[radext] OPS-DIR review of draft-ietf-radext-ip-port-radius-ext-11
Tim Chown <Tim.Chown@jisc.ac.uk> Wed, 17 August 2016 10:22 UTC
Return-Path: <tim.chown@jisc.ac.uk>
X-Original-To: expand-draft-ietf-radext-ip-port-radius-ext.all@virtual.ietf.org
Delivered-To: radext@ietfa.amsl.com
Received: by ietfa.amsl.com (Postfix, from userid 65534) id 2FCB512D5FF; Wed, 17 Aug 2016 03:22:54 -0700 (PDT)
X-Original-To: xfilter-draft-ietf-radext-ip-port-radius-ext.all@ietfa.amsl.com
Delivered-To: xfilter-draft-ietf-radext-ip-port-radius-ext.all@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0620F12B036 for <xfilter-draft-ietf-radext-ip-port-radius-ext.all@ietfa.amsl.com>; Wed, 17 Aug 2016 03:22:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.11
X-Spam-Level:
X-Spam-Status: No, score=-4.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=jisc365.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fQ3tvj0DyP97 for <xfilter-draft-ietf-radext-ip-port-radius-ext.all@ietfa.amsl.com>; Wed, 17 Aug 2016 03:22:51 -0700 (PDT)
Received: from eu-smtp-delivery-189.mimecast.com (eu-smtp-delivery-189.mimecast.com [146.101.78.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6256212D600 for <draft-ietf-radext-ip-port-radius-ext.all@ietf.org>; Wed, 17 Aug 2016 03:22:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jisc365.onmicrosoft.com; s=selector1-jisc-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=2q0HucprS4uYdc+WAi8tLdtJuvS+Y9d0x5lu0lbK+0M=; b=amrqQuXaDzCHg9UWECdL3/1ZTLPN9YI8creRIpC6cDIIIJjTmZBT8ErennQwPW+o1BKYJDZgknC3gIsiIpzS1HtFCLJ1n8gqlObtDlXd2b7L45sKvpymtEvZJsGNOkWJl+bg87EWqZ5Dps/05q2myiFfgrgkR5DSD6BUtiIl5vo=
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-ve1eur02lp0050.outbound.protection.outlook.com [213.199.154.50]) (Using TLS) by eu-smtp-1.mimecast.com with ESMTP id uk-mta-47-jWKzTpgpP1WpUyIvONQDjA-1; Wed, 17 Aug 2016 11:22:47 +0100
Received: from AMSPR07MB455.eurprd07.prod.outlook.com (10.242.106.148) by AMSPR07MB453.eurprd07.prod.outlook.com (10.242.106.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.549.15; Wed, 17 Aug 2016 10:22:44 +0000
Received: from AMSPR07MB455.eurprd07.prod.outlook.com ([10.242.106.148]) by AMSPR07MB455.eurprd07.prod.outlook.com ([10.242.106.148]) with mapi id 15.01.0549.023; Wed, 17 Aug 2016 10:22:45 +0000
From: Tim Chown <Tim.Chown@jisc.ac.uk>
To: "ops-dir@ietf.org" <ops-dir@ietf.org>, "draft-ietf-radext-ip-port-radius-ext.all@ietf.org" <draft-ietf-radext-ip-port-radius-ext.all@ietf.org>
Thread-Topic: OPS-DIR review of draft-ietf-radext-ip-port-radius-ext-11
Thread-Index: AQHR+HEowS7Op1qTZUSXToLnElhR2Q==
Date: Wed, 17 Aug 2016 10:22:45 +0000
Message-ID: <AMSPR07MB4557B288F324D4DAA4E0D4CD6140@AMSPR07MB455.eurprd07.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [194.82.140.195]
x-ms-office365-filtering-correlation-id: 48fa3172-a363-4440-1a53-08d3c6886e36
x-microsoft-exchange-diagnostics: 1; AMSPR07MB453; 20:DsvC0poe53swNaKLNS6WXLe9Li5P67CaKq20bOGOXQ2pzoaFxfhHMFlc4mf/Vez/lltU/1clLn3RdbEQ+q71fdDBbiHpc4nkJBCQofpsgSIGP6FiyGeS5XgJNa0Ik4nYiGb8CB1sx9gccDLi5i/XZ55wrSQNR9kXzaY0PaUHt74=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:AMSPR07MB453;
x-microsoft-antispam-prvs: <AMSPR07MB4535908F9601601257F952AD6140@AMSPR07MB453.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(278428928389397)(192374486261705)(131327999870524)(211171220733660);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046); SRVR:AMSPR07MB453; BCL:0; PCL:0; RULEID:; SRVR:AMSPR07MB453;
x-forefront-prvs: 0037FD6480
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(199003)(189002)(97736004)(3660700001)(54356999)(5001770100001)(2900100001)(450100001)(105586002)(2501003)(2906002)(76576001)(6116002)(586003)(81156014)(68736007)(5002640100001)(107886002)(19625215002)(77096005)(50986999)(8936002)(74316002)(7696003)(106116001)(101416001)(3846002)(230783001)(74482002)(87936001)(229853001)(8676002)(86362001)(106356001)(189998001)(9686002)(102836003)(7846002)(16236675004)(66066001)(122556002)(10400500002)(81166006)(3280700002)(92566002)(7736002)(33656002)(19627405001); DIR:OUT; SFP:1101; SCL:1; SRVR:AMSPR07MB453; H:AMSPR07MB455.eurprd07.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Aug 2016 10:22:45.4481 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 48f9394d-8a14-4d27-82a6-f35f12361205
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AMSPR07MB453
X-MC-Unique: jWKzTpgpP1WpUyIvONQDjA-1
Content-Type: multipart/alternative; boundary="_000_AMSPR07MB4557B288F324D4DAA4E0D4CD6140AMSPR07MB455eurprd_"
Resent-From: alias-bounces@ietf.org
Resent-To: dean.cheng@huawei.com, jouni.nospam@gmail.com, mohamed.boucadair@orange.com, ssenthil@cisco.com, stefan.winter@restena.lu, lionel.morand@orange.com, bclaise@cisco.com, joelja@bogus.com, Kathleen.Moriarty.ietf@gmail.com, radext@ietf.org
Resent-Message-Id: <20160817102254.2FCB512D5FF@ietfa.amsl.com>
Resent-Date: Wed, 17 Aug 2016 03:22:54 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/2uVT3NHn1W1Mdd8HGWtmTJJFWbw>
Subject: [radext] OPS-DIR review of draft-ietf-radext-ip-port-radius-ext-11
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2016 10:22:54 -0000
Hi, I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. This draft defines three new RADIUS attributes to be used when communicating with a RADIUS server to facilitate the configuration or reporting of IP and port ranges used with a network appliance, typically a CGN, where there is a need to constrain the ports available per customer where IP address sharing is in use. The three RADIUS attributes are: IP-Port-Limit-Info - defines the maximum number of ports available IP-Port-Range - the specific range of port numbers available IP-Port-Forwarding-Map - to configure port forwarding on a NAT/CGN device I would consider the document to be "Ready with Issues". I have some general comments, followed by some specific comments. Note that while I am familiar with RADIUS (from an eduroam context) the draft is not one I was familiar with or followed prior to this review. Thus these comments may have already been addressed. General comments: There are at least two areas in which this document has "creep". One is that it is providing an alternative method to PCP to define port forwarding mappings on a device. So there is an open question as to whether PCP should be the method of choice for this function, or whether we wish to create a new way to establish such mappings. Secondly, two of the new attributes support inclusion of a new TLV, IP-Port-Local-Id, which allows user/device-specific information to be transmitted via RADIUS, such as MAC address or VLAN ID. While this is intended to allow differentiation of users for accounting/identification r, in doing so it adds an additional potential privacy concern into a new RADIUS attribute, depending on specific use cases of the TLV. This is not discussed in the Security Considerations section, but probably should be. I note the new attributes use a number of IPFIX information elements; has the draft considered its relationship to draft-ietf-behave-ipfix-nat-logging-09, which says the "lack of a consistent way to log the data makes it difficult to write the collector applications that would receive this data and process it to present useful information"? This draft is introducing a new method to log such elements; is this a concern at all? The examples of use cases of the new attributes include both NAT44 devices and CGNs. The document could state more clearly the address sharing scenarios, perhaps with a simplified network element diagram for each example, showing the user/host, CPE/NAT44, and NAT444/CGN? Some additional clarity here would be useful (see also comments below). Also, the term "the user" is used in many places in the document where in practice "the customer's CPE" would be more appropriate. Specific comments: NAT64 is mentioned as a use case at the start, but no example is given later in the document. This might add useful value. In Sections 3.2.6, 3.2.7, 3.2.9 and 3.2.10, the IPFIX information elements in the TLV are 16 bit values, but 32 bits are reserved for the element. Similarly the NatEvent element is 8-bit, but has 32 bits reserved. It would be useful if the document stated why these elements are being padded out to 32 bits. In Section 4.1.1, I don't think NAT64 is specifically designed to multiplex users over a smaller number of shared IPv4 addresses, rather its primary design goal is to facilitate access to legacy IPv4 content from IPv6-only networks. The text should be clarified. Also in 4.1.1, do users really have service agreements that state port limits? If they do, I doubt users are aware of them (or care...), and the issue is beyond the scope of this document. In 4.1.2, I think you mean "block", not "bulk"? And the comment on "randomization" might fit better in the Security Considerations section if you discuss privacy there (which is presumably what you mean?) Also in 4.1.2 you discuss the scenario as if it's CGN, but the flow diagram shows only the NAT44 (presumably in the CPE) and not an ISP CGN. The same happens in 4.1.3; discussion of CGN and NAT44 interchangeably, without the diagram showing there may (presumably) be mappings to establish at both the user's CPE and the ISP's CGN. And in 4.1.4 the example talks of NAT44 for Joe's CPE, but then also about a CGN allocating more ports; is that at the NAT44, or at the CGN? (These specific NAT44/CGN comments are examples of the general comment I made earlier.) In Section 5, I found the format of the table with 0 and 0+ a little unintuitive. -- Tim
- [radext] OPS-DIR review of draft-ietf-radext-ip-p… Tim Chown
- [radext] OPS-DIR review of draft-ietf-radext-ip-p… Tim Chown
- Re: [radext] OPS-DIR review of draft-ietf-radext-… mohamed.boucadair
- Re: [radext] OPS-DIR review of draft-ietf-radext-… mohamed.boucadair