IETF Logo Mail Archive

Re: [radext] Proposed new charter text

Peter Deacon <peterd@iea-software.com> Tue, 24 March 2015 16:33 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E47F81A90F1 for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 09:33:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iVioK5prpuyc for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 09:33:44 -0700 (PDT)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id B28981A90C4 for <radext@ietf.org>; Tue, 24 Mar 2015 09:33:42 -0700 (PDT)
Received: from SMURF.peterd.ws (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005964586@aspen.iea-software.com>; Tue, 24 Mar 2015 09:33:40 -0700
Date: Tue, 24 Mar 2015 09:33:47 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Stefan Winter <stefan.winter@restena.lu>
In-Reply-To: <5511104F.2030006@restena.lu>
Message-ID: <alpine.WNT.2.20.1.1503240857140.3600@SMURF>
References: <5502B836.5000100@restena.lu> <alpine.WNT.2.20.1.1503221133420.3600@SMURF> <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com> <alpine.WNT.2.20.1.1503221518060.3600@SMURF> <2DB68EA1-97A6-4263-9E7F-9BD24B567C7A@deployingradius.com> <alpine.WNT.2.20.1.1503221852040.3600@SMURF> <5FA970CC-2E05-4EFC-8AE6-840D334B28E4@deployingradius.com> <alpine.WNT.2.20.1.1503230923000.3600@SMURF> <1A6EF1EA-3412-4AAA-9646-3FD18EC0C4E4@deployingradius.com> <tsl4mpbb8r6.fsf@mit.edu> <5511104F.2030006@restena.lu>
User-Agent: Alpine 2.20.1 (WNT 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; CHARSET="US-ASCII"; FORMAT="flowed"
Content-ID: <alpine.WNT.2.20.1.1503240857501.3600@SMURF>
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/2iT179qYo-6eGhO9MzHzo1KCqjo>
Cc: radext@ietf.org
Subject: Re: [radext] Proposed new charter text
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 16:33:46 -0000

On Tue, 24 Mar 2015, Stefan Winter wrote:

> I like that way out, if everyone else can live with it. I'd appreciate
> comments from the working group on that topic, particularly from the
> three of you of course :-)

+------+    +-------+   +-------+   +-------+   +-------+   +----------+
| Home | -  | RoamA | - | RoamB | - | RoamC | - | Visit | - | VisitNAS |
+------+    +-------+   +-------+   +-------+   +-------+   +----------+

My best estimation of how this would work was simply to specify a generic 
state attribute.. Dynamic-Proxy-State and call it a day.

Any administrative domain (RoamA-C or Visit) requiring verification 
injects Dynamic-Proxy-State into Access-Request.

Dynamic Auth Clients are required to forward this information when issuing 
DM/CoA requests.

Any admin domain in the path requiring verification then checks 
Dynamic-Proxy-State.. ideally at the border (RoamA) where the identity of 
sender is well established but intra-domain implementations can coordinate 
however they want.  If attribute is missing but required and triplet of 
proxy state, identity and session identifiers of request do not add up the 
request is rejected.

It would have the following general properties:

- Injectable by anyone in proxy path via Access-Request .. "0+"
-- Ideally once per admin domain implying some form of implementation 
dependant Intra-domain coordination.

- DACs must transmit ALL Dynamic-Proxy-State atttributes from access 
request.
- Recommendations to keep size and number of Dynamic-Proxy-State 
attributes as low as possible but specify no cutoff or required minimum.

This is basically it.. implementations can do whatever they want to 
implement it... They can keep a state table or stuff the attribute with 
source, session identifying hints, cryptographic signatures and not have 
to keep much of any state at all.

It should provide general advice on design options, tradeoffs, 
recommendations and perils of which I'm sure we call all dream up plenty.

I prefer a solution that does not depend on keeping secrets.. Even if 
competitors sniffed out Dynamic-Proxy-State from my wires and know all of 
the session identifiers for my customers it would be preferable if 
re-injecting this information (often sent in the clear right now): not 
yield fruit.

regards,
Peter

v2.23.0 | Report a Bug | By Email