IETF Logo Mail Archive

Re: [radext] configuration auto-discovery [was: draft-cullen-radextra-status-realm-00]

Alan DeKok <aland@deployingradius.com> Mon, 14 August 2023 18:56 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 500E2C151076 for <radext@ietfa.amsl.com>; Mon, 14 Aug 2023 11:56:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fd2koIueu2zl for <radext@ietfa.amsl.com>; Mon, 14 Aug 2023 11:56:28 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0620C14CF17 for <radext@ietf.org>; Mon, 14 Aug 2023 11:56:26 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 32069308; Mon, 14 Aug 2023 18:56:23 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <1bb810eb-a133-45d0-987d-86d5f5f5b871@app.fastmail.com>
Date: Mon, 14 Aug 2023 14:56:22 -0400
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5B849271-1B8D-4544-95D9-D2510D734E50@deployingradius.com>
References: <0FCC9942-32CE-4B98-8F71-175F410882E7@deployingradius.com> <5B16D759-758E-4701-8C7E-4A563AC74274@gmail.com> <f3da5d88-fb33-f40e-303d-10000434cf0d@dfn.de> <23A95285-EEF4-4CCE-A68B-8EF6AEFCD668@deployingradius.com> <1bb810eb-a133-45d0-987d-86d5f5f5b871@app.fastmail.com>
To: Alexander Clouter <alex+ietf@coremem.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/5fFaYtLKcYljmqqrB0jj7JiiOXU>
Subject: Re: [radext] configuration auto-discovery [was: draft-cullen-radextra-status-realm-00]
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2023 18:56:32 -0000

On Aug 14, 2023, at 11:34 AM, Alexander Clouter <alex+ietf@coremem.com> wrote:
> Say we invent a new type of RADIUS reject...call it 'Access-Unreachable'.

  We already have Protocol-Error.  But the way it works is a bit ugly.

  What would likely be better is a new packet type "unroutable", that could be a reply to any request.  For simplicity, it might be best to require that this is sent only over RADIUS/1.1

  The use of RADIUS/1.1 makes it trivial to tie a response packet to any request packet.  It may also help with per-hop signalling, so that servers know clients are capable of understanding this packet.

> Not important here and now, as it is detail, but this packet could have a 'scope' to communicate if this is just the realm the Access-Request was for or "all realms" or something in between.

  The response packet would need an Error-Cause attribute with new values.  Perhaps:

* temporary proxy failure for this destination (don't use "realm", as people proxy on different things)

* permanent proxy failure for this destination

> The tricky part would be figuring out when to unblock traffic to the upstream by realm. This probably would be a good fit for regularly polling Status-Realm with the TTL set to one.

  Do what we do now:  leave all of that to the client.  :)

  The client can at some later time send a probe, or it can simply start retrying packets after a period of time.

> This would be an optimisation effort. The system would have to discover unreachable before it can start reporting unreachable downstream.

  Yes.

  The "request unroutable" reply would essentially be treated the same way as packets which were sent on a TCP connection that was closed.  The packets would get redirected to another destination.

  The only difference is that the "request unroutable" reply is not a failure of the connection, it is a failure of the destination.  So the client wouldn't retry another connection to that server.  Instead, it would retry to a different server.  I suspect that there isn't a large difference in logic.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email