Re: [radext] Extended IDs
Peter Deacon <peterd@iea-software.com> Tue, 12 December 2017 06:11 UTC
Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2EF7126CD6 for <radext@ietfa.amsl.com>; Mon, 11 Dec 2017 22:11:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m-dJZoPPhEEH for <radext@ietfa.amsl.com>; Mon, 11 Dec 2017 22:11:25 -0800 (PST)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id 1A8B6126C26 for <radext@ietf.org>; Mon, 11 Dec 2017 22:11:24 -0800 (PST)
Received: from smurf (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0006061894@aspen.iea-software.com>; Mon, 11 Dec 2017 22:11:24 -0800
Date: Mon, 11 Dec 2017 22:11:26 -0800
From: Peter Deacon <peterd@iea-software.com>
To: "Brian Weis (bew)" <bew@cisco.com>
cc: "radext@ietf.org" <radext@ietf.org>
In-Reply-To: <C50ED086-A344-492B-9782-53FB5A1C0761@cisco.com>
Message-ID: <alpine.WNT.2.21.1.1712111906360.2252@smurf>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <C50ED086-A344-492B-9782-53FB5A1C0761@cisco.com>
User-Agent: Alpine 2.21.1 (WNT 202 2017-01-01)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="-1092297921-7599-1513050747=:2252"
Content-ID: <alpine.WNT.2.21.1.1712111952550.2252@smurf>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/1nCbpviRqs3jOuUgGKreMgPxMOs>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Dec 2017 06:11:27 -0000
On Tue, 12 Dec 2017, Brian Weis (bew) wrote: > draft-chen. With the same thought process I’m a little worried about > defining "behavior previously left open to implementation > interpretation” (as mentioned in Section 2.1 of draft-dekok). I cannot > disagree that it “should" be OK, but the lack of certainly does add some > risk. Partially why I prefer draft-dekok-radext-request-authenticator. Mitigates existing ambiguity that remains intact /w draft-chen-radext-identifier-attr. > I appreciate the arguments in draft-dekok that indicate that there > should not be a problem with overloading, but because overloading > protocol fields can carry unexpected risks my preference is to adopt the > explicit approach in draft-chen. Both drafts are "overloading" payload of RADIUS packets to carry identifiers that clearly belong in header. This has objectively articulable consequences. Due to "overloading" it is no longer possible to route and correlate packets based on header information. Implementations are now required to decode attribute payloads to perform this function. Possible new risks of request and response attributes being mishandled or misinterpreted in mixed environments. Of the two draft-dekok-radext-request-authenticator appears to carry LESS "overload" risks as only responses are modified. Most importantly ORA is native header information being used for header purposes unique to one and only one specific request packet. The major reason I support draft-dekok-radext-request-authenticator it is intentionally designed to mitigate "overload" risk. On "Overloading" invoked by transmission of ORA.. RFC2865 Section 3 describes RA: --- "In Access-Request Packets, the Authenticator value is a 16 octet random number" ... "The value SHOULD be unpredictable and unique over the lifetime of a secret" ... "Since it is expected that the same secret MAY be used to authenticate with servers in disparate geographic regions, the Request Authenticator field SHOULD exhibit global and temporal uniqueness." --- For acct/dyn auth MD5 sum over packet. I am aware of no objectively articulable consequences of using authenticator for this purpose. There are no architecturally pure options on the table except time honored tradition of throwing more connections at the problem. regards, Peter
- [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Robert Raszuk
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Astrid Smith
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stig Venaas
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Arran Cudbard-Bell
- Re: [radext] Extended IDs peter
- Re: [radext] Extended IDs Bernard Aboba
- Re: [radext] Extended IDs Alan DeKok
- [radext] FW: Extended IDs Albert Tian
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs David Carrel
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Jun Zhuang
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alexander Clouter