Re: [radext] A proposal to allow more than 256 packets on any connection
Bernard Aboba <bernard.aboba@gmail.com> Mon, 24 April 2017 21:20 UTC
Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E921131943 for <radext@ietfa.amsl.com>; Mon, 24 Apr 2017 14:20:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lPab3blTBb0C for <radext@ietfa.amsl.com>; Mon, 24 Apr 2017 14:20:45 -0700 (PDT)
Received: from mail-vk0-x22e.google.com (mail-vk0-x22e.google.com [IPv6:2607:f8b0:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 406941294A6 for <radext@ietf.org>; Mon, 24 Apr 2017 14:20:45 -0700 (PDT)
Received: by mail-vk0-x22e.google.com with SMTP id q78so45621958vke.3 for <radext@ietf.org>; Mon, 24 Apr 2017 14:20:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ugd0xV3NY75Dk9JBwWtDhbwiN/a21b7vbkC1a91unoQ=; b=C/xgz+njurMqW8hoXfNksjMM11LVh1i7sjCKFe54Hxoc9zIYGQQ2s8U6ghQ7E7sioY 9hyccLGHYuUJzMw8xQwezrq4lC6JHKY2mRQGIaLaBQW5H4wFLMJD2aFDO85GosLnTzTh +VgL2EQoDApI3fio/OlTNNN3Xl5uU/VZWlTZWqxrImsTIWVXVtP3at37VgYZPuI5DfGa 1jzc8JLqvPP8z74WOf9e44qkr9aL1muToype0KSmsIGchjI7cRubaX4JylKS7RUZXwx4 r0U8WH+2boIRBhm6nBR3QlOgkx2DAa30fPZw5x9+bstAEilkuTrkqqBSPTRhjWFbaM5v iMCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ugd0xV3NY75Dk9JBwWtDhbwiN/a21b7vbkC1a91unoQ=; b=kMIdZ0/SaC+5ZsNs3qG/QhG3DILGwy/agOQo0yR0ArYgHCgCIBOYE7kOBbqSgzJBP9 FjZaP4W4LAb9Uj2AxHBNVFpi+SNztZSTO8LL63k+ZcziYE6vQL1n7nvmbzzfBs4h5Mqe VtoZ4FeljZwX1sVAxb++Nx4fn9/nEf7IJ/ZxD6U4kaOAz2g27wcoRjeSr4io+V/QWNHQ C8He++nKzoQdFJZ38N1k3FuqGSgoMkfVgxSisSk/YuntePEDpxsgIrslx9bw8KEREsT/ Az7agw9ttXf4LVuPGKclBMlaDEBwjlt8XIE3wZW4gCR+2SBy0NqlHJPxclvDYiDXYKA5 utFg==
X-Gm-Message-State: AN3rC/6T91SP5Zdrq9/9B7EkvfgUj5Gc3f11wR0csvUH9OpEtX5n4fez 4VOpdTAzDR4194cvZY8IDDt2XbHuEtKfftk=
X-Received: by 10.31.191.9 with SMTP id p9mr3074773vkf.50.1493068844172; Mon, 24 Apr 2017 14:20:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.23.100 with HTTP; Mon, 24 Apr 2017 14:20:23 -0700 (PDT)
In-Reply-To: <1AB9F08E-0739-4BE3-9827-3EA830DC113B@freeradius.org>
References: <149306333665.25840.6313986250597447759.idtracker@ietfa.amsl.com> <1AB9F08E-0739-4BE3-9827-3EA830DC113B@freeradius.org>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Mon, 24 Apr 2017 14:20:23 -0700
Message-ID: <CAOW+2ds=FjVxfmexhYrNMGV0-O+nYohSN=ou-O4upsoA90g0og@mail.gmail.com>
To: Alan DeKok <aland@freeradius.org>
Cc: radext@ietf.org
Content-Type: multipart/alternative; boundary="001a114db700150bf0054df02eaf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/3gXOHoF_1_fjS8YPiOHk9_XJkdY>
Subject: Re: [radext] A proposal to allow more than 256 packets on any connection
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Apr 2017 21:20:47 -0000
Alan said: "Note that I'm *not* proposing a change to the Id field, or to much else in the protocol." [BA] +1 to that. RADIUS is 25+ years old, and given the pace of change on the Internet, one can make a case that protocol age is somewhat akin to "dog years". That would make RADIUS 175 years old! Changing the Id field in RADIUS is somewhat akin to attempting a heart transplant on a 175 year-old. While some doctor might try this (more as a "cash-ectomy" than a legitimate procedure), let's not pretend that it is in the best interest of the patient. Carry on! On Mon, Apr 24, 2017 at 1:00 PM, Alan DeKok <aland@freeradius.org> wrote: > I've written a draft to allow more than 256 packets on any connection. > Note that I'm *not* proposing a change to the Id field, or to much else in > the protocol. > > The document is a first draft, and doesn't cover some of the protocol > details. But the concept is very simple: > > a) use Status-Server to negotiate the new functionality (see below for > details) > > b) allow clients to use Request Authenticator as a unique key for packets, > in addition to src/dst ip/port, Code, and Id > > i) For Access-Request packets, Request Authenticator is a bunch of > random numbers, which is fine. > > ii) for other packet types Request Authenticator is the signature of the > packet contents and the secret. So if the contents are the same, the > Request Authenticator is the same. If the contents are different, it's > different. > > c) have the server send a new attribute: Original-Request-Authenticator in > response packets. This allows clients to correlate responses with > requests, using the key mentioned in (b), above. > > For negotiation, a client sends Status-Server containing > Original-Request-Authenticator of all zeroes. If the server has the > functionality, it sends a response containing > Original-Request-Authenticator with value copied from the original Request > Authenticator. > > All other packet signing / Id management stays the same. > > I think this is the minimal possible change to RADIUS which solves the > underlying problem. As such, I hope it's also the least contentious. > > To do for the spec: > > - more text on how Original-Request-Authenticator works in response packets > > - more text on why this works for all packet types > > - make the text less hacky (it was written in less than a day, after the > concept was worked out) > > - get WG review (I don't think we can achieve consensus quickly on this) > > Alan DeKok. > > > Begin forwarded message: > > > > From: internet-drafts@ietf.org > > Subject: New Version Notification for draft-dekok-radext-request- > authenticator-00.txt > > Date: April 24, 2017 at 3:48:56 PM EDT > > To: "Alan DeKok" <aland@freeradius.org> > > > > > > A new version of I-D, draft-dekok-radext-request-authenticator-00.txt > > has been successfully submitted by Alan DeKok and posted to the > > IETF repository. > > > > Name: draft-dekok-radext-request-authenticator > > Revision: 00 > > Title: Correlating requests and replies in the Remote > Authentication Dial In User Service (RADIUS) Protocol via the Request > Authenticator. > > Document date: 2017-04-24 > > Group: Individual Submission > > Pages: 14 > > URL: https://www.ietf.org/internet-drafts/draft-dekok-radext- > request-authenticator-00.txt > > Status: https://datatracker.ietf.org/doc/draft-dekok-radext- > request-authenticator/ > > Htmlized: https://tools.ietf.org/html/draft-dekok-radext-request- > authenticator-00 > > Htmlized: https://datatracker.ietf.org/ > doc/html/draft-dekok-radext-request-authenticator-00 > > > > > > Abstract: > > RADIUS contains a one-octet Identifier field which is used to > > correlate requests and replies. This field limits the number of > > outstanding requests to 256. Experience shows that this limitation > > is problematic for high load systems. This document proposes to use > > the Request Authenticator field as an additional unique identifier. > > The replies can then be correlated to requests by copying the Request > > Authenticator from the request to a new attribute in the response, > > called the Original-Request-Authenticator. > > > > > > > > > > Please note that it may take a couple of minutes from the time of > submission > > until the htmlized version and diff are available at tools.ietf.org. > > > > The IETF Secretariat > > > > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext > >
- [radext] A proposal to allow more than 256 packet… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Ignacio Goyret
- Re: [radext] A proposal to allow more than 256 pa… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Bernard Aboba
- Re: [radext] A proposal to allow more than 256 pa… Ignacio Goyret
- Re: [radext] A proposal to allow more than 256 pa… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Peter Deacon
- Re: [radext] A proposal to allow more than 256 pa… Ignacio Goyret
- Re: [radext] A proposal to allow more than 256 pa… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Ignacio Goyret
- Re: [radext] A proposal to allow more than 256 pa… Enke Chen