Re: [radext] Client ID exhaustion

Alan DeKok <aland@deployingradius.com> Thu, 27 April 2017 15:10 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <e4c8aee2-c97f-e89e-8b48-6c943651238f@cisco.com>
Date: Thu, 27 Apr 2017 11:09:29 -0400
Cc: radext@ietf.org
Message-Id: <B2D57E9F-C8B7-4E1C-9234-C1B41A08ABA7@deployingradius.com>
References: <f521cd74-028d-33e7-4b94-0a9d65bd7d37@restena.lu> <e4c8aee2-c97f-e89e-8b48-6c943651238f@cisco.com>
To: Enke Chen <enkechen@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/3vuFOhgyTruv6bsKRIEtKtOiH78>
Subject: Re: [radext] Client ID exhaustion

On Apr 26, 2017, at 3:17 PM, Enke Chen <enkechen@cisco.com> wrote:
> 
> The case we have is with the wireless controller that needs to manage
> thousands of APs and tens of thousands of clients. The wireless world
> uses "centralized" management model.  The scaling requirements keep
> increasing every year.

  FYI, I'm aware of multiple vendors with similar use-cases.  The other vendors are using software which will open multiple source ports.

  But... there is a limit.  Depending on the version, a FreeRADIUS proxy will open 32-256 outgoing ports, and then decide that's too many ports.  Fixing that involves code changes and upgrades.

  I've seen multiple situations where a high load RADIUS proxy continually has 32 or more source ports in use.  At that point, you have to ask if it isn't more efficient to just update RADIUS.

  i.e. Asking implementations to open 1-4 source ports is reasonable.  Asking them to implement 2000 source ports for a high load situation is possible, but is less reasonable.

  Alan DeKok.
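As an added illustration of the per-source-port limit discussed above (example code written for this archive page, not code from the thread, from FreeRADIUS, or from any vendor), the model below allocates RADIUS Identifiers per client source port and opens further ports on demand up to a cap. The base port number and the 32-port cap are assumed values chosen to mirror the numbers Alan quotes.

```python
"""Model of RADIUS Identifier exhaustion across multiple client source ports.

RFC 2865 gives each RADIUS packet a one-octet Identifier, so a client can
have at most 256 requests outstanding per (source IP, source port) towards
a server.  A proxy under heavy load works around this by opening more
source ports; max_ports stands in for the 32-256 port limit mentioned in
the thread, and base_port 1814 is an assumed value for this example.
"""
from dataclasses import dataclass, field

ID_SPACE = 256  # size of the one-octet Identifier field


@dataclass
class PortState:
    port: int
    in_flight: set = field(default_factory=set)  # Identifiers awaiting a reply
    next_id: int = 0  # round-robin cursor so a just-released ID is not reused at once


class IdAllocator:
    def __init__(self, base_port=1814, max_ports=32):
        self.base_port = base_port
        self.max_ports = max_ports
        self.ports = []

    def allocate(self):
        """Return (port, identifier) for a new request, or None when exhausted."""
        for st in self.ports:
            if len(st.in_flight) < ID_SPACE:
                return self._take(st)
        if len(self.ports) >= self.max_ports:
            return None  # every open port is full and the port cap is reached
        st = PortState(self.base_port + len(self.ports))
        self.ports.append(st)
        return self._take(st)

    def _take(self, st):
        for _ in range(ID_SPACE):
            ident = st.next_id
            st.next_id = (st.next_id + 1) % ID_SPACE
            if ident not in st.in_flight:
                st.in_flight.add(ident)
                return st.port, ident
        raise RuntimeError("port had no free Identifier despite capacity check")

    def release(self, port, ident):
        """Free an Identifier once the matching reply (or final timeout) arrives."""
        for st in self.ports:
            if st.port == port:
                st.in_flight.discard(ident)
                return
        raise KeyError(port)


def ports_needed(outstanding):
    """Minimum source ports for a given number of simultaneously outstanding requests."""
    return -(-outstanding // ID_SPACE)
```

With max_ports=32 the proxy tops out at 8192 outstanding requests; a workload that needs 2000 ports is the "possible, but less reasonable" case from the message.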