IETF Logo Mail Archive

Re: [radext] Extended IDs

"Naiming Shen (naiming)" <naiming@cisco.com> Wed, 13 December 2017 06:08 UTC

Return-Path: <naiming@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62B97128DF3 for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 22:08:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WwwLbVDksbcM for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 22:08:09 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5F1A124BE8 for <radext@ietf.org>; Tue, 12 Dec 2017 22:08:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3038; q=dns/txt; s=iport; t=1513145288; x=1514354888; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=JQsYoaMpb6mNiXtGEquImU6oa1zsNJBT1vZuA2kXbh0=; b=KM611ivO2IV4vxPpwPlrHAk8HFsL6lRobY5ljhti/52PIIuTpKK0WPZU tg/ZLedQlQQEDT48PmoVnNg7UddZIuOki2agB4fPk1B9JGr63U7StE7sH ph+ffizpJwOgojATiuHcxWlLHpwg7kDcG49pFGOiRcUc6Dw9ew+z0t8yN M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BMAgA7wzBa/5FdJa1dGQEBAQEBAQEBAQEBAQcBAQEBAYM+gVonB4N7mSaBfZkmCoIBgzoCGoRuQhUBAQEBAQEBAQFrKIUjAQEBAQIBHQYRRQULAgEIGAICJgICAjAVEAIEDgWKIAioKoInimEBAQEBAQEBAQEBAQEBAQEBAQEBAR6BD4JUgguDPymDAoMvgVgWgxUxgjIFoxkClSSTZ5Y5AhEZAYE6ATUjgU5vFWQBgX6EVXiJLoEVAQEB
X-IronPort-AV: E=Sophos;i="5.45,397,1508803200"; d="scan'208";a="43922199"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Dec 2017 06:08:08 +0000
Received: from XCH-ALN-005.cisco.com (xch-aln-005.cisco.com [173.36.7.15]) by rcdn-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id vBD688p6017017 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 13 Dec 2017 06:08:08 GMT
Received: from xch-rcd-004.cisco.com (173.37.102.14) by XCH-ALN-005.cisco.com (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 13 Dec 2017 00:08:07 -0600
Received: from xch-rcd-004.cisco.com ([173.37.102.14]) by XCH-RCD-004.cisco.com ([173.37.102.14]) with mapi id 15.00.1320.000; Wed, 13 Dec 2017 00:08:07 -0600
From: "Naiming Shen (naiming)" <naiming@cisco.com>
To: Peter Deacon <peterd@iea-software.com>
CC: "radext@ietf.org" <radext@ietf.org>
Thread-Topic: [radext] Extended IDs
Thread-Index: AQHTKHKrqtJDphnIu0Ga679ujWV4vKMqT+8AgBZxrICAAJ7zgIAADIgAgAACGYCAAAuaAIAABy4AgAALtICAAAh4AIAALHEAgAAClwA=
Date: Wed, 13 Dec 2017 06:08:07 +0000
Message-ID: <38A550CE-C1E5-441E-B25E-7E87D266F627@cisco.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <933E6F70-A7C1-4168-9AC9-F925EF78D9E2@jisc.ac.uk> <AE2036D0-1294-45B5-A0D7-16F91E0B4248@cisco.com> <alpine.WNT.2.21.1.1712121615090.2252@smurf> <EE3BB1A7-EAD9-4BE1-9EA2-B780580E5C95@cisco.com> <alpine.WNT.2.21.1.1712121704430.2252@smurf> <B41EF4CD-309C-4E0F-BE7A-B77A244DA421@cisco.com> <alpine.WNT.2.21.1.1712121824110.2252@smurf> <313FEFCE-FD61-4394-804D-91BAE98CA687@cisco.com> <alpine.WNT.2.21.1.1712121947300.2252@smurf>
In-Reply-To: <alpine.WNT.2.21.1.1712121947300.2252@smurf>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.71.8]
Content-Type: text/plain; charset="utf-8"
Content-ID: <EFBC465E3565FE41B514192D91DD3CFB@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/7MwTKZg7R2sknfXlR6b8cX6bOms>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 06:08:10 -0000

When I say “check the status of the server”, sorry I didn’t mean the server-status
message. When an operator decides to do manual configuration of a new feature
and override the normal automated discovery procedure, he/she needs to check
the radius server and/or radius proxy server software version, status, etc. He/she would
not just blindly configure the new feature, and go home to sleep and assume
everything is fine. That's just common sense. 

BTW, Status-server is not supported universally is not a problem here.
When the server software supports this draft, then it MUST implement the
Status-server message at least for this feature.

Regards,
- Naiming

> On Dec 12, 2017, at 9:58 PM, Peter Deacon <peterd@iea-software.com> wrote:
> 
> On Wed, 13 Dec 2017, Naiming Shen (naiming) wrote:
> 
>> If you insist misconfiguration is the greatest thing we have to deal with,
> 
> Decision to expand on original remarks in response to call for adoption was result of your inquiry:
> 
> "Third, if assume an operation completely messed up, and leaking this extended-ID towards the home-server, I still need to see a good example on what the harm is that, and why this can not be debugged. The draft I agree needs to add some text on various cases and how to debug those in each of them."
> 
> Otherwise I am happy with the relative strength of my remarks in their original context.
> 
>> then I can imagine you misconfigurae your server ip address and proxy ip address,
>> and packets will not be returned, how to you troubleshoot that? if you do
> 
> If when manually switched on in an environment where it should not be the result is not working at all that would be perfectly fine.  Unfortunatly as I have shown this is not the case with extended-id.
> 
> In this aspect of consideration ORA clearly has an advantage both in ability to detect and report failure and nature of failure itself.
> 
>> have ways, and this draft also have ways. Can you imaging an operator
>> insist to do a manual configuration without check the status of the server,
> 
> Yes absolutely.  This will defiantly occur.  Status-server is not universally supported.
> 
> regards,
> Peter

v2.23.0 | Report a Bug | By Email