IETF Logo Mail Archive

Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04

Peter Deacon <peterd@iea-software.com> Sat, 06 April 2013 00:22 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A2F921F8B15 for <radext@ietfa.amsl.com>; Fri, 5 Apr 2013 17:22:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.51
X-Spam-Level:
X-Spam-Status: No, score=-2.51 tagged_above=-999 required=5 tests=[AWL=0.089, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x0nn9imXJHI0 for <radext@ietfa.amsl.com>; Fri, 5 Apr 2013 17:22:32 -0700 (PDT)
Received: from aspen.internal.iea-software.com (remote.iea-software.com [70.89.142.196]) by ietfa.amsl.com (Postfix) with ESMTP id 6F51121F8AC3 for <radext@ietf.org>; Fri, 5 Apr 2013 17:22:32 -0700 (PDT)
Received: from SMURF (unverified [10.0.3.195]) by aspen.internal.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005878350@aspen.internal.iea-software.com>; Fri, 5 Apr 2013 17:22:31 -0700
Date: Fri, 05 Apr 2013 17:22:30 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Jim Schaad <ietf@augustcellars.com>
In-Reply-To: <007601ce3252$6fd489b0$4f7d9d10$@augustcellars.com>
Message-ID: <alpine.WNT.2.00.1304051625560.3988@SMURF>
References: <1A5FDF7C-9E93-447E-A103-9700349CB2F5@gmail.com> <alpine.WNT.2.00.1304021450180.3988@SMURF> <515C3604.3040406@deployingradius.com> <alpine.WNT.2.00.1304042021411.3988@SMURF> <007601ce3252$6fd489b0$4f7d9d10$@augustcellars.com>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: radext@ietf.org, radext-chairs@tools.ietf.org, 'Alan DeKok' <aland@deployingradius.com>
Subject: Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2013 00:22:33 -0000

On Fri, 5 Apr 2013, Jim Schaad wrote:

>> For the sake of this example RADIUS client is connected to a NAS that sees
>> only a few concurrent sessions and only sparse activity every few
>> minutes...From our experience typical AP in a low traffic environment.
>>
>> At 75 seconds the client sends a RADIUS request to RADIUS/DTLS server.
>> Server promptly ignores this request because the session was torn down due
>> to exceeding idle timeout.  The client runs thru all of its retries and
> timeouts
>> IGNORED by the server before it either picks a different RADIUS server or
>> tries to open a new RADIUS/DTLS session to the same server.

> But you are also going assume that the teardown message on the DTLS link is
> also going to be lost.  In the more common case the close_notify alert is
> going to get sent from the server to the client (or the other way) and both
> sides are going to know that the session has been shut down.
> Jim

>> None of the active probing mechanisms work at these timescales and they
>> should not be necessary to prevent this sort of problem from occurring.

>> TCP TLS provides reliable notification of shutdown DTLS does not.

Hi Jim,

Apologize if I gave a different impression than intended.  Did not intend 
to exclude or imply no notification only notification is unreliable.

Advocating mitigating with small changes to default settings or idle 
algorithm as in suggested text.

regards,
Peter

>>>  Do you have suggested text for the draft?
>>
>> 5.2...
>>
>> RADIUS/DTLS clients MAY proactively close sessions when they have been
> idle
>> for 60-86400 seconds if DTLS heartbeats or active watchdog probes are
> used.
>> When unused RADIUS/DTLS client SHOULD close sessions idle for 60 to no
>> longer than 600 seconds.
>>
>> 5.1.1...
>>
>> This session "idle timeout" SHOULD be exposed to the administrator as a
>> configurable setting. RADIUS servers SHOULD timeout after at least 600
>> seconds.
>>
>>     As UDP does not guarantee delivery of messages, RADIUS/DTLS servers
>>     MUST also maintain a "Last Packet" timestamp per DTLS session.  The
>>     timestamp MUST be updated on reception of a valid RADIUS/DTLS
>>     packet or DTLS heartbeat.  The timestamp MUST NOT be updated in other
>>     situations. The server SHOULD delete idle DTLS sessions after
>>     an "idle timeout".
>>
>>
>> 10.2
>>
>> While total number of sessions tracked exceeds the configured limit
> servers
>> SHOULD close idle sessions starting with highest idle time until a
> sufficient
>> number of sessions have been closed or lower idle timeout threshold of 60
>> seconds or more has been reached.

v2.39.1 | Report a Bug | By Email | System Status