IETF Logo Mail Archive

Re: [radext] Extended IDs

Stefan Winter <stefan.winter@restena.lu> Wed, 13 December 2017 07:15 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC87A126E64 for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 23:15:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 367F-3zJxlWp for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 23:15:13 -0800 (PST)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16656126BF3 for <radext@ietf.org>; Tue, 12 Dec 2017 23:15:13 -0800 (PST)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 322A443B0C; Wed, 13 Dec 2017 08:15:11 +0100 (CET)
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>, "Naiming Shen (naiming)" <naiming@cisco.com>, Peter Deacon <peterd@iea-software.com>
Cc: "radext@ietf.org" <radext@ietf.org>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <933E6F70-A7C1-4168-9AC9-F925EF78D9E2@jisc.ac.uk> <AE2036D0-1294-45B5-A0D7-16F91E0B4248@cisco.com> <alpine.WNT.2.21.1.1712121615090.2252@smurf> <EE3BB1A7-EAD9-4BE1-9EA2-B780580E5C95@cisco.com> <alpine.WNT.2.21.1.1712121704430.2252@smurf> <B41EF4CD-309C-4E0F-BE7A-B77A244DA421@cisco.com> <alpine.WNT.2.21.1.1712121824110.2252@smurf> <313FEFCE-FD61-4394-804D-91BAE98CA687@cisco.com> <alpine.WNT.2.21.1.1712121947300.2252@smurf> <38A550CE-C1E5-441E-B25E-7E87D266F627@cisco.com> <677f41484d9f413aab126b623141d729@XCH-ALN-014.cisco.com>
From: Stefan Winter <stefan.winter@restena.lu>
Organization: RESTENA
Message-ID: <97bb93d9-8006-9143-fe81-dd654a7c1960@restena.lu>
Date: Wed, 13 Dec 2017 08:15:11 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <677f41484d9f413aab126b623141d729@XCH-ALN-014.cisco.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: lb-LU
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/-dqmRHf3uklvRwvjoLzWTead9kA>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 07:15:15 -0000

Hello,

> Once we are arguing "It doesn't work when there's bugs or misconfigs",
> then we've sunk pretty low.

As a chair:

I do not think that was the point made in this (sub)thread.

The substantial part of the discussion was about misconfiguration (not
bugs in implementation), and the *extent* to which a misconfiguration
does harm.

The argument was that draft-dekok has a more gentle failure consequence:
communication between a client and its communication target (server or
proxy) does not work, and deterministically so. The breakage is local
between the two.

Contrary to that, draft-chen's failure mode is that confusion about the
state of communication peers may transpire along all proxies and the
final server along the proxy chain, with the ability to debug and
isolate the problem becoming difficult.

It is a configuration problem because nobody is required to implement
this new RFC - so if a request comes in with the new attribute, it's by
default treated like any other unknown attribute in RADIUS: ignore as a
server, forward unchanged as a proxy. This simple "do-nothing" is what
triggers the unpleasant failure mode in draft-chen draft. To prevent it,
every proxy operator has to take action and configure this attribute as
to-be-deleted when proxying.

That appears to be a very strong argument against a new attribute.

As an individual:

Operating a global-scale proxy environment with hundreds of proxies
across hundreds of different administrative domains, I think I can say
with some certainty that a) proxies without support for the new RFC will
be around for timescales best measured in decades, and b) such
misconfigurations WILL occur.

Greetings,

Stefan Winter

>  But now that we're there, here is a more
> likely bug: Retransmission with a new request-authenticator.
> draft-dekok will interpret that as an entirely new request.
> That is why keeping the id and authenticator separate is cleaner.
>
> Thanks,
> Jakob
>
>
> -----Original Message-----
> From: radext [mailto:radext-bounces@ietf.org] On Behalf Of Naiming Shen (naiming)
> Sent: Tuesday, December 12, 2017 10:08 PM
> To: Peter Deacon <peterd@iea-software.com>
> Cc: radext@ietf.org
> Subject: Re: [radext] Extended IDs
>
>
> When I say “check the status of the server”, sorry I didn’t mean the server-status
> message. When an operator decides to do manual configuration of a new feature
> and override the normal automated discovery procedure, he/she needs to check
> the radius server and/or radius proxy server software version, status, etc. He/she would
> not just blindly configure the new feature, and go home to sleep and assume
> everything is fine. That's just common sense. 
>
> BTW, Status-server is not supported universally is not a problem here.
> When the server software supports this draft, then it MUST implement the
> Status-server message at least for this feature.
>
> Regards,
> - Naiming
>
>> On Dec 12, 2017, at 9:58 PM, Peter Deacon <peterd@iea-software.com> wrote:
>>
>> On Wed, 13 Dec 2017, Naiming Shen (naiming) wrote:
>>
>>> If you insist misconfiguration is the greatest thing we have to deal with,
>> Decision to expand on original remarks in response to call for adoption was result of your inquiry:
>>
>> "Third, if assume an operation completely messed up, and leaking this extended-ID towards the home-server, I still need to see a good example on what the harm is that, and why this can not be debugged. The draft I agree needs to add some text on various cases and how to debug those in each of them."
>>
>> Otherwise I am happy with the relative strength of my remarks in their original context.
>>
>>> then I can imagine you misconfigurae your server ip address and proxy ip address,
>>> and packets will not be returned, how to you troubleshoot that? if you do
>> If when manually switched on in an environment where it should not be the result is not working at all that would be perfectly fine.  Unfortunatly as I have shown this is not the case with extended-id.
>>
>> In this aspect of consideration ORA clearly has an advantage both in ability to detect and report failure and nature of failure itself.
>>
>>> have ways, and this draft also have ways. Can you imaging an operator
>>> insist to do a manual configuration without check the status of the server,
>> Yes absolutely.  This will defiantly occur.  Status-server is not universally supported.
>>
>> regards,
>> Peter
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email