Re: [radext] Benoit Claise's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 03 November 2016 02:59 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7CA112007C; Wed, 2 Nov 2016 19:59:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VX0kW6KleBkF; Wed, 2 Nov 2016 19:59:49 -0700 (PDT)
Received: from mail-ua0-x233.google.com (mail-ua0-x233.google.com [IPv6:2607:f8b0:400c:c08::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BBEA129496; Wed, 2 Nov 2016 19:59:49 -0700 (PDT)
Received: by mail-ua0-x233.google.com with SMTP id 51so28819577uai.1; Wed, 02 Nov 2016 19:59:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2uiefT2WVZYGKV/f9dxQdM26LU9J95AMPNl4gRRcXYM=; b=wqRzn45UY/iHVni1RTbIbeQKP93J2erD2DULdagZZOH2IcxGc/3XS9anoO5pEsHvEt UP4/nG/HYt+OwYvhZA7PEjSNNbsLrIm1lOk1PQbVwxEvBer8/PsH7J8SK8AHUpgh+LTq vrwQu0wkMpbyCxW/eTT8YcrDPte1rep7JzPiiSyTUq9Hru609CfNEC/GUx21gAFpFPQa MQUvz+nWcr7v6hsqlfEXVfpkoyJCdj6fvB6Q3V1dKCQ1hCyRV3KBY6DBn7DeZ5//7XU/ NTqHVNt0aW66GU1swnjBFs9LaXNRHr9ZbzaOpiwB7KMjh1qhInUFCciqWeO/GitkTI9r WeCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2uiefT2WVZYGKV/f9dxQdM26LU9J95AMPNl4gRRcXYM=; b=NCitUcR0oE7MX7g5GPcoGiOcBIDTnHBgjnK0lu8uIzf5/VFDUO8obF6XiQpHkkg9+z fG0k6D7c+j6Jz8X045PwfRHm6ukYw4HZ+fbP1ni/zy/A+D7P31cC/xqbXvOcvpE8XXfC AvAf3jgGtUho4peO1vRO/3Q6lXNM1JQzIJ70K0y2Oh5u19+8U+ZHJrsI91Ir8kWHFjQa 8NTsJwwhd6ibk/3wcU6BZO0If1/c+cjSulRyol8yXMeyfTkz0q2nJArlOLkFR84vrVF6 aFA0edjIS7Rb+ohMohLQjbJxE3pptG7+J6X6clMNyksAD8/mIRx0hT1VEA9verjWC1/N XWrA==
X-Gm-Message-State: ABUngveu/lzOVOZb7AfDg+yHugv9iGmG82yJ9yHm+xYcBiEHYAO55JtIZMTAyhzA+9/nCtKVPXvdnPUQwe0S3g==
X-Received: by 10.176.85.24 with SMTP id t24mr3196288uaa.21.1478141988046; Wed, 02 Nov 2016 19:59:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.82.143 with HTTP; Wed, 2 Nov 2016 19:59:47 -0700 (PDT)
In-Reply-To: <0ac7f8a6-58aa-403a-921a-f4385c95eec5@OPEXCLILM34.corporate.adroot.infra.ftgroup>
References: <147394238317.12106.98287185089633062.idtracker@ietfa.amsl.com> <0ac7f8a6-58aa-403a-921a-f4385c95eec5@OPEXCLILM34.corporate.adroot.infra.ftgroup>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 02 Nov 2016 22:59:47 -0400
Message-ID: <CAHbuEH7wP2tSXKoc7WGiBpP+KxfRX52y1OEvoSX0pS9V3Oc5dQ@mail.gmail.com>
To: "<mohamed.boucadair@orange.com>" <mohamed.boucadair@orange.com>
Content-Type: multipart/alternative; boundary="f403045dd960200b2705405cc005"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/3gmxbm8qGoXQzwzZZ9N5gBA6O5A>
Cc: "draft-ietf-radext-ip-port-radius-ext@ietf.org" <draft-ietf-radext-ip-port-radius-ext@ietf.org>, MORAND Lionel IMT/OLN <lionel.morand@orange.com>, "Tim.Chown@jisc.ac.uk" <Tim.Chown@jisc.ac.uk>, The IESG <iesg@ietf.org>, Benoit Claise <bclaise@cisco.com>, "radext@ietf.org" <radext@ietf.org>, "radext-chairs@ietf.org" <radext-chairs@ietf.org>
Subject: Re: [radext] Benoit Claise's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2016 02:59:53 -0000
Benoit, Can you take a look at the response below to see if you agree your discuss and comments have been addressed? Thank you, Kathleen On Wed, Oct 5, 2016 at 2:15 AM, <mohamed.boucadair@orange.com> wrote: > Hi Benoit, > > Please see inline how the updated version takes into account your review. > > Cheers, > Med > > > -----Message d'origine----- > > De : Benoit Claise [mailto:bclaise@cisco.com] > > Envoyé : jeudi 15 septembre 2016 14:26 > > À : The IESG > > Cc : draft-ietf-radext-ip-port-radius-ext@ietf.org; radext@ietf.org; > > radext-chairs@ietf.org; MORAND Lionel IMT/OLN; radext@ietf.org; > > Tim.Chown@jisc.ac.uk > > Objet : Benoit Claise's Discuss on draft-ietf-radext-ip-port-radius-ext- > > 11: (with DISCUSS and COMMENT) > > > > Benoit Claise has entered the following ballot position for > > draft-ietf-radext-ip-port-radius-ext-11: Discuss > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria. > html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-radext-ip-port-radius-ext/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > I'm late for my review here. If some points in my DISCUSS/COMMENT have > > been discussed already let me know. > > > > I'll flag this as a DISCUSS to follow up on the IPFIX issues. > > First of, I applause the attempt to reuse/map/combine data models (IPFIX > > information element and RADIUS attribute). > > > [Med] Thank you. > > > Now, there are a couple of issues. > > The first set of issues has been sent via the IPFIX experts, copied here > > for tracking purposes. > > > > Dear Authors, > > > > The experts for the IPFIX IE registry have returned the following > > review: > > > > In general, the Information Elements in draft-ietf-radext-ip-port- > > radius-ext are so underspecified as to be unimplementable. They > > should > > not be added to the registry in their present form. The authors are > > advised to read RFC 7013, especially Section 4, which provides > > useful > > information on defining Information Elements. Specifically: > > > > The Information Element transportType is underspecified: (a) I > > presume > > this is in reference to sourceTransportPort and > > destinationTransportPort, but the description must say this if it is > > the case; (b) It's not clear at all from the description in what > > context this distinction is useful; (c) What's an ICMP identifier? > > > > In addition, the description of transportType appears to create a > > table which should probably be handled as a subregistry. See See > > RFC7013 section 4.7. for advice on the creation of tables without > > subregistries (in short, "don't".) > > > > [Med] The description of the attribute was updated. Basically: > * Clarify the text > * We don't have any more sub-registries because we are relying on the IANA > Protocol Numbers > > > > The Information Element natTransportLimit has an inappropriate name; > > it does not describe that which it (presumably) is supposed to > > represent (see RFC 7013 section 4.1). In addition, it is > > underspecified. It is impossible to implement from the description. > > [Med] The attribute is renamed to "sourceTransportPortsLimit" + text > updated to clarify the use of the attribute. > > > Is > > the field IPv4 specific, or is IPv6 supported as well? (If not, why > > not?) > > > > [Med] It is valid for both IPv4 and IPv6. The text was updated to clarify > that point. > > > The Information Element localID has an inappropriate name; it is far > > too general (see RFC 7013 section 4.1). It uses an inappropriate > > abstract data type (addresses should never be represented as UTF-8 > > strings in IPFIX, see RFC 7013 section 4.2). It is underspecified as > > well as poorly designed. Without the ability to disambiguate the > > type > > of information in the field, this is not a useful Information > > Element. > > Without a complete enumeration of possible types (n.b. 'etc.' in the > > description), it is not a useful Information Element. Its purpose is > > unclear from its description; further, it appears to violate the > > following guidance in RFC 7013 section 4: "The Information Element > > must be unique within the registry, and its description must > > represent > > a substantially different meaning from that of any existing > > Information Element. An existing Information Element that can be > > reused for a given purpose should be reused." > > > > [Med] We made the following changes: > * We changed the Value field to be still a "string" but per definition of > ietf-draft-radext-datatype and not to propose as a new IPFIX IE. > * We added a new text to clarify the intent of the attribute: > > The primary issue addressed by this TLV is that there are CGN > deployments that do not distinguish internal hosts by their internal > IP address alone, but use further identifiers for unique subscriber > identification. For example, this is the case if a CGN supports > overlapping private or shared IP address spaces (refer to [RFC1918] > and [RFC6598]) for internal hosts of different subscribers. In such > cases, different internal hosts are identified and mapped at the CGN > by their IP address and/or another identifier, for example, the > identifier of a tunnel between the CGN and the subscriber. In these > scenarios (and similar ones), the internal IP address is not > sufficient to demultiplex connections from internal hosts. An > additional identifier needs to be present in the IP-Port-Range > Attribute and IP-Port-Forwarding-Mapping Attribute in order to > uniquely identify an internal host. The IP-Port-Local-Id TLV is used > to carry this identifier. > > > I have some more issues I would like to discuss: > > - section 3.2.5, as an example, contains a list of sourceIPv6Address. In > > IPFIX, we would export those as a list [RFC 6313] > > Does this RADIUS document want to only reuse the semantic of individual > > IPFIX information element? > > And also the semantic of multiple information elements [RFC 6313]? > > [Med] The intent is to reuse the semantic of individual IEs. The rationale > basically was that IPFIX offers a rich IE registry that can be reused in > our context. > > > And also the IPFIX encoding? For example, some IPFIX fields are "right > > justified" (sourceTransportPort), while some others are not (localID) > > The document should be clear. > > [Med] localId is not defined as an IPFIX attribute. > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > - > > > > 1. IP-Port-Limit-Info: This attribute may be carried in RADIUS > > Access-Accept, Access-Request, Accounting-Request or CoA-Request > > packet. The purpose of this attribute is to limit the total > > number of TCP/UDP ports and/or ICMP identifiers allocated to a > > user, associated with one or more IPv4 addresses. > > > > I see "may be carried". Could it be carried in other packets ... was my > > first question. > > It was not clear (until I read the rest of the document) that it's a non > > compulsory attribute only in > > Access-Accept, Access-Request, Accounting-Request or CoA-Request > > packets. > > Proposal: > > 1. IP-Port-Limit-Info: The purpose of this attribute is to limit the > > total > > number of TCP/UDP ports and/or ICMP identifiers allocated to a > > user, associated with one or more IPv4 addresses. This attribute > > is > > carried in RADIUS Access-Accept, Access-Request, > > Accounting-Request or > > CoA-Request packets. > > [Med] The initial wording is correct. It is aligned with the text in > Section 3.1.1. > > > > > Same remark for the other two points below. > > > > 2. IP-Port-Range: This attribute may be carried in RADIUS > > Accounting-Request packet. The purpose of this attribute is to > > report by an address sharing device (e.g., a CGN) to the RADIUS > > server the range of TCP/UDP ports and/or ICMP identifiers that > > have been allocated or deallocated associated with a given IPv4 > > address for a user. > > > > 3. IP-Port-Forwarding-Map: This attribute may be carried in RADIUS > > Access-Accept, Access-Request, Accounting-Request or CoA-Request > > packet. The purpose of this attribute is to specify how an IPv4 > > address and a TCP/ UDP port (or an ICMP identifier) is mapped to > > another IPv4 address and a TCP/UDP port (or an ICMP identifier). > > > > - > > > > 1. IP-Port-Limit-Info: This attribute may be carried in RADIUS > > Access-Accept, Access-Request, Accounting-Request or CoA-Request > > packet. The purpose of this attribute is to limit the total > > number of TCP/UDP ports and/or ICMP identifiers allocated to a > > user, associated with one or more IPv4 addresses. > > > > > > Only for TCP/UDP? I believe Mirja had the same question. > > [Med] We updated the text so that any transport protocol can be used. The > new text says the following: > > The format of IP-Port-Type TLV is shown in Figure 4. This attribute > carries the IP transport protocol number defined by IANA (refer to > [ProtocolNumbers]) > > > > > - Section 2. Terminology. > > Typically, you want to have that note at the beginning: > > > > Note that the definitions of "internal IP address", "internal port", > > "internal realm", "external IP address", "external port", "external > > realm", and "mapping" are the same as defined in Port Control > > Protocol (PCP) [RFC6887], and the Common Requirements for Carrier- > > Grade NATs (CGNs) [RFC6888]. > > > > If I know of RFC6887 and RFC6888, I don't read the definitions. > > [Med] OK. > > > > > - Section 3.1.3 > > > > This attribute is of type "TLV" as defined in the RADIUS Protocol > > Extensions [RFC6929]. It contains the following sub-attributes: > > > > ... > > > > o either an IP-Port-Int-IPv4-Addr TLV (see Section 3.2.4) or an IP- > > Port-Local-Id TLV (see Section 3.2.11), > > > > o either an IP-Port-Int-IPv6-Addr TLV (see Section 3.2.5) or an IP- > > Port-Local-Id TLV (see Section 3.2.11), > > > > Depending on the IP-Port-Type value, it's one of the two above, not > > both. > > [Med] Fair. Changed to: > > o If the internal realm is with IPv4 address family, the IP-Port- > Forwarding-Map Attribute MUST contain the IP-Port-Int-IPv4-Addr > TLV (see Section 3.2.4); if the internal realm is with IPv6 > address family, the IP-Port-Forwarding-Map Attribute MUST contain > the IP-Port-Int-IPv6-Addr TLV (see Section 3.2.5). > > > > > - I believe the RFC 2119 keywords usage is sometimes weak (generic > > comment for the entire document) > > Example1: section 3.1.3 > > > > The attribute contains a 2-byte IP internal port number that is > > associated with an internal IPv4 or IPv6 address, or a locally > > significant identifier at the customer site, and a 2-byte IP external > > port number that is associated with an external IPv4 address. The > > internal IPv4 or IPv6 address, or the local identifier must be > > included; the external IPv4 address may also be included. > > > > Not RFC 2119 keywords. Shoud they be MUST and MAY? > > [Med] Fixed. The NEW text is provided below: > > NEW: > > The attribute contains a 2-byte IP internal port number and a 2-byte > IP external port number. The internal port number is associated with > an internal IPv4 or IPv6 address that MUST always be included. The > external port number is associated with a specific external IPv4 > address if included, but otherwise with all external IPv4 addresses > for the end user. > > > And the next paragraph contains RFC 2119 keywords. > > > > The IP-Port-Forwarding-Map Attribute MAY appear in an Access-Accept > > packet. It MAY also appear in an Access-Request packet to indicate a > > preferred port mapping by the device co-located with NAS. However > > the server is not required to honor such a preference. > > > > Example2: > > > > IP-Port-Ext-IPv4-Addr TLV MAY be included in the following > > Attributes: > > > > o IP-Port-Limit-Info Attribute, identified as 241.TBD1.3 (see > > Section 3.1.1). > > > > o IP-Port-Range Attribute, identified as 241.TBD2.3 (see > > Section 3.1.2). > > > > o IP-Port-Forwarding-Mapping Attribute, identified as 241.TBD3.3 > > (see Section 3.1.3). > > > > Don't you need the RFC2119 keyword in the reverse situation, in section > > 3.1.1 (IP-Port-Limit-Info Attribute)? > > OLD: > > o an optional IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3). > > > > NEW: > > o The IP-Port-Limit-Info Attribute MAY contain the > > IP-Port-Ext-IPv4-Addr (see Section 3.2.3). > > [Med] Fixed. > > > > > This logic would not only be clearer, but would also avoid > > inconsistencies. > > See section 3.1.3 > > OLD: > > > > It contains the following sub-attributes: > > ... > > o an IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3). > > > > > > NEW: > > > > It contains the following sub-attributes: > > > > ... > > o an optional IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3). > > > > Example 3: > > > > natEvent > > > > Integer. This field contains the data (unsigned8) of natEvent > > (230) defined in IPFIX, right justified, and unused bits must be > > set to zero. It indicates the allocation or deallocation of a > > range of IP ports as follows: > > > > MUST? > > [Med] Yes. Fixed in the new version. > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext > -- Best regards, Kathleen
- [radext] Benoit Claise's Discuss on draft-ietf-ra… Benoit Claise
- Re: [radext] Benoit Claise's Discuss on draft-iet… Dean cheng
- Re: [radext] Benoit Claise's Discuss on draft-iet… Kathleen Moriarty
- Re: [radext] Benoit Claise's Discuss on draft-iet… Dean cheng
- Re: [radext] Benoit Claise's Discuss on draft-iet… mohamed.boucadair
- Re: [radext] Benoit Claise's Discuss on draft-iet… Kathleen Moriarty