IETF Logo Mail Archive

Re: [radext] Extended IDs

Astrid Smith <AE.Smith@f5.com> Fri, 01 December 2017 21:52 UTC

Return-Path: <prvs=501a3f60c=AE.Smith@f5.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F18B1270A3 for <radext@ietfa.amsl.com>; Fri, 1 Dec 2017 13:52:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=f5.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jWPKibOC4SGQ for <radext@ietfa.amsl.com>; Fri, 1 Dec 2017 13:52:28 -0800 (PST)
Received: from mail15.f5.com (mail15.f5.com [104.219.107.14]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4656127419 for <radext@ietf.org>; Fri, 1 Dec 2017 13:52:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=f5.com; i=@f5.com; q=dns/txt; s=f5; t=1512165148; x=1543701148; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=VXR8siHYQ9UpbgAs0ZiEed4S8RO8gZxbfm8sbiLNfyY=; b=lQ06q0jYghgfoB0loDwOExaqRAK72jN7yHsU8RMcohgaHWxZTFQ5YbfX frAr53OPCeZljb/D/WJjc82cwXh4TfwxdNIgGy6gtm9xNhAQRgbCOz+8u VjOCoa/QFkLNc/vEgbxy6YIgeyTpIgJjtz0T7PT7Vc/CYhxPiKFcDCmTc a5L7ZsH90rou2rlnJWTaDEQJkeMBGN7pHF25lvJ/KampcU30drajzIQVQ DS7ZnNpZhzkFkONh5AVaqZ12pPXDT+DGRokee+RJXhQdvjdvyph+LPI9N sGWcQ2aatNIkoUOMAKuh0lX8CvXeQgluNsaYlEs/W+SdvOllCs1M97jsY A==;
X-IronPort-AV: E=McAfee;i="5900,7806,8732"; a="28621939"
X-IronPort-AV: E=Sophos;i="5.45,347,1508828400"; d="scan'208";a="28621939"
X-Amp-Result: UNKNOWN
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: False
Received: from seadev21.olympus.f5net.com ([192.168.180.71]) by mail.f5net.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 01 Dec 2017 13:52:27 -0800
Received: from seadev21.olympus.f5net.com (localhost [127.0.0.1]) by seadev21.olympus.f5net.com (8.14.4/8.14.4) with ESMTP id vASKIs7B029114; Tue, 28 Nov 2017 12:18:54 -0800
Received: (from aesmith@localhost) by seadev21.olympus.f5net.com (8.14.4/8.14.4/Submit) id vASKIrJg029106; Tue, 28 Nov 2017 12:18:53 -0800
X-Authentication-Warning: seadev21.olympus.f5net.com: aesmith set sender to AE.Smith@f5.com using -f
Date: Tue, 28 Nov 2017 12:18:53 -0800
From: Astrid Smith <AE.Smith@f5.com>
To: Stefan Winter <stefan.winter@restena.lu>
Cc: radext@ietf.org
Message-ID: <20171128201853.GD17201@seadev21.f5.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu>
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/4D9QaiHLXUzlwbR8JnbsNAmVpy4>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 21:52:29 -0000

Hello,

I prefer the option laid out in
draft-dekok-radext-request-authenticator-02, due to deficiencies in
the other proposal (draft-chen-radext-identifier-attr-02).

I'm concerned about the extended Code field it defines: How should
implementations treat messages where this Code differs from the Code
in the RADIUS header?  The precedence is poorly defined and liable to
cause issues.

The proposal also requires all proxies to explicitly support (by
parsing and passing through, or by stripping) the Identifier
Attribute; this requires protocol users to upgrade and test all the
software in their RADIUS deployment before any clients may safely
attempt to use the attribute.

It feels half-baked.

The request-authenticator proposal appears safe to deploy without
upgrading the software of any proxies in the network.  As a maintainer
of a RADIUS proxy I prefer this, and I suspect my customers would
agree :)

-- 
astrid smith     -------------------
--<[ c y b e r  |  s o f t w a r e  |  e n g i n e e r ]>--
    ------------                     ------------------



On Tue, Nov 28, 2017 at 02:54:32PM +0100, Stefan Winter wrote:
> Hello,
> 
> > thanks all for raising the awareness of these two drafts.
> >
> >
> > I think it would be good if all remaining readers of this list who care
> > enough now take some time to read both drafts and make up their mind on
> > what the preferred approach is.
> >
> >
> > In approx. two weeks' time I will start a call for adoption on both
> > drafts, and hopefully there are enough responses to make the exercise
> > meaningful. If so, the one with more votes wins.
> 
> Now that was a relaxed "two weeks" delay. My apologies, I've been on and
> off work for a while, with substantial backlogs.
> 
> This email starts a two week call for adoption of at most one of the
> following two drafts:
> 
> * draft-chen-radext-identifier-attr-02
> * draft-dekok-radext-request-authenticator-02
> 
> Since the two drafts treat the same topic, at most one can be selected
> to serve as the basis for future work.
> 
> In your reply to this call for adoption, please indicate which of the
> two drafts you think should be adopted. You can of course also indicate
> that none of the two are fit for purpose. The only thing you really
> shouldn't do is to vote for both; that wouldn't help the discussion move on.
> 
> Please reply by 12 dec 2017 2400 UTC.
> 
> Greetings,
> 
> Stefan Winter

v2.23.0 | Report a Bug | By Email