhhnpedvteejhf ehgfegleeuleefteeikefgvefhheekheevvdekueefkeeiieffhfdvgeenucevlhhushht vghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegrlhgvgidoihgvthhfse gtohhrvghmvghmrdgtohhm
X-ME-Proxy: <xmx:Lmj6ZWmMaOVA1mgy7-Ufbaz3Zg3hi5K5aOXweqvC2c3RYueuRhAh3w> <xmx:Lmj6ZdyKWV-IyORpneSUuHJ1Mm6elSta-JkB8QJUjkgkjGbc2_OG_w> <xmx:Lmj6ZQSM9RIyjS35ogJAktWyvgPrPRUjzfk_FRmIEVBbCgX2OND9tA> <xmx:Lmj6ZQbS7rp6PtUzjqKcQsIz5Pr-w3O_e4_ksqcJ90JC98RdLUgRXQ> <xmx:Lmj6ZbKV7LglVtS340s8rnZVOxMdBVR8vh95a7CFg8yWRUlje8Vacw>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id E9BBB2A20092; Wed, 20 Mar 2024 00:38:05 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-332-gdeb4194079-fm-20240319.002-gdeb41940
MIME-Version: 1.0
Message-Id: <b28c7cf1-c872-491c-a7fd-4f48d3517b43@app.fastmail.com>
In-Reply-To: <edcbd00f-860e-4035-9abc-c9f23e8a5560@dfn.de>
References: <3a5885c2-fa5a-4aae-a1f4-e79b9456ad94@dfn.de> <3C061F54-4D3A-4523-AC5B-E744A22A8EA3@deployingradius.com> <c1a00b2f-e716-4e8e-87d3-0d8dedeb8957@dfn.de> <E2A51B6B-A621-41B7-8371-B5110AD29624@deployingradius.com> <edcbd00f-860e-4035-9abc-c9f23e8a5560@dfn.de>
Date: Wed, 20 Mar 2024 04:37:45 +0000
From: Alexander Clouter <alex+ietf@coremem.com>
To: radext@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/-KjEpnhRPASyBOuXO0I4EApOAVU>
Subject: Re: [radext] Small issues in the ALPN draft
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 04:38:12 -0000
Hello, On Wed, 20 Mar 2024, at 03:53, Jan-Frederik Rieckers wrote: > But for outstanding packets, the server and client MUST have a matching > idea of when a token can be reused, in order to have a stable connection. One way to solve this is retain that from the server perspective the token is 100% opaque but suggest that client implementations split the token as [token|epoch] where this 'epoch' is some local timestamp representation (meaningful only to the client) of when the initial request was sent. This lets the client to continue to use a random value, but the time element guarantees that there is no reuse within a window; similar to UUID version 1 and 2. We would need to recommend that this timestamp representation support at least N seconds (~60s+) of modulo window so the client can be sure the server definitely has abandoned the old request. I think this is okay as already the document suggests strategies for token generation (random or counter). In the case of where an implementer decides: * "you picked 'random' as a generation method" "you wish not to remember N minutes of token IDs" Here we can describe this problem and recommend this as a way to solve it. On this note, may be helpful to the server to know it was a retry so maybe at some stage we assign N bits in the header as a counter for the client to use to communicate how many retries it has done. Cheers
- [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Alexander Clouter
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Heikki Vatiainen
- Re: [radext] Small issues in the ALPN draft Alan DeKok