Re: [radext] Proposed new charter text
Peter Deacon <peterd@iea-software.com> Tue, 24 March 2015 16:33 UTC
Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E47F81A90F1 for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 09:33:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iVioK5prpuyc for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 09:33:44 -0700 (PDT)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id B28981A90C4 for <radext@ietf.org>; Tue, 24 Mar 2015 09:33:42 -0700 (PDT)
Received: from SMURF.peterd.ws (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005964586@aspen.iea-software.com>; Tue, 24 Mar 2015 09:33:40 -0700
Date: Tue, 24 Mar 2015 09:33:47 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Stefan Winter <stefan.winter@restena.lu>
In-Reply-To: <5511104F.2030006@restena.lu>
Message-ID: <alpine.WNT.2.20.1.1503240857140.3600@SMURF>
References: <5502B836.5000100@restena.lu> <alpine.WNT.2.20.1.1503221133420.3600@SMURF> <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com> <alpine.WNT.2.20.1.1503221518060.3600@SMURF> <2DB68EA1-97A6-4263-9E7F-9BD24B567C7A@deployingradius.com> <alpine.WNT.2.20.1.1503221852040.3600@SMURF> <5FA970CC-2E05-4EFC-8AE6-840D334B28E4@deployingradius.com> <alpine.WNT.2.20.1.1503230923000.3600@SMURF> <1A6EF1EA-3412-4AAA-9646-3FD18EC0C4E4@deployingradius.com> <tsl4mpbb8r6.fsf@mit.edu> <5511104F.2030006@restena.lu>
User-Agent: Alpine 2.20.1 (WNT 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; CHARSET="US-ASCII"; FORMAT="flowed"
Content-ID: <alpine.WNT.2.20.1.1503240857501.3600@SMURF>
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/2iT179qYo-6eGhO9MzHzo1KCqjo>
Cc: radext@ietf.org
Subject: Re: [radext] Proposed new charter text
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 16:33:46 -0000
On Tue, 24 Mar 2015, Stefan Winter wrote: > I like that way out, if everyone else can live with it. I'd appreciate > comments from the working group on that topic, particularly from the > three of you of course :-) +------+ +-------+ +-------+ +-------+ +-------+ +----------+ | Home | - | RoamA | - | RoamB | - | RoamC | - | Visit | - | VisitNAS | +------+ +-------+ +-------+ +-------+ +-------+ +----------+ My best estimation of how this would work was simply to specify a generic state attribute.. Dynamic-Proxy-State and call it a day. Any administrative domain (RoamA-C or Visit) requiring verification injects Dynamic-Proxy-State into Access-Request. Dynamic Auth Clients are required to forward this information when issuing DM/CoA requests. Any admin domain in the path requiring verification then checks Dynamic-Proxy-State.. ideally at the border (RoamA) where the identity of sender is well established but intra-domain implementations can coordinate however they want. If attribute is missing but required and triplet of proxy state, identity and session identifiers of request do not add up the request is rejected. It would have the following general properties: - Injectable by anyone in proxy path via Access-Request .. "0+" -- Ideally once per admin domain implying some form of implementation dependant Intra-domain coordination. - DACs must transmit ALL Dynamic-Proxy-State atttributes from access request. - Recommendations to keep size and number of Dynamic-Proxy-State attributes as low as possible but specify no cutoff or required minimum. This is basically it.. implementations can do whatever they want to implement it... They can keep a state table or stuff the attribute with source, session identifying hints, cryptographic signatures and not have to keep much of any state at all. It should provide general advice on design options, tradeoffs, recommendations and perils of which I'm sure we call all dream up plenty. I prefer a solution that does not depend on keeping secrets.. Even if competitors sniffed out Dynamic-Proxy-State from my wires and know all of the session identifiers for my customers it would be preferable if re-injecting this information (often sent in the clear right now): not yield fruit. regards, Peter
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Sam Hartman
- Re: [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Sam Hartman
- Re: [radext] Secure COA Sam Hartman
- Re: [radext] Secure COA Alan DeKok
- Re: [radext] Secure COA Sam Hartman
- Re: [radext] Proposed new charter text Peter Deacon
- [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Stefan Winter