Re: [radext] Small issues in the ALPN draft
Heikki Vatiainen <hvn@radiatorsoftware.com> Wed, 20 March 2024 05:01 UTC
Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D8E5C14F69B for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 22:01:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B5gbyQp1V2Fc for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 22:01:55 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F6DCC151536 for <radext@ietf.org>; Tue, 19 Mar 2024 22:01:08 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id ffacd0b85a97d-33ddd1624beso286137f8f.1 for <radext@ietf.org>; Tue, 19 Mar 2024 22:01:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20230601.gappssmtp.com; s=20230601; t=1710910866; x=1711515666; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=rmzm4TIWqc0UIJCicdWnrz0kxQeZyJqST85Q0q3pyY4=; b=SghoOyNoc60nt5OuPqlbAxSX0HrrIIh3uuvRB0M0JnYyGUQvSV+LUgVaxS3x4i1po+ bSV8v8NHzBX6SrQbWP4Xp8iEaMKpeYzokZA5yLoLozWhNa+niT+DSD3G4RZpMUK511d7 VkqQxx8RC81s/G65jaW3xMOUJ8L7zk5t9etCotbPtfhHHOVaP1uEeN9xVjatfneQHokh kDTOWyJupN5QHziDMmdqDUeoqZsEYyu8ZzEakyB3LEMX4Pr0BofUt9HewZDzSu75ilWn BBB1yU6BNqseTFzdocS2eaumlVahM3awgnxQtZO2CDW5Mq9Xm23l+b/TXUXkw70N8UNM J7uA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710910866; x=1711515666; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=rmzm4TIWqc0UIJCicdWnrz0kxQeZyJqST85Q0q3pyY4=; b=Pse1njIqxN2nVKbOp3/XJG+B4KqA8nE1EAnYJPDoQDWcv35+OeF9xIgxj5sumr8EMC bfIK3YyOKpAjYmy9B+S8ClimDmwvN9U9O6sJ12rOVfCfu7JHLwqNa2y2G6LbfiyelXmu lcTHUVrVBpf3hP7P8LOjSvF7ir6K1wNew2CMG3YSAj36U3NcELP+utaiMBY/oxWPSNPC gqoXG9WQfV+tjWEDIX4WHeKX1WumBMDQLMEsUcWHA5R2h5jN6g0w/NUMzh1NED4E2T+y 2eO2G32kk11hWH5LwRS8epH2mWgGDPAkMJMhCdNFZbVJiuOGQgd8j1YnMfGuWwGhirrO 9+qw==
X-Gm-Message-State: AOJu0YxpClOjrx8i5sU272kWD3L5oNlyjfo0NiVplQYHRwaS83Krqwmb sH3v1Y/7qNDLk6o1ZIwZO/2RF6lA4AEOuu8VCwJCNudiSboR/eWezD7i47ytK2BsJ4oQ0kRMTgY wd9MwzioDydlKhjsu/17lngDqqV+zOrTEcRTl/QYp1fI3qNZQXg==
X-Google-Smtp-Source: AGHT+IEDq+jEDNc9BwPhgmAMjTCH6sZmSl+5wrxTwUbXNt24yfS8sT5e3zlFXFXFAvBwdDaZRRhgSHNNGOT35NahKs0=
X-Received: by 2002:a5d:5986:0:b0:33e:6a81:d8b9 with SMTP id n6-20020a5d5986000000b0033e6a81d8b9mr1434576wri.20.1710910866297; Tue, 19 Mar 2024 22:01:06 -0700 (PDT)
MIME-Version: 1.0
References: <3a5885c2-fa5a-4aae-a1f4-e79b9456ad94@dfn.de> <3C061F54-4D3A-4523-AC5B-E744A22A8EA3@deployingradius.com> <c1a00b2f-e716-4e8e-87d3-0d8dedeb8957@dfn.de> <E2A51B6B-A621-41B7-8371-B5110AD29624@deployingradius.com> <edcbd00f-860e-4035-9abc-c9f23e8a5560@dfn.de> <b28c7cf1-c872-491c-a7fd-4f48d3517b43@app.fastmail.com>
In-Reply-To: <b28c7cf1-c872-491c-a7fd-4f48d3517b43@app.fastmail.com>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Wed, 20 Mar 2024 15:00:49 +1000
Message-ID: <CAA7Lko8xhOm6mAZzKoD0Qk2CD0yvYNqfAmsH6CyC0ksbw-wSuQ@mail.gmail.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="0000000000006dbb660614107a9c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/7qYLcx1-1bVmVQtwt48-zm8lFw0>
Subject: Re: [radext] Small issues in the ALPN draft
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 05:01:56 -0000
On Wed, 20 Mar 2024 at 14:38, Alexander Clouter <alex+ietf@coremem.com> wrote: > On Wed, 20 Mar 2024, at 03:53, Jan-Frederik Rieckers wrote: > > But for outstanding packets, the server and client MUST have a matching > > idea of when a token can be reused, in order to have a stable connection. > > One way to solve this is retain that from the server perspective the token > is 100% opaque but suggest that client implementations split the token as > [token|epoch] where this 'epoch' is some local timestamp representation > (meaningful only to the client) of when the initial request was sent. > Here's an example from another AAA protocol, see End-to-End Identifier definition: https://datatracker.ietf.org/doc/html/rfc6733#section-3 In any case, I support mandating a counter on the client side. For the server it's mandated to be opaque. This would be good for debugging (easy to see the order of messages) and should not be hard to implement because the counter would exist as a property of a connection. When the connection is closed, the counter and its history no longer exists. The starting value could be random, or perhaps the 12bits construct End-to-End identifier uses. I'd say this may be a bit fancy since the counter in question is not used for end-to-end purposes over multiple hops. -- Heikki Vatiainen hvn@radiatorsoftware.com
- [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Alexander Clouter
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Heikki Vatiainen
- Re: [radext] Small issues in the ALPN draft Alan DeKok