IETF Logo Mail Archive

Re: [radext] Extended IDs

Alan DeKok <aland@deployingradius.com> Fri, 01 December 2017 22:16 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C96AC1270A0 for <radext@ietfa.amsl.com>; Fri, 1 Dec 2017 14:16:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EkD2ofAOTI_k for <radext@ietfa.amsl.com>; Fri, 1 Dec 2017 14:16:40 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 0AEBF1205F1 for <radext@ietf.org>; Fri, 1 Dec 2017 14:16:40 -0800 (PST)
Received: from [192.168.2.9] (198-84-205-59.cpe.teksavvy.com [198.84.205.59]) by mail.networkradius.com (Postfix) with ESMTPSA id D147125D; Fri, 1 Dec 2017 22:16:38 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <20171128201853.GD17201@seadev21.f5.com>
Date: Fri, 01 Dec 2017 17:16:36 -0500
Cc: Winter Stefan <stefan.winter@restena.lu>, radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <990F2F84-4C13-4A5B-A6B2-8D61C4029E79@deployingradius.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <20171128201853.GD17201@seadev21.f5.com>
To: Astrid Smith <AE.Smith@f5.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/0FooPsQq_oIL6nhjONabZTp-kuU>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 22:16:42 -0000

On Nov 28, 2017, at 3:18 PM, Astrid Smith <AE.Smith@f5.com> wrote:
> I'm concerned about the extended Code field it defines: How should
> implementations treat messages where this Code differs from the Code
> in the RADIUS header?  The precedence is poorly defined and liable to
> cause issues.

  That is a concern.  What happens if the same Extended ID is used in two different packets from the same src/dst IP/port + Code + ID?

> The proposal also requires all proxies to explicitly support (by
> parsing and passing through, or by stripping) the Identifier
> Attribute; this requires protocol users to upgrade and test all the
> software in their RADIUS deployment before any clients may safely
> attempt to use the attribute.

  There are provisions for negotiation in both drafts.

> The request-authenticator proposal appears safe to deploy without
> upgrading the software of any proxies in the network.  As a maintainer
> of a RADIUS proxy I prefer this, and I suspect my customers would
> agree :)

  The one benefit of the request authenticator draft is that even in the case of misconfiguration, it's *impossible* for the extended IDs to leak across a proxy boundary.

  draft-chen, on the other hand, would have the extended ID leaked across old-style proxies if the client was statically misconfigured.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email