IETF Logo Mail Archive

Re: [radext] Benoit Claise's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 03 November 2016 02:59 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7CA112007C; Wed, 2 Nov 2016 19:59:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VX0kW6KleBkF; Wed, 2 Nov 2016 19:59:49 -0700 (PDT)
Received: from mail-ua0-x233.google.com (mail-ua0-x233.google.com [IPv6:2607:f8b0:400c:c08::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BBEA129496; Wed, 2 Nov 2016 19:59:49 -0700 (PDT)
Received: by mail-ua0-x233.google.com with SMTP id 51so28819577uai.1; Wed, 02 Nov 2016 19:59:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2uiefT2WVZYGKV/f9dxQdM26LU9J95AMPNl4gRRcXYM=; b=wqRzn45UY/iHVni1RTbIbeQKP93J2erD2DULdagZZOH2IcxGc/3XS9anoO5pEsHvEt UP4/nG/HYt+OwYvhZA7PEjSNNbsLrIm1lOk1PQbVwxEvBer8/PsH7J8SK8AHUpgh+LTq vrwQu0wkMpbyCxW/eTT8YcrDPte1rep7JzPiiSyTUq9Hru609CfNEC/GUx21gAFpFPQa MQUvz+nWcr7v6hsqlfEXVfpkoyJCdj6fvB6Q3V1dKCQ1hCyRV3KBY6DBn7DeZ5//7XU/ NTqHVNt0aW66GU1swnjBFs9LaXNRHr9ZbzaOpiwB7KMjh1qhInUFCciqWeO/GitkTI9r WeCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2uiefT2WVZYGKV/f9dxQdM26LU9J95AMPNl4gRRcXYM=; b=NCitUcR0oE7MX7g5GPcoGiOcBIDTnHBgjnK0lu8uIzf5/VFDUO8obF6XiQpHkkg9+z fG0k6D7c+j6Jz8X045PwfRHm6ukYw4HZ+fbP1ni/zy/A+D7P31cC/xqbXvOcvpE8XXfC AvAf3jgGtUho4peO1vRO/3Q6lXNM1JQzIJ70K0y2Oh5u19+8U+ZHJrsI91Ir8kWHFjQa 8NTsJwwhd6ibk/3wcU6BZO0If1/c+cjSulRyol8yXMeyfTkz0q2nJArlOLkFR84vrVF6 aFA0edjIS7Rb+ohMohLQjbJxE3pptG7+J6X6clMNyksAD8/mIRx0hT1VEA9verjWC1/N XWrA==
X-Gm-Message-State: ABUngveu/lzOVOZb7AfDg+yHugv9iGmG82yJ9yHm+xYcBiEHYAO55JtIZMTAyhzA+9/nCtKVPXvdnPUQwe0S3g==
X-Received: by 10.176.85.24 with SMTP id t24mr3196288uaa.21.1478141988046; Wed, 02 Nov 2016 19:59:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.82.143 with HTTP; Wed, 2 Nov 2016 19:59:47 -0700 (PDT)
In-Reply-To: <0ac7f8a6-58aa-403a-921a-f4385c95eec5@OPEXCLILM34.corporate.adroot.infra.ftgroup>
References: <147394238317.12106.98287185089633062.idtracker@ietfa.amsl.com> <0ac7f8a6-58aa-403a-921a-f4385c95eec5@OPEXCLILM34.corporate.adroot.infra.ftgroup>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 02 Nov 2016 22:59:47 -0400
Message-ID: <CAHbuEH7wP2tSXKoc7WGiBpP+KxfRX52y1OEvoSX0pS9V3Oc5dQ@mail.gmail.com>
To: "<mohamed.boucadair@orange.com>" <mohamed.boucadair@orange.com>
Content-Type: multipart/alternative; boundary="f403045dd960200b2705405cc005"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/3gmxbm8qGoXQzwzZZ9N5gBA6O5A>
Cc: "draft-ietf-radext-ip-port-radius-ext@ietf.org" <draft-ietf-radext-ip-port-radius-ext@ietf.org>, MORAND Lionel IMT/OLN <lionel.morand@orange.com>, "Tim.Chown@jisc.ac.uk" <Tim.Chown@jisc.ac.uk>, The IESG <iesg@ietf.org>, Benoit Claise <bclaise@cisco.com>, "radext@ietf.org" <radext@ietf.org>, "radext-chairs@ietf.org" <radext-chairs@ietf.org>
Subject: Re: [radext] Benoit Claise's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2016 02:59:53 -0000

Benoit,

Can you take a look at the response below to see if you agree your discuss
and comments have been addressed?

Thank you,
Kathleen

On Wed, Oct 5, 2016 at 2:15 AM, <mohamed.boucadair@orange.com> wrote:

> Hi Benoit,
>
> Please see inline how the updated version takes into account your review.
>
> Cheers,
> Med
>
> > -----Message d'origine-----
> > De : Benoit Claise [mailto:bclaise@cisco.com]
> > Envoyé : jeudi 15 septembre 2016 14:26
> > À : The IESG
> > Cc : draft-ietf-radext-ip-port-radius-ext@ietf.org; radext@ietf.org;
> > radext-chairs@ietf.org; MORAND Lionel IMT/OLN; radext@ietf.org;
> > Tim.Chown@jisc.ac.uk
> > Objet : Benoit Claise's Discuss on draft-ietf-radext-ip-port-radius-ext-
> > 11: (with DISCUSS and COMMENT)
> >
> > Benoit Claise has entered the following ballot position for
> > draft-ietf-radext-ip-port-radius-ext-11: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.
> html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-radext-ip-port-radius-ext/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > I'm late for my review here. If some points in my DISCUSS/COMMENT have
> > been discussed already let me know.
> >
> > I'll flag this as a DISCUSS to follow up on the IPFIX issues.
> > First of, I applause the attempt to reuse/map/combine data models (IPFIX
> > information element and RADIUS attribute).
> >
> [Med] Thank you.
>
> > Now, there are a couple of issues.
> > The first set of issues has been sent via the IPFIX experts, copied here
> > for tracking purposes.
> >
> >     Dear Authors,
> >
> >     The experts for the IPFIX IE registry have returned the following
> >     review:
> >
> >     In general, the Information Elements in draft-ietf-radext-ip-port-
> >     radius-ext are so underspecified as to be unimplementable. They
> > should
> >     not be added to the registry in their present form. The authors are
> >     advised to read RFC 7013, especially Section 4, which provides
> > useful
> >     information on defining Information Elements. Specifically:
> >
> >     The Information Element transportType is underspecified: (a) I
> > presume
> >     this is in reference to sourceTransportPort and
> >     destinationTransportPort, but the description must say this if it is
> >     the case; (b) It's not clear at all from the description in what
> >     context this distinction is useful; (c) What's an ICMP identifier?
> >
> >     In addition, the description of transportType appears to create a
> >     table which should probably be handled as a subregistry. See See
> >     RFC7013 section 4.7. for advice on the creation of tables without
> >     subregistries (in short, "don't".)
> >
>
> [Med] The description of the attribute was updated. Basically:
> * Clarify the text
> * We don't have any more sub-registries because we are relying on the IANA
> Protocol Numbers
>
>
> >     The Information Element natTransportLimit has an inappropriate name;
> >     it does not describe that which it (presumably) is supposed to
> >     represent (see RFC 7013 section 4.1). In addition, it is
> >     underspecified. It is impossible to implement from the description.
>
> [Med] The attribute is renamed to "sourceTransportPortsLimit" + text
> updated to clarify the use of the attribute.
>
> > Is
> >     the field IPv4 specific, or is IPv6 supported as well? (If not, why
> >     not?)
> >
>
> [Med] It is valid for both IPv4 and IPv6. The text was updated to clarify
> that point.
>
> >     The Information Element localID has an inappropriate name; it is far
> >     too general (see RFC 7013 section 4.1). It uses an inappropriate
> >     abstract data type (addresses should never be represented as UTF-8
> >     strings in IPFIX, see RFC 7013 section 4.2). It is underspecified as
> >     well as poorly designed. Without the ability to disambiguate the
> > type
> >     of information in the field, this is not a useful Information
> > Element.
> >     Without a complete enumeration of possible types (n.b. 'etc.' in the
> >     description), it is not a useful Information Element. Its purpose is
> >     unclear from its description; further, it appears to violate the
> >     following guidance in RFC 7013 section 4: "The Information Element
> >     must be unique within the registry, and its description must
> > represent
> >     a substantially different meaning from that of any existing
> >     Information Element. An existing Information Element that can be
> >     reused for a given purpose should be reused."
> >
>
> [Med] We made the following changes:
> * We changed the Value field to be still a "string" but per definition of
> ietf-draft-radext-datatype and not to propose as a new IPFIX IE.
> * We added a new text to clarify the intent of the attribute:
>
>    The primary issue addressed by this TLV is that there are CGN
>    deployments that do not distinguish internal hosts by their internal
>    IP address alone, but use further identifiers for unique subscriber
>    identification.  For example, this is the case if a CGN supports
>    overlapping private or shared IP address spaces (refer to [RFC1918]
>    and [RFC6598]) for internal hosts of different subscribers.  In such
>    cases, different internal hosts are identified and mapped at the CGN
>    by their IP address and/or another identifier, for example, the
>    identifier of a tunnel between the CGN and the subscriber.  In these
>    scenarios (and similar ones), the internal IP address is not
>    sufficient to demultiplex connections from internal hosts.  An
>    additional identifier needs to be present in the IP-Port-Range
>    Attribute and IP-Port-Forwarding-Mapping Attribute in order to
>    uniquely identify an internal host.  The IP-Port-Local-Id TLV is used
>    to carry this identifier.
>
> > I have some more issues I would like to discuss:
> > - section 3.2.5, as an example, contains a list of sourceIPv6Address. In
> > IPFIX, we would export those as a list [RFC 6313]
> > Does this RADIUS document want to only reuse the semantic of individual
> > IPFIX information element?
> > And also the semantic of multiple information elements [RFC 6313]?
>
> [Med] The intent is to reuse the semantic of individual IEs. The rationale
> basically was that IPFIX offers a rich IE registry that can be reused in
> our context.
>
> > And also the IPFIX encoding? For example, some IPFIX fields are "right
> > justified" (sourceTransportPort), while some others are not (localID)
> > The document should be clear.
>
> [Med] localId is not defined as an IPFIX attribute.
>
> >
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > -
> >
> >    1.  IP-Port-Limit-Info: This attribute may be carried in RADIUS
> >        Access-Accept, Access-Request, Accounting-Request or CoA-Request
> >        packet.  The purpose of this attribute is to limit the total
> >        number of TCP/UDP ports and/or ICMP identifiers allocated to a
> >        user, associated with one or more IPv4 addresses.
> >
> > I see "may be carried". Could it be carried in other packets ... was my
> > first question.
> > It was not clear (until I read the rest of the document) that it's a non
> > compulsory attribute only in
> > Access-Accept, Access-Request, Accounting-Request or CoA-Request
> > packets.
> > Proposal:
> >    1.  IP-Port-Limit-Info: The purpose of this attribute is to limit the
> > total
> >        number of TCP/UDP ports and/or ICMP identifiers allocated to a
> >        user, associated with one or more IPv4 addresses. This attribute
> > is
> >        carried in RADIUS Access-Accept, Access-Request,
> > Accounting-Request or
> >        CoA-Request packets.
>
> [Med] The initial wording is correct. It is aligned with the text in
> Section 3.1.1.
>
> >
> > Same remark for the other two points below.
> >
> >  2.  IP-Port-Range: This attribute may be carried in RADIUS
> >        Accounting-Request packet.  The purpose of this attribute is to
> >        report by an address sharing device (e.g., a CGN) to the RADIUS
> >        server the range of TCP/UDP ports and/or ICMP identifiers that
> >        have been allocated or deallocated associated with a given IPv4
> >        address for a user.
> >
> >    3.  IP-Port-Forwarding-Map: This attribute may be carried in RADIUS
> >        Access-Accept, Access-Request, Accounting-Request or CoA-Request
> >        packet.  The purpose of this attribute is to specify how an IPv4
> >        address and a TCP/ UDP port (or an ICMP identifier) is mapped to
> >        another IPv4 address and a TCP/UDP port (or an ICMP identifier).
> >
> > -
> >
> >    1.  IP-Port-Limit-Info: This attribute may be carried in RADIUS
> >        Access-Accept, Access-Request, Accounting-Request or CoA-Request
> >        packet.  The purpose of this attribute is to limit the total
> >        number of TCP/UDP ports and/or ICMP identifiers allocated to a
> >        user, associated with one or more IPv4 addresses.
> >
> >
> > Only for TCP/UDP? I believe Mirja had the same question.
>
> [Med] We updated the text so that any transport protocol can be used. The
> new text says the following:
>
>    The format of IP-Port-Type TLV is shown in Figure 4.  This attribute
>    carries the IP transport protocol number defined by IANA (refer to
>    [ProtocolNumbers])
>
> >
> > - Section 2. Terminology.
> > Typically, you want to have that note at the beginning:
> >
> >    Note that the definitions of "internal IP address", "internal port",
> >    "internal realm", "external IP address", "external port", "external
> >    realm", and "mapping" are the same as defined in Port Control
> >    Protocol (PCP) [RFC6887], and the Common Requirements for Carrier-
> >    Grade NATs (CGNs) [RFC6888].
> >
> > If I know of RFC6887 and RFC6888, I don't read the definitions.
>
> [Med] OK.
>
> >
> > - Section 3.1.3
> >
> >    This attribute is of type "TLV" as defined in the RADIUS Protocol
> >    Extensions [RFC6929].  It contains the following sub-attributes:
> >
> >    ...
> >
> >    o  either an IP-Port-Int-IPv4-Addr TLV (see Section 3.2.4) or an IP-
> >       Port-Local-Id TLV (see Section 3.2.11),
> >
> >    o  either an IP-Port-Int-IPv6-Addr TLV (see Section 3.2.5) or an IP-
> >       Port-Local-Id TLV (see Section 3.2.11),
> >
> > Depending on the IP-Port-Type value, it's one of the two above, not
> > both.
>
> [Med] Fair. Changed to:
>
>    o  If the internal realm is with IPv4 address family, the IP-Port-
>       Forwarding-Map Attribute MUST contain the IP-Port-Int-IPv4-Addr
>       TLV (see Section 3.2.4); if the internal realm is with IPv6
>       address family, the IP-Port-Forwarding-Map Attribute MUST contain
>       the IP-Port-Int-IPv6-Addr TLV (see Section 3.2.5).
>
> >
> > - I believe the RFC 2119 keywords usage is sometimes weak (generic
> > comment for the entire document)
> > Example1: section 3.1.3
> >
> >    The attribute contains a 2-byte IP internal port number that is
> >    associated with an internal IPv4 or IPv6 address, or a locally
> >    significant identifier at the customer site, and a 2-byte IP external
> >    port number that is associated with an external IPv4 address.  The
> >    internal IPv4 or IPv6 address, or the local identifier must be
> >    included; the external IPv4 address may also be included.
> >
> > Not RFC 2119 keywords. Shoud they be MUST and MAY?
>
> [Med] Fixed. The NEW text is provided below:
>
> NEW:
>
>    The attribute contains a 2-byte IP internal port number and a 2-byte
>    IP external port number.  The internal port number is associated with
>    an internal IPv4 or IPv6 address that MUST always be included.  The
>    external port number is associated with a specific external IPv4
>    address if included, but otherwise with all external IPv4 addresses
>    for the end user.
>
> > And the next paragraph contains RFC 2119 keywords.
> >
> >    The IP-Port-Forwarding-Map Attribute MAY appear in an Access-Accept
> >    packet.  It MAY also appear in an Access-Request packet to indicate a
> >    preferred port mapping by the device co-located with NAS.  However
> >    the server is not required to honor such a preference.
> >
> > Example2:
> >
> >    IP-Port-Ext-IPv4-Addr TLV MAY be included in the following
> >    Attributes:
> >
> >    o  IP-Port-Limit-Info Attribute, identified as 241.TBD1.3 (see
> >       Section 3.1.1).
> >
> >    o  IP-Port-Range Attribute, identified as 241.TBD2.3 (see
> >       Section 3.1.2).
> >
> >    o  IP-Port-Forwarding-Mapping Attribute, identified as 241.TBD3.3
> >       (see Section 3.1.3).
> >
> > Don't you need the RFC2119 keyword in the reverse situation, in section
> > 3.1.1 (IP-Port-Limit-Info Attribute)?
> > OLD:
> >    o  an optional IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3).
> >
> > NEW:
> >    o The IP-Port-Limit-Info Attribute MAY contain the
> > IP-Port-Ext-IPv4-Addr (see Section 3.2.3).
>
> [Med] Fixed.
>
> >
> > This logic would not only be clearer, but would also avoid
> > inconsistencies.
> > See section 3.1.3
> > OLD:
> >
> > It contains the following sub-attributes:
> >    ...
> >    o  an IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3).
> >
> >
> > NEW:
> >
> > It contains the following sub-attributes:
> >
> >   ...
> >    o  an optional IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3).
> >
> > Example 3:
> >
> >    natEvent
> >
> >       Integer.  This field contains the data (unsigned8) of natEvent
> >       (230) defined in IPFIX, right justified, and unused bits must be
> >       set to zero.  It indicates the allocation or deallocation of a
> >       range of IP ports as follows:
> >
> > MUST?
>
> [Med] Yes. Fixed in the new version.
>
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email