Re: [radext] Benoit Claise's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)
Dean cheng <dean.cheng@huawei.com> Thu, 22 September 2016 06:22 UTC
Return-Path: <dean.cheng@huawei.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B450812D0EF; Wed, 21 Sep 2016 23:22:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.537
X-Spam-Level:
X-Spam-Status: No, score=-6.537 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bU65ohx1Ak-R; Wed, 21 Sep 2016 23:22:46 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52D4312D0B1; Wed, 21 Sep 2016 23:22:44 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml704-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CRS02088; Thu, 22 Sep 2016 06:22:39 +0000 (GMT)
Received: from SJCEML702-CHM.china.huawei.com (10.218.25.35) by lhreml704-cah.china.huawei.com (10.201.5.130) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 22 Sep 2016 07:22:38 +0100
Received: from SJCEML701-CHM.china.huawei.com ([169.254.3.53]) by SJCEML702-CHM.china.huawei.com ([169.254.4.207]) with mapi id 14.03.0235.001; Wed, 21 Sep 2016 23:22:33 -0700
From: Dean cheng <dean.cheng@huawei.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "radext@ietf.org" <radext@ietf.org>, "radext-chairs@ietf.org" <radext-chairs@ietf.org>
Thread-Topic: [radext] Benoit Claise's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)
Thread-Index: AQHSD0xk4h3y3hpW3UmXsV7mzWiK2qCAkf3wgARPBgCAADHmcA==
Date: Thu, 22 Sep 2016 06:22:30 +0000
Message-ID: <DC7880973D477648AC15A3BA66253F686E95F039@SJCEML701-CHM.china.huawei.com>
References: <147394238317.12106.98287185089633062.idtracker@ietfa.amsl.com> <DC7880973D477648AC15A3BA66253F686E95DB56@SJCEML701-CHM.china.huawei.com> <CAHbuEH7oCNGq1sCeuvcDrUcneMFVWP9jGB=8S_1=Tugg_sUYxg@mail.gmail.com>
In-Reply-To: <CAHbuEH7oCNGq1sCeuvcDrUcneMFVWP9jGB=8S_1=Tugg_sUYxg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.212.246.244]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020204.57E378B2.008E, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.3.53, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: e0db5ba1771b8965b0f2afe6038c8b8c
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/4wmPt9YUcvrRdun8SYIlPamkKk8>
Cc: Benoit Claise <bclaise@cisco.com>, "Tim.Chown@jisc.ac.uk" <Tim.Chown@jisc.ac.uk>, "draft-ietf-radext-ip-port-radius-ext@ietf.org" <draft-ietf-radext-ip-port-radius-ext@ietf.org>, The IESG <iesg@ietf.org>, "lionel.morand@orange.com" <lionel.morand@orange.com>
Subject: Re: [radext] Benoit Claise's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Sep 2016 06:22:50 -0000
Hi Kathleen, Yes we authors are in the process to update the draft based on the comments. Personally I think it is better to wait for the new revision for the final review and discussion. Regards Dean > -----Original Message----- > From: radext [mailto:radext-bounces@ietf.org] On Behalf Of Kathleen > Moriarty > Sent: Wednesday, September 21, 2016 1:17 PM > To: Dean cheng; radext@ietf.org; radext-chairs@ietf.org > Cc: Benoit Claise; Tim.Chown@jisc.ac.uk; lionel.morand@orange.com; The > IESG; draft-ietf-radext-ip-port-radius-ext@ietf.org > Subject: Re: [radext] Benoit Claise's Discuss on draft-ietf-radext-ip- > port-radius-ext-11: (with DISCUSS and COMMENT) > > Hello, > > Since I haven't seen much movement on this draft and the comment below > indicates there will be another pass at this draft by the WG, is it > safe to pull this off of the next telechat and wait for the WG? If > another WGLC is needed to address the expert review, I think that is > the right course of action. If not and comments and discusses will be > addressed by this Friday, please let me know. > > Thank you, > Kathleen > > > > On Mon, Sep 19, 2016 at 6:11 AM, Dean cheng <dean.cheng@huawei.com> > wrote: > > Hi Benoit, > > > > > > > > Many thanks for your comments. We'll incorporate > > > > your proposals and fixes for other comments we > > > > have received together into a new revision of > > > > this draft at a later time when this round of > > > > discussion concludes. We'll need some time > > > > requiring consensus among authors but also the WG. > > > > > > > > Please see below as well. > > > > > > > > Regards > > > > Dean > > > > > > > >> -----Original Message----- > > > >> From: radext [mailto:radext-bounces@ietf.org] On Behalf Of Benoit > > > >> Claise > > > >> Sent: Thursday, September 15, 2016 5:26 AM > > > >> To: The IESG > > > >> Cc: Tim.Chown@jisc.ac.uk; > >> draft-ietf-radext-ip-port-radius-ext@ietf.org; > > > >> lionel.morand@orange.com; radext-chairs@ietf.org; radext@ietf.org > > > >> Subject: [radext] Benoit Claise's Discuss on > >> draft-ietf-radext-ip-port- > > > >> radius-ext-11: (with DISCUSS and COMMENT) > > > >> > > > >> Benoit Claise has entered the following ballot position for > > > >> draft-ietf-radext-ip-port-radius-ext-11: Discuss > > > >> > > > >> When responding, please keep the subject line intact and reply to > all > > > >> email addresses included in the To and CC lines. (Feel free to cut > >> this > > > >> introductory paragraph, however.) > > > >> > > > >> > > > >> Please refer to https://www.ietf.org/iesg/statement/discuss- > > > >> criteria.html > > > >> for more information about IESG DISCUSS and COMMENT positions. > > > >> > > > >> > > > >> The document, along with other ballot positions, can be found here: > > > >> https://datatracker.ietf.org/doc/draft-ietf-radext-ip-port-radius- > ext > >> / > > > >> > > > >> > > > >> > > > >> -------------------------------------------------------------------- > - > >> - > > > >> DISCUSS: > > > >> -------------------------------------------------------------------- > - > >> - > > > >> > > > >> I'm late for my review here. If some points in my DISCUSS/COMMENT > >> have > > > >> been discussed already let me know. > > > >> > > > >> I'll flag this as a DISCUSS to follow up on the IPFIX issues. > > > >> First of, I applause the attempt to reuse/map/combine data models > > > >> (IPFIX information element and RADIUS attribute). > > > >> > > > >> Now, there are a couple of issues. > > > >> The first set of issues has been sent via the IPFIX experts, copied > > > >> here for tracking purposes. > > > >> > > > >> Dear Authors, > > > >> > > > >> The experts for the IPFIX IE registry have returned the > following > > > >> review: > > > >> > > > >> In general, the Information Elements in > >> draft-ietf-radext-ip-port- > > > >> radius-ext are so underspecified as to be unimplementable. They > > > >> should > > > >> not be added to the registry in their present form. The authors > >> are > > > >> advised to read RFC 7013, especially Section 4, which provides > > > >> useful > > > >> information on defining Information Elements. Specifically: > > > >> > > > >> The Information Element transportType is underspecified: (a) I > > > >> presume > > > >> this is in reference to sourceTransportPort and > > > >> destinationTransportPort, but the description must say this if > it > > > >> is > > > >> the case; (b) It's not clear at all from the description in what > > > >> context this distinction is useful; (c) What's an ICMP > identifier? > > > >> > > > >> In addition, the description of transportType appears to create > a > > > >> table which should probably be handled as a subregistry. See See > > > >> RFC7013 section 4.7. for advice on the creation of tables > without > > > >> subregistries (in short, "don't".) > > > >> > > > >> The Information Element natTransportLimit has an inappropriate > >> name; > > > >> it does not describe that which it (presumably) is supposed to > > > >> represent (see RFC 7013 section 4.1). In addition, it is > > > >> underspecified. It is impossible to implement from the > description. > > > >> Is > > > >> the field IPv4 specific, or is IPv6 supported as well? (If not, > >> why > > > >> not?) > > > >> > > > >> The Information Element localID has an inappropriate name; it is > > > >> far > > > >> too general (see RFC 7013 section 4.1). It uses an inappropriate > > > >> abstract data type (addresses should never be represented as > >> UTF-8 > > > >> strings in IPFIX, see RFC 7013 section 4.2). It is > underspecified > > > >> as > > > >> well as poorly designed. Without the ability to disambiguate the > > > >> type > > > >> of information in the field, this is not a useful Information > > > >> Element. > > > >> Without a complete enumeration of possible types (n.b. 'etc.' in > > > >> the > > > >> description), it is not a useful Information Element. Its > purpose > > > >> is > > > >> unclear from its description; further, it appears to violate the > > > >> following guidance in RFC 7013 section 4: "The Information > >> Element > > > >> must be unique within the registry, and its description must > > > >> represent > > > >> a substantially different meaning from that of any existing > > > >> Information Element. An existing Information Element that can be > > > >> reused for a given purpose should be reused." > > > > > > > > In my email on 9/11, we're planning to replace "transportType" > > > > (as a proposed new IE) by just a port type and make IP-Port-Type > > > > TLV optional. Also, we're planning to remove IP-Port-Local-Id TLV > > > > so that "localID" (as a proposed new IE) will not be needed. > > > > > > > > For the remaining proposed IE, i.e., "natTransportLimit", we'll > > > > change the name to "transportLimit" (or something similar) so that > > > > this IE can be used for other scenario in addition to > > > > NAT case, but also in both IPv4 and IPv6 networking. Text > > > > will be added for the explanation. > > > > > > > >> > > > >> I have some more issues I would like to discuss: > > > >> - section 3.2.5, as an example, contains a list of sourceIPv6Address. > > > >> In IPFIX, we would export those as a list [RFC 6313] Does this > RADIUS > > > >> document want to only reuse the semantic of individual IPFIX > > > >> information element? > > > >> And also the semantic of multiple information elements [RFC 6313]? > > > >> And also the IPFIX encoding? For example, some IPFIX fields are > >> "right > > > >> justified" (sourceTransportPort), while some others are not (localID) > > > >> The document should be clear. > > > >> > > > > In Section 3.2.5, the IP-Port-Int-IPv6-Addr TLV contains > > > > a single sourceIPv6Address (not a list), and we intend to > > > > reuse the semantics of the original IPFIX definition. This > > > > is true also for IP-Port-Int-IPv4-Addr TLV defined in > > > > Section 3.2.4, where sourceIPv4Address is also an IPFIX IE. > > > > > > > >> > > > >> -------------------------------------------------------------------- > - > >> - > > > >> COMMENT: > > > >> -------------------------------------------------------------------- > - > >> - > > > >> > > > >> - > > > >> > > > >> 1. IP-Port-Limit-Info: This attribute may be carried in RADIUS > > > >> Access-Accept, Access-Request, Accounting-Request or > >> CoA-Request > > > >> packet. The purpose of this attribute is to limit the total > > > >> number of TCP/UDP ports and/or ICMP identifiers allocated to > a > > > >> user, associated with one or more IPv4 addresses. > > > >> > > > >> I see "may be carried". Could it be carried in other packets ... was > >> my > > > >> first question. > > > >> It was not clear (until I read the rest of the document) that it's a > > > >> non compulsory attribute only in Access-Accept, Access-Request, > > > >> Accounting-Request or CoA-Request packets. > > > >> Proposal: > > > >> 1. IP-Port-Limit-Info: The purpose of this attribute is to limit > > > >> the total > > > >> number of TCP/UDP ports and/or ICMP identifiers allocated to > a > > > >> user, associated with one or more IPv4 addresses. This > >> attribute > > > >> is > > > >> carried in RADIUS Access-Accept, Access-Request, Accounting- > > > >> Request or > > > >> CoA-Request packets. > > > > > > > > Thank you very much for your proposal, and we'll incorporate this > > > > into the next revision. > > > > > > > >> > > > >> Same remark for the other two points below. > > > > > > > > Thank you and we will update the text for the following > > > > two in the same fashion as you proposed above. > > > > > > > >> > > > >> 2. IP-Port-Range: This attribute may be carried in RADIUS > > > >> Accounting-Request packet. The purpose of this attribute is > >> to > > > >> report by an address sharing device (e.g., a CGN) to the > >> RADIUS > > > >> server the range of TCP/UDP ports and/or ICMP identifiers > that > > > >> have been allocated or deallocated associated with a given > >> IPv4 > > > >> address for a user. > > > >> > > > >> 3. IP-Port-Forwarding-Map: This attribute may be carried in > >> RADIUS > > > >> Access-Accept, Access-Request, Accounting-Request or > >> CoA-Request > > > >> packet. The purpose of this attribute is to specify how an > >> IPv4 > > > >> address and a TCP/ UDP port (or an ICMP identifier) is mapped > >> to > > > >> another IPv4 address and a TCP/UDP port (or an ICMP > identifier). > > > >> > > > >> - > > > >> > > > >> 1. IP-Port-Limit-Info: This attribute may be carried in RADIUS > > > >> Access-Accept, Access-Request, Accounting-Request or > >> CoA-Request > > > >> packet. The purpose of this attribute is to limit the total > > > >> number of TCP/UDP ports and/or ICMP identifiers allocated to > a > > > >> user, associated with one or more IPv4 addresses. > > > >> > > > >> > > > >> Only for TCP/UDP? I believe Mirja had the same question. > > > > > > > > We're planning to make change to IP-Port-Type TLV as described > > > > in my email on 9/11, summarized below: > > > > > > > > - Make this TLV optionally included in > > > > IP-Port-Limit-Info Attribute and > > > > IP-Port-Forwarding-Map Attribute > > > > > > > > - If not included, the port type/number is a "don’t care". > > > > > > > > - The value of this TLV contains an single entry from > > http://www.iana.org/assignments/service-names-port-numbers/service- > names-port-numbers.xhtml. > > > > > > > >> > > > >> - Section 2. Terminology. > > > >> Typically, you want to have that note at the beginning: > > > >> > > > >> Note that the definitions of "internal IP address", "internal > >> port", > > > >> "internal realm", "external IP address", "external port", > >> "external > > > >> realm", and "mapping" are the same as defined in Port Control > > > >> Protocol (PCP) [RFC6887], and the Common Requirements for > Carrier- > > > >> Grade NATs (CGNs) [RFC6888]. > > > >> > > > >> If I know of RFC6887 and RFC6888, I don't read the definitions. > > > > > > > > OK, we'll remove this paragraph. > > > > > > > >> > > > >> - Section 3.1.3 > > > >> > > > >> This attribute is of type "TLV" as defined in the RADIUS Protocol > > > >> Extensions [RFC6929]. It contains the following sub-attributes: > > > >> > > > >> ... > > > >> > > > >> o either an IP-Port-Int-IPv4-Addr TLV (see Section 3.2.4) or an > >> IP- > > > >> Port-Local-Id TLV (see Section 3.2.11), > > > >> > > > >> o either an IP-Port-Int-IPv6-Addr TLV (see Section 3.2.5) or an > >> IP- > > > >> Port-Local-Id TLV (see Section 3.2.11), > > > >> > > > >> Depending on the IP-Port-Type value, it's one of the two above, not > > > >> both. > > > > > > > > This is a good catch - thanks! We will update the text so that > > > > only one is included dependindg on IPv4 or IPv6 scenario. > > > > > > > >> > > > >> - I believe the RFC 2119 keywords usage is sometimes weak (generic > > > >> comment for the entire document) > > > >> Example1: section 3.1.3 > > > >> > > > >> The attribute contains a 2-byte IP internal port number that is > > > >> associated with an internal IPv4 or IPv6 address, or a locally > > > >> significant identifier at the customer site, and a 2-byte IP > > > >> external > > > >> port number that is associated with an external IPv4 address. > The > > > >> internal IPv4 or IPv6 address, or the local identifier must be > > > >> included; the external IPv4 address may also be included. > > > >> > > > >> Not RFC 2119 keywords. Shoud they be MUST and MAY? > > > >> And the next paragraph contains RFC 2119 keywords. > > > >> > > > >> The IP-Port-Forwarding-Map Attribute MAY appear in an > >> Access-Accept > > > >> packet. It MAY also appear in an Access-Request packet to > >> indicate > > > >> a > > > >> preferred port mapping by the device co-located with NAS. > However > > > >> the server is not required to honor such a preference. > > > >> > > > >> Example2: > > > >> > > > >> IP-Port-Ext-IPv4-Addr TLV MAY be included in the following > > > >> Attributes: > > > >> > > > >> o IP-Port-Limit-Info Attribute, identified as 241.TBD1.3 (see > > > >> Section 3.1.1). > > > >> > > > >> o IP-Port-Range Attribute, identified as 241.TBD2.3 (see > > > >> Section 3.1.2). > > > >> > > > >> o IP-Port-Forwarding-Mapping Attribute, identified as 241.TBD3.3 > > > >> (see Section 3.1.3). > > > >> > > > >> Don't you need the RFC2119 keyword in the reverse situation, in > >> section > > > >> 3.1.1 (IP-Port-Limit-Info Attribute)? > > > >> OLD: > > > >> o an optional IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3). > > > >> > > > >> NEW: > > > >> o The IP-Port-Limit-Info Attribute MAY contain the > >> IP-Port-Ext-IPv4- > > > >> Addr (see Section 3.2.3). > > > >> > > > >> This logic would not only be clearer, but would also avoid > > > >> inconsistencies. > > > >> See section 3.1.3 > > > >> OLD: > > > >> > > > >> It contains the following sub-attributes: > > > >> ... > > > >> o an IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3). > > > >> > > > >> > > > >> NEW: > > > >> > > > >> It contains the following sub-attributes: > > > >> > > > >> ... > > > >> o an optional IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3). > > > >> > > > >> Example 3: > > > >> > > > >> natEvent > > > >> > > > >> Integer. This field contains the data (unsigned8) of natEvent > > > >> (230) defined in IPFIX, right justified, and unused bits must > >> be > > > >> set to zero. It indicates the allocation or deallocation of a > > > >> range of IP ports as follows: > > > >> > > > >> MUST? > > > > > > > > Thanks! We'll take your proposal but also apply it to > > > > others in the text. > > > > > > > >> > > > >> > > > >> _______________________________________________ > > > >> radext mailing list > > > >> radext@ietf.org > > > >> https://www.ietf.org/mailman/listinfo/radext > > > > -- > > Best regards, > Kathleen > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext
- [radext] Benoit Claise's Discuss on draft-ietf-ra… Benoit Claise
- Re: [radext] Benoit Claise's Discuss on draft-iet… Dean cheng
- Re: [radext] Benoit Claise's Discuss on draft-iet… Kathleen Moriarty
- Re: [radext] Benoit Claise's Discuss on draft-iet… Dean cheng
- Re: [radext] Benoit Claise's Discuss on draft-iet… mohamed.boucadair
- Re: [radext] Benoit Claise's Discuss on draft-iet… Kathleen Moriarty