Re: Reminder for review of Design Guidelines document
Alan DeKok <aland@deployingradius.com> Wed, 31 March 2010 19:39 UTC
Return-Path: <owner-radiusext@ops.ietf.org>
X-Original-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Delivered-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CEFCE3A68E6 for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Wed, 31 Mar 2010 12:39:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.935
X-Spam-Level: *
X-Spam-Status: No, score=1.935 tagged_above=-999 required=5 tests=[AWL=-1.300, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WOfikZ06w+DZ for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Wed, 31 Mar 2010 12:39:57 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A5B853A681E for <radext-archive-IeZ9sae2@lists.ietf.org>; Wed, 31 Mar 2010 12:39:57 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-radiusext@ops.ietf.org>) id 1Nx3g3-000F0T-6g for radiusext-data0@psg.com; Wed, 31 Mar 2010 19:34:11 +0000
Received: from [88.191.76.128] (helo=liberty.deployingradius.com) by psg.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <aland@deployingradius.com>) id 1Nx3g0-000EzB-Bb for radiusext@ops.ietf.org; Wed, 31 Mar 2010 19:34:08 +0000
Message-ID: <4BB3A3AA.8040504@deployingradius.com>
Date: Wed, 31 Mar 2010 21:34:02 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: "David B. Nelson" <dnelson@elbrys.com>
CC: 'radext mailing list' <radiusext@ops.ietf.org>
Subject: Re: Reminder for review of Design Guidelines document
References: <4BB364DB.5090303@deployingradius.com> <FFE16317-7BD5-4A95-955E-06150BF4D676@elbrys.com>
In-Reply-To: <FFE16317-7BD5-4A95-955E-06150BF4D676@elbrys.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-radiusext@ops.ietf.org
Precedence: bulk
List-ID: <radiusext.ops.ietf.org>
David B. Nelson wrote:
> Section 1.3, Applicability, reads in part:
>
> It is RECOMMENDED that SDOs and vendors seek review of RADIUS
> attribute specifications from the IETF. However, when specifications
> are SDO specific, re-use existing data types, and follow these
> guidelines, they do not require IETF review.
>
> I assume that the phrase "they do not require IETF review" is not
> intended to Update RFC 3575, or to modify the RADIUS IANA considerations
> provisions thereof.
Yes. I'll see if I can clarify that. I have some text suggesting
more clearly that vendors own their own VSA space. The above text could
say:
a) anything they do in their own VSA space does not require review
b) referencing existing RFCs does not require review
That should be compatible with 3575, I think.
> Section ZZZ
>
> Placeholder that requires resolution?
To 3.1, I think.
> Section 2.1, Data Types, reads in part:
>
> Nested groups or attributes do not qualify as "basic data types", and
> SHOULD NOT be used.
>
> Should that read "groups *of* attributes"?
Hmm... maybe "groups of attributes or nested attributes".
> All other data formats are defined to be "complex data types", and
> are NOT RECOMMENDED. However, there may be situations where complex
> attributes are beneficial because they reduce complexity in the non-
> RADIUS systems. Unfortunately, there are no "hard and fast" rules
> for where the complexity would best be located. Each situation has
> to be decided on a case-by-case basis.
>
> Should the first sentence read ""are *generally* NOT RECOMMENDED"? It seems to me that the qualification of the remainder of this paragraph substantially qualifies the traditional RFC 2119 keyword NOT RECOMMENDED.
Possibly, yes.
> Section 3.1, RADIUS Operational Model, reads in part:
>
> * The protocol provices for authentication and integrity
> protection of packets;
>
> s/provices/provides/
Fixed, thanks.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Wed, 31 Mar 2010 19:34:58 +0000
Message-ID: <4BB3A3AA.8040504@deployingradius.com>
Date: Wed, 31 Mar 2010 21:34:02 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: "David B. Nelson" <dnelson@elbrys.com>
CC: 'radext mailing list' <radiusext@ops.ietf.org>
Subject: Re: Reminder for review of Design Guidelines document
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
David B. Nelson wrote:
> Section 1.3, Applicability, reads in part:
>
> It is RECOMMENDED that SDOs and vendors seek review of RADIUS
> attribute specifications from the IETF. However, when specifications
> are SDO specific, re-use existing data types, and follow these
> guidelines, they do not require IETF review.
>
> I assume that the phrase "they do not require IETF review" is not
> intended to Update RFC 3575, or to modify the RADIUS IANA considerations
> provisions thereof.
Yes. I'll see if I can clarify that. I have some text suggesting
more clearly that vendors own their own VSA space. The above text could
say:
a) anything they do in their own VSA space does not require review
b) referencing existing RFCs does not require review
That should be compatible with 3575, I think.
> Section ZZZ
>
> Placeholder that requires resolution?
To 3.1, I think.
> Section 2.1, Data Types, reads in part:
>
> Nested groups or attributes do not qualify as "basic data types", and
> SHOULD NOT be used.
>
> Should that read "groups *of* attributes"?
Hmm... maybe "groups of attributes or nested attributes".
> All other data formats are defined to be "complex data types", and
> are NOT RECOMMENDED. However, there may be situations where complex
> attributes are beneficial because they reduce complexity in the non-
> RADIUS systems. Unfortunately, there are no "hard and fast" rules
> for where the complexity would best be located. Each situation has
> to be decided on a case-by-case basis.
>
> Should the first sentence read ""are *generally* NOT RECOMMENDED"? It seems to me that the qualification of the remainder of this paragraph substantially qualifies the traditional RFC 2119 keyword NOT RECOMMENDED.
Possibly, yes.
> Section 3.1, RADIUS Operational Model, reads in part:
>
> * The protocol provices for authentication and integrity
> protection of packets;
>
> s/provices/provides/
Fixed, thanks.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Wed, 31 Mar 2010 15:07:15 +0000
Message-ID: <4BB364DB.5090303@deployingradius.com>
Date: Wed, 31 Mar 2010 17:06:03 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: 'radext mailing list' <radiusext@ops.ietf.org>
Subject: Reminder for review of Design Guidelines document
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
The guidelines document was updated significantly to address the open
concerns. The latest revision is available at:
http://tools.ietf.org/html/draft-ietf-radext-design-12
The high-level differences are an update as per the review from
Hannes. The outline is now:
introduction (2 pages)
guidelines (3 pages)
rationale (11 pages)
The "guidelines" section gives the guidelines with no supporting
arguments. All of the arguments are in the "rationale" section. We
hope that this organization makes the guidelines easier to understand.
The document still needs some minor editing, and also should integrate
comments from Issue #327. However, these changes are expected to be
minor, and we are looking for feedback on the current draft.
A diff is at:
http://tools.ietf.org/rfcdiff?url2=draft-ietf-radext-design-12.txt
The diff isn't that useful, as too much has changed.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Sun, 28 Mar 2010 22:35:00 +0000
Message-ID: <BLU137-W1312420228C50F37BB2B8093210@phx.gbl>
Content-Type: multipart/alternative; boundary="_44fd2e38-f555-4362-9b23-a4c57f89bbb1_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
Subject: Notes from IETF 77
Date: Sun, 28 Mar 2010 15:34:10 -0700
MIME-Version: 1.0
--_44fd2e38-f555-4362-9b23-a4c57f89bbb1_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
If you took notes at IETF 77=2C please send them to me.=20
=
--_44fd2e38-f555-4362-9b23-a4c57f89bbb1_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 10pt=3B
font-family:Verdana
}
--></style>
</head>
<body class=3D'hmmessage'>
If you took notes at IETF 77=2C please send them to me. <br><br><br><table =
style=3D"border-top: 1px solid black=3B font-weight: bold=3B font-family: '=
Segoe UI'=2CTahoma=2Csan-serif=3B"><tbody><tr><td><a href=3D"http://im.live=
.com/Messenger/IM/Home/?source=3DEML_WLHM_GreaterGood" style=3D"font-size: =
9pt=3B color: rgb(1=2C 132=2C 203)=3B text-decoration: none=3B"><span style=
=3D"padding: 0px 24px=3B font-size: 8pt=3B color: rgb(63=2C 181=2C 85)=3B t=
ext-decoration: underline=3B"></span></a><br></td></tr></tbody></table> =
</body>
</html>=
--_44fd2e38-f555-4362-9b23-a4c57f89bbb1_--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 22 Mar 2010 23:45:53 +0000
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Cc: radiusext@ops.ietf.org
Subject: I-D Action:draft-ietf-radext-design-12.txt
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20100322234502.0AA3C3A694C@core3.amsl.com>
Date: Mon, 22 Mar 2010 16:45:02 -0700 (PDT)
--NextPart
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the RADIUS EXTensions Working Group of the IETF.
Title : RADIUS Design Guidelines
Author(s) : G. Weber, A. DeKok
Filename : draft-ietf-radext-design-12.txt
Pages : 39
Date : 2010-03-22
This document provides guidelines for the design of attributes used
by the Remote Authentication Dial In User Service (RADIUS) protocol.
It is expected that these guidelines will prove useful to authors and
reviewers of future RADIUS attribute specifications, both within the
IETF as well as other Standards Development Organizations (SDOs).
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-radext-design-12.txt
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
--NextPart
Content-Type: Message/External-body;
name="draft-ietf-radext-design-12.txt";
site="ftp.ietf.org";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <2010-03-22163646.I-D@ietf.org>
--NextPart--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 22 Mar 2010 22:04:04 +0000
Date: Mon, 22 Mar 2010 15:03:39 -0700 (Pacific Daylight Time)
From: Peter Deacon <peterd@iea-software.com>
To: 'radext mailing list' <radiusext@ops.ietf.org>
Subject: Re: draft-dekok-radext-dtls-02 comments
Message-ID: <alpine.WNT.2.00.1003221446070.9176@SMURF>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Mon, 22 Mar 2010, Alan DeKok wrote:
>> If so how does one implement new packet codes in the future or co-exist
>> with systems that do not support all currently allocated packet codes?
> RADIUS has traditionally had a strong relationship between destination
> port and packet codes. The list of packets allowed to be sent to port
> 1812 hasn't really changed in 15 years. When new codes are defined
> (e.g. CoA), new ports are defined, too. RDTLS follows this practice.
Well I have already said everything I wanted to. WRT port allocations
don't say that too loud the IANA might hear you :-)
regards,
Peter
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 22 Mar 2010 21:41:29 +0000
Message-ID: <4BA7E3DC.6050704@deployingradius.com>
Date: Mon, 22 Mar 2010 14:40:44 -0700
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Peter Deacon <peterd@iea-software.com>
CC: 'radext mailing list' <radiusext@ops.ietf.org>
Subject: Re: draft-dekok-radext-dtls-02 comments
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Peter Deacon wrote:
> On Mon, 22 Mar 2010, Alan DeKok wrote:
>> In DTLS, the crypto layer ensures that packets have not been modified.
>> Therefore, the only time that packets are malformed is when the sender
>> has sent bad data. When that happens, they should no longer be trusted
>> to do *anything*.
>
> I understand DTLS provides encryption and integrity protection. I don't
> understand why the peer should no longer be trusted?
If the peer manifestly fails to implement RADIUS, then it can no
longer be trusted to implement RADIUS.
> When this occurs
> is the client trusted to reestablish a DTLS session? If so why? Where
> is this trust defined? Administratively?
So long as the client implements RADIUS, it can be trusted. Since
more than one implementation may live at a particular IP address, *new*
connections from that IP cannot be forbidden if one misbehaves.
>> Yes. Too bad. If someone can't be bothered to implement RADIUS
>> properly, their software won't work that well.
>
> There are valid reasons to ignore a request. See RFC2138 Sec 3.
> "Unrecognized packet codes are silently discarded" If a server does not
> recognize a packet code sent by its peer does that mean the DTLS session
> needs to be dropped?
Why is the client sending non-RADIUS packets to a RADIUS server?
> If so how does one implement new packet codes in the future or co-exist
> with systems that do not support all currently allocated packet codes?
RADIUS has traditionally had a strong relationship between destination
port and packet codes. The list of packets allowed to be sent to port
1812 hasn't really changed in 15 years. When new codes are defined
(e.g. CoA), new ports are defined, too. RDTLS follows this practice.
This practice also means that servers *not* implementing a packet code
simply ignore *all* packets sent to a port... including DTLS connection
requests.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 22 Mar 2010 21:26:07 +0000
Date: Mon, 22 Mar 2010 14:25:43 -0700 (Pacific Daylight Time)
From: Peter Deacon <peterd@iea-software.com>
To: 'radext mailing list' <radiusext@ops.ietf.org>
Subject: Re: draft-dekok-radext-dtls-02 comments
Message-ID: <alpine.WNT.2.00.1003221403210.9176@SMURF>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Mon, 22 Mar 2010, Alan DeKok wrote:
> Also, an *explicit* note that secrets should not be re-used is
> required, in my opinion. This forbids one "obvious" class of
> implementations, where there's only one secret for RADIUS && RDTLS.
>> Sec 4.1.1 -
>>
>> "Where the RADIUS specifications require that a
>> RADIUS packet received via the DTLS session is to be "silently
>> discarded", the entry in the tracking table corresponding to that
>> DTLS session MUST also be deleted, the DTLS session MUST be closed,
>> and any TLS session resumption parameters for that session MUST be
>> discarded."
>> Why is this still done when DTLS is used for a transport? IIRC in the
>> TCP mapped drafts this was done to mitigate possibility of loss of
>> protocol synchronization - not possible WRT DTLS.
> In DTLS, the crypto layer ensures that packets have not been modified.
> Therefore, the only time that packets are malformed is when the sender
> has sent bad data. When that happens, they should no longer be trusted
> to do *anything*.
I understand DTLS provides encryption and integrity protection. I don't
understand why the peer should no longer be trusted? When this occurs is
the client trusted to reestablish a DTLS session? If so why? Where is
this trust defined? Administratively?
>> There is an additional concern in that DTLS closure messages have no
>> retransmission timers and are not guaranteed to be delivered. When this
>> occurs future messages will be discarded by the peers DTLS stack until
>> the clients "lifetime" timer expires and the DTLS session is reestablished.
> Yes. Too bad. If someone can't be bothered to implement RADIUS
> properly, their software won't work that well.
There are valid reasons to ignore a request. See RFC2138 Sec 3.
"Unrecognized packet codes are silently discarded" If a server does not
recognize a packet code sent by its peer does that mean the DTLS session
needs to be dropped?
If so how does one implement new packet codes in the future or co-exist
with systems that do not support all currently allocated packet codes?
regards,
Peter
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 22 Mar 2010 21:00:39 +0000
Message-ID: <4BA7DA5E.2080806@deployingradius.com>
Date: Mon, 22 Mar 2010 14:00:14 -0700
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Peter Deacon <peterd@iea-software.com>
CC: 'radext mailing list' <radiusext@ops.ietf.org>
Subject: Re: draft-dekok-radext-dtls-02 comments
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Peter Deacon wrote:
> Sec 8.1 -
>
> "The previous RADIUS practice of using shared secrets that are minor
> variations of words is NOT RECOMMENDED, as it would negate nearly all
> of the security of DTLS."
>
> I think any statements WRT secret key strength should to be generalized
> and take into account the properties of the underlying PSK suite as some
> systems may or may not be subject to offline attack.
Do you have suggested text?
> "Any shared
> secret used for RADIUS MUST NOT be used for DTLS. Reusing a shared
> secret between RADIUS and DTLS would negate all of the benefits found
> by using DTLS."
>
> I wonder if a more general warning about the possibility of
> down-negotiation would be a better fit. I can see the same concept
> applying to administrative selection of cipher-suites.
Do you have suggested text?
Also, an *explicit* note that secrets should not be re-used is
required, in my opinion. This forbids one "obvious" class of
implementations, where there's only one secret for RADIUS && RDTLS.
> Sec 4.1.1 -
>
> "Where the RADIUS specifications require that a
> RADIUS packet received via the DTLS session is to be "silently
> discarded", the entry in the tracking table corresponding to that
> DTLS session MUST also be deleted, the DTLS session MUST be closed,
> and any TLS session resumption parameters for that session MUST be
> discarded."
>
> Why is this still done when DTLS is used for a transport? IIRC in the
> TCP mapped drafts this was done to mitigate possibility of loss of
> protocol synchronization - not possible WRT DTLS.
In DTLS, the crypto layer ensures that packets have not been modified.
Therefore, the only time that packets are malformed is when the sender
has sent bad data. When that happens, they should no longer be trusted
to do *anything*.
> My concern as with the TCP map is silently discarded messages can take
> down other unrelated exchanges. The inner RADIUS should speak up while
> the transport is being established if there is no intention on honoring
> the established channel.
A counter point is that systems not implementing RADIUS should not
talk to RADIUS servers. It's not really appropriate to add negotiation
to RADIUS where implementations indicate whether or not they support RADIUS.
> There is an additional concern in that DTLS closure messages have no
> retransmission timers and are not guaranteed to be delivered. When this
> occurs future messages will be discarded by the peers DTLS stack until
> the clients "lifetime" timer expires and the DTLS session is reestablished.
Yes. Too bad. If someone can't be bothered to implement RADIUS
properly, their software won't work that well.
> Sec 4.2 -
>
> "RDTLS clients SHOULD NOT send both normal RADIUS and RDTLS packets
> from the same source socket."
>
> " and increases the potential for
> security breaches due to implementation issues."
>
> WRT security only it seems to me servers must know better if not
> explicitly forbidden whether this is done or not. Encouraging (change
> SHOULD NOT to MAY) can only shine light on the issue and force
> implementors to address appropriately.
Hmm... allowing potentially bad behavior to highlight the fact that
bad behavior needs fixing. I'm not sure I agree with that.
Another argument is that allowing this increases the server processing
requirements for *every* packet. Instead of doing RADIUS / DTLS
detection on the first packet from a new socket, it has to be done for
*every* packet. This increases the number of cases that have to be
examined for potential RADIUS / DTLS overlap.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 22 Mar 2010 20:29:18 +0000
Date: Mon, 22 Mar 2010 13:28:28 -0700 (Pacific Daylight Time)
From: Peter Deacon <peterd@iea-software.com>
To: 'radext mailing list' <radiusext@ops.ietf.org>
Subject: draft-dekok-radext-dtls-02 comments
Message-ID: <alpine.WNT.2.00.1003220936010.9176@SMURF>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Sec 8.1 -
"The previous RADIUS practice of using shared secrets that are minor
variations of words is NOT RECOMMENDED, as it would negate nearly all
of the security of DTLS."
I think any statements WRT secret key strength should to be generalized
and take into account the properties of the underlying PSK suite as some
systems may or may not be subject to offline attack.
"Any shared
secret used for RADIUS MUST NOT be used for DTLS. Reusing a shared
secret between RADIUS and DTLS would negate all of the benefits found
by using DTLS."
I wonder if a more general warning about the possibility of
down-negotiation would be a better fit. I can see the same concept
applying to administrative selection of cipher-suites.
Sec 4.1.1 -
"Where the RADIUS specifications require that a
RADIUS packet received via the DTLS session is to be "silently
discarded", the entry in the tracking table corresponding to that
DTLS session MUST also be deleted, the DTLS session MUST be closed,
and any TLS session resumption parameters for that session MUST be
discarded."
Why is this still done when DTLS is used for a transport? IIRC in the TCP
mapped drafts this was done to mitigate possibility of loss of protocol
synchronization - not possible WRT DTLS.
My concern as with the TCP map is silently discarded messages can take
down other unrelated exchanges. The inner RADIUS should speak up while
the transport is being established if there is no intention on honoring
the established channel.
There is an additional concern in that DTLS closure messages have no
retransmission timers and are not guaranteed to be delivered. When this
occurs future messages will be discarded by the peers DTLS stack until the
clients "lifetime" timer expires and the DTLS session is reestablished.
Sec 4.2 -
"RDTLS clients SHOULD NOT send both normal RADIUS and RDTLS packets
from the same source socket."
" and increases the potential for
security breaches due to implementation issues."
WRT security only it seems to me servers must know better if not
explicitly forbidden whether this is done or not. Encouraging (change
SHOULD NOT to MAY) can only shine light on the issue and force
implementors to address appropriately.
regards,
Peter
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 22 Mar 2010 16:24:44 +0000
Message-ID: <4BA799A3.4060308@deployingradius.com>
Date: Mon, 22 Mar 2010 09:24:03 -0700
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: 'radext mailing list' <radiusext@ops.ietf.org>
Subject: [Fwd: New Version Notification for draft-dekok-radext-dtls-02]
Content-Type: multipart/mixed; boundary="------------080203020903010908080102"
This is a multi-part message in MIME format.
--------------080203020903010908080102
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
--------------080203020903010908080102
Content-Type: message/rfc822;
name="New Version Notification for draft-dekok-radext-dtls-02.eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename*0="New Version Notification for draft-dekok-radext-dtls-02.eml"
X-Account-Key: account3
X-Mozilla-Keys:
Return-Path: <wwwrun@core3.amsl.com>
X-Original-To: aland@freeradius.org
Delivered-To: aland@freeradius.org
Received: from mail.ietf.org (mail.ietf.org [64.170.98.32])
by liberty.deployingradius.com (Postfix) with ESMTP id EAFD61234566
for <aland@freeradius.org>; Mon, 22 Mar 2010 17:00:15 +0100 (CET)
Received: by core3.amsl.com (Postfix, from userid 30)
id 9718C3A696C; Mon, 22 Mar 2010 08:59:57 -0700 (PDT)
From: IETF I-D Submission Tool <idsubmission@ietf.org>
To: aland@freeradius.org
Subject: New Version Notification for draft-dekok-radext-dtls-02
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0
Message-Id: <20100322155957.9718C3A696C@core3.amsl.com>
Date: Mon, 22 Mar 2010 08:59:57 -0700 (PDT)
A new version of I-D, draft-dekok-radext-dtls-02.txt has been successfully submitted by Alan DeKok and posted to the IETF repository.
Filename: draft-dekok-radext-dtls
Revision: 02
Title: DTLS as a Transport Layer for RADIUS
Creation_date: 2010-03-22
WG ID: Independent Submission
Number_of_pages: 17
Abstract:
The RADIUS protocol [RFC2865] has limited support for authentication
and encryption of RADIUS packets. The protocol transports data "in
the clear", although some parts of the packets can have "hidden"
content. Packets may be replayed verbatim by an attacker, and
client-server authentication is based on fixed shared secrets. This
document specifies how the Datagram Transport Layer Security (DTLS)
protocol may be used as a fix for these problems. It also describes
how implementations of this proposal can co-exist with current RADIUS
systems.
The IETF Secretariat.
--------------080203020903010908080102--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Sun, 21 Mar 2010 17:48:14 +0000
Message-ID: <BLU137-W1283A52CEB7F1BF88D61E093280@phx.gbl>
Content-Type: multipart/alternative; boundary="_2597be0f-1806-43cb-bfdd-3c87d2f461a9_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
Subject: Slide Reminder
Date: Sun, 21 Mar 2010 10:47:23 -0700
MIME-Version: 1.0
--_2597be0f-1806-43cb-bfdd-3c87d2f461a9_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
The RADEXT WG meeting is scheduled for Monday March 22=2C 2010 in the 5:40 =
-7:40 PM slot.=20
If you are on the agenda and haven't already submitted your slides=2C pleas=
e do so ASAP.=20
=
--_2597be0f-1806-43cb-bfdd-3c87d2f461a9_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 10pt=3B
font-family:Verdana
}
--></style>
</head>
<body class=3D'hmmessage'>
The RADEXT WG meeting is scheduled for Monday March 22=2C 2010 in the 5:40 =
-7:40 PM slot. <br><br>If you are on the agenda and haven't already submitt=
ed your slides=2C please do so ASAP. <br><table style=3D"border-top: 1px so=
lid black=3B font-weight: bold=3B font-family: 'Segoe UI'=2CTahoma=2Csan-se=
rif=3B"><tbody><tr><td><a href=3D"http://im.live.com/Messenger/IM/Home/?sou=
rce=3DEML_WLHM_GreaterGood" style=3D"font-size: 9pt=3B color: rgb(1=2C 132=
=2C 203)=3B text-decoration: none=3B"><span style=3D"padding: 0px 24px=3B f=
ont-size: 8pt=3B color: rgb(63=2C 181=2C 85)=3B text-decoration: underline=
=3B"></span></a><br></td></tr></tbody></table> </body>
</html>=
--_2597be0f-1806-43cb-bfdd-3c87d2f461a9_--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Fri, 19 Mar 2010 20:00:56 +0000
Message-ID: <BLU137-W194A6A55C396F3F124BE81932A0@phx.gbl>
Content-Type: multipart/alternative; boundary="_c09ae083-e6af-4bd1-a7a6-3acb22b02489_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
Subject: RADEXT WG Last Call on "TLS Encryption for RADIUS" (Experimental)
Date: Fri, 19 Mar 2010 12:59:40 -0700
MIME-Version: 1.0
--_c09ae083-e6af-4bd1-a7a6-3acb22b02489_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
This is an announcement of RADEXT WG last call on "TLS Encryption for RADIU=
S"=2C prior to sending the document to the IESG for publication as an Exper=
imental RFC.=20
The document is available for inspection here:
http://tools.ietf.org/html/draft-ietf-radext-radsec
The RADEXT WG last call will last until April 19=2C 2010. If you have com=
ments on the document=2C please send them to the RADEXT WG mailing list (ra=
diusext@ops.ietf.org) in the format described on the RADEXT Issues list (ht=
tp://www.drizzle.com/~aboba/RADEXT/ ). =20
=
--_c09ae083-e6af-4bd1-a7a6-3acb22b02489_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 10pt=3B
font-family:Verdana
}
--></style>
</head>
<body class=3D'hmmessage'>
This is an announcement of RADEXT WG last call on "TLS Encryption for RADIU=
S"=2C prior to sending the document to the IESG for publication as an Exper=
imental RFC. <br><br>The document is available for inspection here:<br>http=
://tools.ietf.org/html/draft-ietf-radext-radsec<br><br>The RADEXT WG last c=
all will last until April 19=2C 2010. =3B =3B If you have comments =
on the document=2C please send them to the RADEXT WG mailing list (radiusex=
t@ops.ietf.org) in the format described on the RADEXT Issues list (http://w=
ww.drizzle.com/~aboba/RADEXT/ ). =3B <br><br><table style=3D"border-top=
: 1px solid black=3B font-weight: bold=3B font-family: 'Segoe UI'=2CTahoma=
=2Csan-serif=3B"><tbody><tr><td><a href=3D"http://im.live.com/Messenger/IM/=
Home/?source=3DEML_WLHM_GreaterGood" style=3D"font-size: 9pt=3B color: rgb(=
1=2C 132=2C 203)=3B text-decoration: none=3B"><span style=3D"padding: 0px 2=
4px=3B font-size: 8pt=3B color: rgb(63=2C 181=2C 85)=3B text-decoration: un=
derline=3B"></span></a><br></td></tr></tbody></table> </body>
</html>=
--_c09ae083-e6af-4bd1-a7a6-3acb22b02489_--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Fri, 19 Mar 2010 13:46:35 +0000
Message-ID: <4BA37FD6.9010007@restena.lu>
Date: Fri, 19 Mar 2010 14:44:54 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.5) Gecko/20091204 Lightning/1.0b1 Thunderbird/3.0
MIME-Version: 1.0
To: radiusext@ops.ietf.org
Subject: Re: I-D Action:draft-ietf-radext-dynamic-discovery-02.txt
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig7F20B62321868E56D87A55C0"
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig7F20B62321868E56D87A55C0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Hi,
> Can you summarize which issues were closed and which are open?
> =20
Sure: That's my current list of open questions for this draft.
1) Scope of Document: AAA in general or RADIUS transports only? Discuss
in dime.
2) mention of 4282: better leave it out? Need to re-define usage of @ as
delimiter then.
3) S-NAPTR: is this the right thing to do? Please review current draft.
4) IPv6: shall we give guidance about which stack to prefer, or how to
resolve names to IPs? Not a RADIUS issue after all; up to IPv6 wgs to
make such suggestions.
Greetings,
Stefan Winter
> -----Original Message-----
> From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org=
] On
> Behalf Of Stefan Winter
> Sent: Friday, March 05, 2010 6:52 AM
> To: radiusext@ops.ietf.org
> Cc: TF-Mobility
> Subject: Re: I-D Action:draft-ietf-radext-dynamic-discovery-02.txt
>
> Hi,
>
> =20
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> =20
> directories.
> =20
>> This draft is a work item of the RADIUS EXTensions Working Group of th=
e
>> =20
> IETF.
> =20
>>
>> Title : NAI-based Dynamic Peer Discovery for RADIUS over
>> =20
> TLS and DTLS
> =20
>> Author(s) : S. Winter, M. McCauley
>> Filename : draft-ietf-radext-dynamic-discovery-02.txt
>> Pages : 9
>> Date : 2010-03-05
>>
>> This document specifies a means to find authoritative AAA servers for =
>> a given NAI realm. It can be used in conjunction with RADIUS over TLS=
=20
>> and RADIUS over DTLS.
>> =20
>> =20
> This draft contains new text for the issues discussed previously on the=
> list. It doesn't update any text on the remaining items which are still=
> unresolved.
>
> Greetings,
>
> Stefan
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - R=E9seau T=E9l=E9informatique de l'Education Nation=
ale et de
> la Recherche 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
>
>
> =20
--------------enig7F20B62321868E56D87A55C0
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkujf90ACgkQ+jm90f8eFWZ2GgCeNcf+TaFWK0/gJ7+WApfc7m0b
HvYAn0yM25eXylS35AENnDJgB08KILu/
=b/qu
-----END PGP SIGNATURE-----
--------------enig7F20B62321868E56D87A55C0--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Thu, 18 Mar 2010 15:33:10 +0000
Message-ID: <BLU137-W133A60C2D306DFF885AA81932B0@phx.gbl>
Content-Type: multipart/alternative; boundary="_c185708e-f2dc-49c1-85cc-2f121ee2e64a_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
Subject: Slide Request
Date: Thu, 18 Mar 2010 08:32:21 -0700
MIME-Version: 1.0
--_c185708e-f2dc-49c1-85cc-2f121ee2e64a_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
The RADEXT WG meeting at IETF 77 will be held on Monday=2C March=20
22=2C 2010 in the 5:40 - 7:40 PM slot.
That is only 4 days from now!
So if you are on the agenda=2C please send your slides to Dave and=20
myself ASAP.=20
=
--_c185708e-f2dc-49c1-85cc-2f121ee2e64a_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 10pt=3B
font-family:Verdana
}
--></style>
</head>
<body class=3D'hmmessage'>
<br>The RADEXT WG meeting at IETF 77 will be held on Monday=2C March=20
22=2C 2010 in the 5:40 - 7:40 PM slot.<br>
<br>
That is only 4 days from now!<br>
<br>
So if you are on the agenda=2C please send your slides to Dave and=20
myself ASAP. <br><br><br><table style=3D"border-top: 1px solid black=3B fon=
t-weight: bold=3B font-family: 'Segoe UI'=2CTahoma=2Csan-serif=3B"><tbody><=
tr><td><a href=3D"http://im.live.com/Messenger/IM/Home/?source=3DEML_WLHM_G=
reaterGood" style=3D"font-size: 9pt=3B color: rgb(1=2C 132=2C 203)=3B text-=
decoration: none=3B"><span style=3D"padding: 0px 24px=3B font-size: 8pt=3B =
color: rgb(63=2C 181=2C 85)=3B text-decoration: underline=3B"></span></a><b=
r></td></tr></tbody></table> </body>
</html>=
--_c185708e-f2dc-49c1-85cc-2f121ee2e64a_--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Tue, 16 Mar 2010 01:14:12 +0000
Message-ID: <BLU137-W77528576E419A476C15AB932D0@phx.gbl>
Content-Type: multipart/alternative; boundary="_b857c37d-a77c-42ee-a748-36db7f90be31_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: <ietf@ietf.org>, <ietf-announce@ietf.org>
CC: "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
Subject: RE: Last Call: draft-ietf-radext-status-server (Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol) to Informational RFC
Date: Mon, 15 Mar 2010 18:13:24 -0700
MIME-Version: 1.0
--_b857c37d-a77c-42ee-a748-36db7f90be31_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
An editorial comment on Section 2.=20
Section 2
Status-Server packets are sent by a RADIUS client to a RADIUS server
in order to test the status of that server. A Message-Authenticator
attribute MUST be included so as to provide per-packet authentication
and integrity protection. A single Status-Server packet MUST be
included within a UDP datagram. RADIUS proxies MUST NOT forward
Status-Server packets.
Since a Status-Server packet MUST NOT be forwarded by a RADIUS proxy
or server=2C the destination of a Status-Server packet is set to the IP
address of the server which is being tested. As a result=2C the client
is provided with an indication of the status of that server only=2C
since no RADIUS proxies are on the path between the RADIUS client and
server. Since servers respond to a Status-Server packet without
examining the User-Name attribute=2C the response to a Status-Server
packet cannot be used to infer any information about the reachability
of specific realms.
A RADIUS server or proxy implementing this specification SHOULD
respond to a Status-Server packet with an Access-Accept
(authentication port) or Accounting-Message (accounting port). An
Access-Challenge response is NOT RECOMMENDED. An Access-Reject
response MAY be used. The list of attributes that are permitted in
Status-Server and Access-Accept packets responding to Status-Server
packets are provided in the Section 6.
[BA] These three paragraphs are a bit disjoint. Recommend changing it
to the following:
Status-Server packets are sent by a RADIUS client to a RADIUS server
in order to test the status of that server. The destination of
a Status-Server packet is set to the IP address of the server that
is being tested. A single Status-Server packet MUST be included=20
within a UDP datagram. A Message-Authenticator attribute MUST be=20
included so as to provide per-packet authentication and integrity=20
protection.=20
RADIUS proxies or servers MUST NOT forward Status-Server packets.
A RADIUS server or proxy implementing this specification SHOULD
respond to a Status-Server packet with an Access-Accept
(authentication port) or Accounting-Response (accounting port). An
Access-Challenge response is NOT RECOMMENDED. An Access-Reject
response MAY be used. The list of attributes that are permitted in
Status-Server and Access-Accept packets responding to Status-Server
packets are provided in the Section 6.
Since a Status-Server packet MUST NOT be forwarded=20
by a RADIUS proxy or server=2C the client is provided with an indication=
=20
of the status of that server only=2C since no RADIUS proxies are on the=
=20
path between the RADIUS client and server. Since servers respond=20
to a Status-Server packet without examining the User-Name attribute=2C=20
the response to a Status-Server packet cannot be used to infer any=20
information about the reachability of specific realms.=20
> To: ietf-announce@ietf.org
> From: iesg-secretary@ietf.org
> CC: radiusext@ops.ietf.org
> Subject: Last Call: draft-ietf-radext-status-server (Use of Status-Server=
Packets in the Remote Authentication Dial In User Service (RADIUS) Protoco=
l) to Informational RFC
> Date: Mon=2C 15 Mar 2010 12:42:32 -0700
>=20
> The IESG has received a request from the RADIUS EXTensions WG (radext) to=
=20
> consider the following document:
>=20
> - 'Use of Status-Server Packets in the Remote Authentication Dial In User=
=20
> Service (RADIUS) Protocol '
> <draft-ietf-radext-status-server-06.txt> as an Informational RFC
>=20
> The IESG plans to make a decision in the next few weeks=2C and solicits
> final comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2010-03-29. Exceptionally=2C=20
> comments may be sent to iesg@ietf.org instead. In either case=2C please=20
> retain the beginning of the Subject line to allow automated sorting.
>=20
> The file can be obtained via
> http://www.ietf.org/internet-drafts/draft-ietf-radext-status-server-06.tx=
t
>=20
>=20
> IESG discussion can be tracked via
> https://datatracker.ietf.org/public/pidtracker.cgi?command=3Dview_id&dTag=
=3D17334&rfc_flag=3D0
>=20
>=20
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
=
--_b857c37d-a77c-42ee-a748-36db7f90be31_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 10pt=3B
font-family:Verdana
}
--></style>
</head>
<body class=3D'hmmessage'>
An editorial comment on Section 2. <br><br>Section 2<br><br> =3B =
=3B Status-Server packets are sent by a RADIUS client to a RADIUS server<br=
> =3B =3B in order to test the status of that server. =3B A Mes=
sage-Authenticator<br> =3B =3B attribute MUST be included so as to =
provide per-packet authentication<br> =3B =3B and integrity protect=
ion. =3B A single Status-Server packet MUST be<br> =3B =3B incl=
uded within a UDP datagram. =3B RADIUS proxies MUST NOT forward<br>&nbs=
p=3B =3B Status-Server packets.<br><br> =3B =3B Since a Status-=
Server packet MUST NOT be forwarded by a RADIUS proxy<br> =3B =3B o=
r server=2C the destination of a Status-Server packet is set to the IP<br>&=
nbsp=3B =3B address of the server which is being tested. =3B As a r=
esult=2C the client<br> =3B =3B is provided with an indication of t=
he status of that server only=2C<br> =3B =3B since no RADIUS proxie=
s are on the path between the RADIUS client and<br> =3B =3B server.=
 =3B Since servers respond to a Status-Server packet without<br> =
=3B =3B examining the User-Name attribute=2C the response to a Status-S=
erver<br> =3B =3B packet cannot be used to infer any information ab=
out the reachability<br> =3B =3B of specific realms.<br><br> =
=3B =3B A RADIUS server or proxy implementing this specification SHOULD=
<br> =3B =3B respond to a Status-Server packet with an Access-Accep=
t<br> =3B =3B (authentication port) or Accounting-Message (accounti=
ng port). =3B An<br> =3B =3B Access-Challenge response is NOT R=
ECOMMENDED. =3B An Access-Reject<br> =3B =3B response MAY be us=
ed. =3B The list of attributes that are permitted in<br> =3B =
=3B Status-Server and Access-Accept packets responding to Status-Server<br>=
 =3B =3B packets are provided in the Section 6.<br><br>[BA] These t=
hree paragraphs are a bit disjoint. =3B Recommend changing it<br>to the=
following:<br><br> =3B =3B Status-Server packets are sent by a RAD=
IUS client to a RADIUS server<br> =3B =3B in order to test the stat=
us of that server. =3B =3B The destination of<br> =3B =3B a=
Status-Server packet is set to the IP address of the server that<br> =
=3B =3B is being tested. =3B A single Status-Server packet MUST be =
included <br> =3B =3B within a UDP datagram. =3B A Message-Auth=
enticator attribute MUST be <br> =3B =3B included so as to provide =
per-packet authentication and integrity <br> =3B =3B protection. <b=
r><br> =3B =3B RADIUS proxies or servers MUST NOT forward Status-Se=
rver packets.<br> =3B =3B A RADIUS server or proxy implementing thi=
s specification SHOULD<br> =3B =3B respond to a Status-Server packe=
t with an Access-Accept<br> =3B =3B (authentication port) or Accoun=
ting-Response (accounting port). =3B An<br> =3B =3B Access-Chal=
lenge response is NOT RECOMMENDED. =3B An Access-Reject<br> =3B&nbs=
p=3B response MAY be used. =3B The list of attributes that are permitte=
d in<br> =3B =3B Status-Server and Access-Accept packets responding=
to Status-Server<br> =3B =3B packets are provided in the Section 6=
.<br><br> =3B =3B Since a Status-Server packet MUST NOT be forwarde=
d <br> =3B =3B by a RADIUS proxy or server=2C the client is provide=
d with an indication <br> =3B =3B of the status of that server only=
=2C since no RADIUS proxies are on the <br> =3B =3B path between th=
e RADIUS client and server. =3B Since servers respond <br> =3B =
=3B to a Status-Server packet without examining the User-Name attribute=2C =
<br> =3B =3B the response to a Status-Server packet cannot be used =
to infer any <br> =3B =3B information about the reachability of spe=
cific realms. <br><br><br><table style=3D"border-top: 1px solid black=3B fo=
nt-weight: bold=3B font-family: 'Segoe UI'=2CTahoma=2Csan-serif=3B"><tbody>=
<tr><td><a href=3D"http://im.live.com/Messenger/IM/Home/?source=3DEML_WLHM_=
GreaterGood" style=3D"font-size: 9pt=3B color: rgb(1=2C 132=2C 203)=3B text=
-decoration: none=3B"><span style=3D"padding: 0px 24px=3B font-size: 8pt=3B=
color: rgb(63=2C 181=2C 85)=3B text-decoration: underline=3B"></span></a><=
br></td></tr></tbody></table><br><br>>=3B To: ietf-announce@ietf.org<br>&=
gt=3B From: iesg-secretary@ietf.org<br>>=3B CC: radiusext@ops.ietf.org<br=
>>=3B Subject: Last Call: draft-ietf-radext-status-server (Use of Status-=
Server Packets in the Remote Authentication Dial In User Service (RADIUS) P=
rotocol) to Informational RFC<br>>=3B Date: Mon=2C 15 Mar 2010 12:42:32 -=
0700<br>>=3B <br>>=3B The IESG has received a request from the RADIUS E=
XTensions WG (radext) to <br>>=3B consider the following document:<br>>=
=3B <br>>=3B - 'Use of Status-Server Packets in the Remote Authentication=
Dial In User <br>>=3B Service (RADIUS) Protocol '<br>>=3B <=3B=
draft-ietf-radext-status-server-06.txt>=3B as an Informational RFC<br>>=
=3B <br>>=3B The IESG plans to make a decision in the next few weeks=2C a=
nd solicits<br>>=3B final comments on this action. Please send substanti=
ve comments to the<br>>=3B ietf@ietf.org mailing lists by 2010-03-29. Exc=
eptionally=2C <br>>=3B comments may be sent to iesg@ietf.org instead. In =
either case=2C please <br>>=3B retain the beginning of the Subject line t=
o allow automated sorting.<br>>=3B <br>>=3B The file can be obtained vi=
a<br>>=3B http://www.ietf.org/internet-drafts/draft-ietf-radext-status-se=
rver-06.txt<br>>=3B <br>>=3B <br>>=3B IESG discussion can be tracked =
via<br>>=3B https://datatracker.ietf.org/public/pidtracker.cgi?command=3D=
view_id&=3BdTag=3D17334&=3Brfc_flag=3D0<br>>=3B <br>>=3B <br>>=
=3B --<br>>=3B to unsubscribe send a message to radiusext-request@ops.iet=
f.org with<br>>=3B the word 'unsubscribe' in a single line as the message=
text body.<br>>=3B archive: <=3Bhttp://psg.com/lists/radiusext/>=3B<=
br> </body>
</html>=
--_b857c37d-a77c-42ee-a748-36db7f90be31_--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 15 Mar 2010 19:43:39 +0000
To: IETF-Announce <ietf-announce@ietf.org>
From: The IESG <iesg-secretary@ietf.org>
Reply-to: ietf@ietf.org
CC: <radiusext@ops.ietf.org>
Subject: Last Call: draft-ietf-radext-status-server (Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol) to Informational RFC
Message-Id: <20100315194232.AC7A93A69BE@core3.amsl.com>
Date: Mon, 15 Mar 2010 12:42:32 -0700 (PDT)
The IESG has received a request from the RADIUS EXTensions WG (radext) to
consider the following document:
- 'Use of Status-Server Packets in the Remote Authentication Dial In User
Service (RADIUS) Protocol '
<draft-ietf-radext-status-server-06.txt> as an Informational RFC
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2010-03-29. Exceptionally,
comments may be sent to iesg@ietf.org instead. In either case, please
retain the beginning of the Subject line to allow automated sorting.
The file can be obtained via
http://www.ietf.org/internet-drafts/draft-ietf-radext-status-server-06.txt
IESG discussion can be tracked via
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=17334&rfc_flag=0
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Wed, 10 Mar 2010 07:49:34 +0000
From: Maglione Roberta <roberta.maglione@telecomitalia.it>
To: Glen Zorn <gwz@net-zen.net>, "suresh.krishnan@ericsson.com" <suresh.krishnan@ericsson.com>, "alan.kavanagh@ericsson.com" <alan.kavanagh@ericsson.com>, "varga.balazs@telekom.hu" <varga.balazs@telekom.hu>, "jkaippal@huawei.com" <jkaippal@huawei.com>
CC: "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
Date: Wed, 10 Mar 2010 08:48:46 +0100
Subject: RE: comments on draft-maglione-radext-ipv6-acct-extensions-01
Thread-Topic: comments on draft-maglione-radext-ipv6-acct-extensions-01
Thread-Index: Acq/R0ohergv+PqsRSGlHd89lrAkpQA3VGig
Message-ID: <282BBE8A501E1F4DA9C775F964BB21FE3E7E61FCC1@GRFMBX704BA020.griffon.local>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Thanks for your comments.
Please see answers inline.
Regards,
Robert
-----Original Message-----
From: Glen Zorn [mailto:gwz@net-zen.net]
Sent: Tuesday, March 09, 2010 6:14 AM
To: Maglione Roberta; suresh.krishnan@ericsson.com; alan.kavanagh@ericsson.=
com; varga.balazs@telekom.hu; jkaippal@huawei.com
Cc: 'Glen Zorn'; ietf@ietf.org
Subject: comments on draft-maglione-radext-ipv6-acct-extensions-01
Not sure why this is Standards Track since both RFC 2866 & RFC 2869 are
Informational.
[RM] ok we can change to Informational.
It would be more in-line w/RADIUS tradition to name the Attributes
Acct-IPv6-* rather than IPv6-Acct-*.
[RM] ok fine.
References are pointers to objects, not the objects themselves. Suggest
changing all instances of constructs like "[RFC2866]and [RFC2869] specify"
to "RFC 2866 [RFC2866] and RFC 2869 [RFC2869] specify" or simply rewriting
the sentences so that the use of pointers makes sense, in this case perhaps
to "Existing documents (RFC2866], [RFC2869]) specify".
[RM] ok we will re-phrase it.
TYPO: s/the IPv6 in broadband environment/IPv6 in broadband environments/ i=
n
the Introduction.
TYPO: s/new RADIUS attribute have to be defined/new RADIUS attributes have
to be defined/ in the Introduction
[RM] ok we will correct these typos
The second paragraph of the Introduction says "This document describes
additional RADIUS attributes for collecting IPv6 specific statistics in
RADIUS Accounting messages"; suggest changing to "This document describes
additional RADIUS attributes for transporting IPv6-specific statistics in
RADIUS Accounting messages".
[RM] ok thanks for the suggestions we will re-phrase this sentence
Section 3, second paragraph says:
Existing RADIUS attributes like Acct-Input-Octets, Acct-Output-
Octets, Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Gigawords
and Acct-Output-Gigawords, could be used to collect statistics for
all traffic(including IPv4, IPv6 and other protocols), while the
availability of IPv6 specific RADIUS attributes would allow the
collection of IPv6 statistics.
Suggest changing to:
Existing RADIUS attributes like Acct-Input-Octets, Acct-Output-
Octets, Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Gigawords
and Acct-Output-Gigawords, could be used to collect statistics for
all traffic (including IPv4, IPv6 and other protocols), while the
availability of IPv6-specific RADIUS attributes would allow the
collection of IPv6 statistics.
[RM] ok
It's not at all clear to me why the first paragraph of section 4.1 exists.
The second paragraph of Section 4.1 says:
If the Accounting-Request packet includes a Framed-IPv6-Prefix, that
attribute MUST contain the IPv6 prefix allocated to the user. In
deployment scenarios where DHCPv6 prefix delegation is used, the
Accounting-Request packet will contain a Delegated-IPv6-Prefix
attribute that contains the IPv6 prefix delegated to the user.
The first sentence just repeats what RFC 3162 says about the
Framed-IPv6-Prefix Attribute. This seems unnecessary. The second sentence
says that "the Accounting-Request packet will contain a
Delegated-IPv6-Prefix attribute" but RFC 4818 doesn't say this. As one may
have guessed, I would prefer that section 4 be deleted altogether, but if
the authors feel it necessary for it to be included, I suggest modifying it
to at least be accurate and to include references to RFC 3962 and RFC 4818.
[RM] I may need to re-discuss this point with the other co-authors, we will=
get back to you on this
In sections 5.*, a blank line should be added before "Length" in the
Attribute summaries.
[RM] ok
In Section 7, an allocation policy must be specified; suggest just adding a
reference to RFC 3575.
[RM] ok.
Questo messaggio e i suoi allegati sono indirizzati esclusivamente alle per=
sone indicate. La diffusione, copia o qualsiasi altra azione derivante dall=
a conoscenza di queste informazioni sono rigorosamente vietate. Qualora abb=
iate ricevuto questo documento per errore siete cortesemente pregati di dar=
ne immediata comunicazione al mittente e di provvedere alla sua distruzione=
, Grazie.
This e-mail and any attachments is confidential and may contain privileged =
information intended for the addressee(s) only. Dissemination, copying, pri=
nting or use by anybody else is unauthorised. If you are not the intended r=
ecipient, please delete this message and any attachments and advise the sen=
der by return e-mail, Thanks.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Tue, 09 Mar 2010 20:10:09 +0000
Message-ID: <BLU137-W1CBE20CE168A8C58FD45C93340@phx.gbl>
Content-Type: multipart/alternative; boundary="_58a2a7eb-2536-4948-8f4a-b8b2eac4f905_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
Subject: comments on draft-maglione-radext-ipv6-acct-extensions-01
Date: Tue, 9 Mar 2010 12:09:36 -0800
MIME-Version: 1.0
--_58a2a7eb-2536-4948-8f4a-b8b2eac4f905_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue=2C 9 Mar 2010 12:13:45 +0700
From: "Glen Zorn" <gwz@net-zen.net>
Subject: comments on draft-maglione-radext-ipv6-acct-extensions-01
To: <roberta.maglione@telecomitalia.it>=2C
<suresh.krishnan@ericsson.com>=2C <alan.kavanagh@ericsson.com>=2C
<varga.balazs@telekom.hu>=2C <jkaippal@huawei.com>
Not sure why this is Standards Track since both RFC 2866 & RFC 2869 are
Informational.
=20
It would be more in-line w/RADIUS tradition to name the Attributes
Acct-IPv6-* rather than IPv6-Acct-*.
=20
References are pointers to objects=2C not the objects themselves. Suggest
changing all instances of constructs like "[RFC2866]and [RFC2869] specify"
to "RFC 2866 [RFC2866] and RFC 2869 [RFC2869] specify" or simply rewriting
the sentences so that the use of pointers makes sense=2C in this case perha=
ps
to "Existing documents (RFC2866]=2C [RFC2869]) specify".
=20
TYPO: s/the IPv6 in broadband environment/IPv6 in broadband environments/ i=
n
the Introduction.
=20
TYPO: s/new RADIUS attribute have to be defined/new RADIUS attributes have
to be defined/ in the Introduction
=20
The second paragraph of the Introduction says "This document describes
additional RADIUS attributes for collecting IPv6 specific statistics in
RADIUS Accounting messages"=3B suggest changing to "This document describes
additional RADIUS attributes for transporting IPv6-specific statistics in
RADIUS Accounting messages".
=20
Section 3=2C second paragraph says:
Existing RADIUS attributes like Acct-Input-Octets=2C Acct-Output-
Octets=2C Acct-Input-Packets=2C Acct-Output-Packets=2C Acct-Input-Gigawo=
rds
and Acct-Output-Gigawords=2C could be used to collect statistics for
all traffic(including IPv4=2C IPv6 and other protocols)=2C while the
availability of IPv6 specific RADIUS attributes would allow the
collection of IPv6 statistics.
Suggest changing to:
Existing RADIUS attributes like Acct-Input-Octets=2C Acct-Output-
Octets=2C Acct-Input-Packets=2C Acct-Output-Packets=2C Acct-Input-Gigawo=
rds
and Acct-Output-Gigawords=2C could be used to collect statistics for
all traffic (including IPv4=2C IPv6 and other protocols)=2C while the
availability of IPv6-specific RADIUS attributes would allow the
collection of IPv6 statistics.
=20
It's not at all clear to me why the first paragraph of section 4.1 exists.
=20
The second paragraph of Section 4.1 says:
If the Accounting-Request packet includes a Framed-IPv6-Prefix=2C that
attribute MUST contain the IPv6 prefix allocated to the user. In
deployment scenarios where DHCPv6 prefix delegation is used=2C the
Accounting-Request packet will contain a Delegated-IPv6-Prefix
attribute that contains the IPv6 prefix delegated to the user.
The first sentence just repeats what RFC 3162 says about the
Framed-IPv6-Prefix Attribute. This seems unnecessary. The second sentence
says that "the Accounting-Request packet will contain a
Delegated-IPv6-Prefix attribute" but RFC 4818 doesn't say this. As one may
have guessed=2C I would prefer that section 4 be deleted altogether=2C but =
if
the authors feel it necessary for it to be included=2C I suggest modifying =
it
to at least be accurate and to include references to RFC 3962 and RFC 4818.
=20
In sections 5.*=2C a blank line should be added before "Length" in the
Attribute summaries.
=20
In Section 7=2C an allocation policy must be specified=3B suggest just addi=
ng a
reference to RFC 3575.
=
--_58a2a7eb-2536-4948-8f4a-b8b2eac4f905_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 10pt=3B
font-family:Verdana
}
--></style>
</head>
<body class=3D'hmmessage'>
<pre><br>Date: Tue=2C 9 Mar 2010 12:13:45 +0700<br>From: "Glen Zorn" <=3B=
gwz@net-zen.net>=3B<br>Subject: comments on draft-maglione-radext-ipv6-ac=
ct-extensions-01<br>To: <=3Broberta.maglione@telecomitalia.it>=3B=2C<br=
> <=3Bsuresh.krishnan@ericsson.com>=3B=2C <=3Balan.kavanagh@ericsson.=
com>=3B=2C<br> <=3Bvarga.balazs@telekom.hu>=3B=2C <=3Bjkaippal@huaw=
ei.com>=3B<br><br>Not sure why this is Standards Track since both RFC 286=
6 &=3B RFC 2869 are<br>Informational.<br> <br>It would be more in-line w=
/RADIUS tradition to name the Attributes<br>Acct-IPv6-* rather than IPv6-Ac=
ct-*.<br> <br>References are pointers to objects=2C not the objects themsel=
ves. Suggest<br>changing all instances of constructs like "[RFC2866]and [R=
FC2869] specify"<br>to "RFC 2866 [RFC2866] and RFC 2869 [RFC2869] specify" =
or simply rewriting<br>the sentences so that the use of pointers makes sens=
e=2C in this case perhaps<br>to "Existing documents (RFC2866]=2C [RFC2869])=
specify".<br> <br>TYPO: s/the IPv6 in broadband environment/IPv6 in broadb=
and environments/ in<br>the Introduction.<br> <br>TYPO: s/new RADIUS attrib=
ute have to be defined/new RADIUS attributes have<br>to be defined/ in the =
Introduction<br> <br>The second paragraph of the Introduction says "This do=
cument describes<br>additional RADIUS attributes for collecting IPv6 specif=
ic statistics in<br>RADIUS Accounting messages"=3B suggest changing to "Thi=
s document describes<br>additional RADIUS attributes for transporting IPv6-=
specific statistics in<br>RADIUS Accounting messages".<br> <br>Section 3=2C=
second paragraph says:<br> Existing RADIUS attributes like Acct-Input-Oc=
tets=2C Acct-Output-<br> Octets=2C Acct-Input-Packets=2C Acct-Output-Pack=
ets=2C Acct-Input-Gigawords<br> and Acct-Output-Gigawords=2C could be use=
d to collect statistics for<br> all traffic(including IPv4=2C IPv6 and ot=
her protocols)=2C while the<br> availability of IPv6 specific RADIUS attr=
ibutes would allow the<br> collection of IPv6 statistics.<br>Suggest chan=
ging to:<br> Existing RADIUS attributes like Acct-Input-Octets=2C Acct-Ou=
tput-<br> Octets=2C Acct-Input-Packets=2C Acct-Output-Packets=2C Acct-Inp=
ut-Gigawords<br> and Acct-Output-Gigawords=2C could be used to collect st=
atistics for<br> all traffic (including IPv4=2C IPv6 and other protocols)=
=2C while the<br> availability of IPv6-specific RADIUS attributes would a=
llow the<br> collection of IPv6 statistics.<br> <br>It's not at all clear=
to me why the first paragraph of section 4.1 exists.<br> <br>The second pa=
ragraph of Section 4.1 says:<br> If the Accounting-Request packet include=
s a Framed-IPv6-Prefix=2C that<br> attribute MUST contain the IPv6 prefix=
allocated to the user. In<br> deployment scenarios where DHCPv6 prefix =
delegation is used=2C the<br> Accounting-Request packet will contain a De=
legated-IPv6-Prefix<br> attribute that contains the IPv6 prefix delegated=
to the user.<br>The first sentence just repeats what RFC 3162 says about t=
he<br>Framed-IPv6-Prefix Attribute. This seems unnecessary. The second se=
ntence<br>says that "the Accounting-Request packet will contain a<br>Delega=
ted-IPv6-Prefix attribute" but RFC 4818 doesn't say this. As one may<br>ha=
ve guessed=2C I would prefer that section 4 be deleted altogether=2C but if=
<br>the authors feel it necessary for it to be included=2C I suggest modify=
ing it<br>to at least be accurate and to include references to RFC 3962 and=
RFC 4818.<br> <br>In sections 5.*=2C a blank line should be added before "=
Length" in the<br>Attribute summaries.<br> <br>In Section 7=2C an allocatio=
n policy must be specified=3B suggest just adding a<br>reference to RFC 357=
5.</pre><table style=3D"border-top: 1px solid black=3B font-weight: bold=3B=
font-family: 'Segoe UI'=2CTahoma=2Csan-serif=3B"><tbody><tr><td><a href=3D=
"http://im.live.com/Messenger/IM/Home/?source=3DEML_WLHM_GreaterGood" style=
=3D"font-size: 9pt=3B color: rgb(1=2C 132=2C 203)=3B text-decoration: none=
=3B"><span style=3D"padding: 0px 24px=3B font-size: 8pt=3B color: rgb(63=2C=
181=2C 85)=3B text-decoration: underline=3B"></span></a><br></td></tr></tb=
ody></table> </body>
</html>=
--_58a2a7eb-2536-4948-8f4a-b8b2eac4f905_--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Tue, 09 Mar 2010 19:01:24 +0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: AD review of draft-ietf-radext-status-server-06.txt
Date: Tue, 9 Mar 2010 20:00:11 +0100
Message-ID: <EDC652A26FB23C4EB6384A4584434A0401FFEFD8@307622ANEX5.global.avaya.com>
Thread-Topic: AD review of draft-ietf-radext-status-server-06.txt
Thread-Index: Acq/ur52dL8YmGwYRyGW/2lbLqA5AA==
From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: <radiusext@ops.ietf.org>
I have reviewed the I-D draft-ietf-radext-status-server-06.txt. The
document is in good shape and ready to be sent to IETF Last Call. The
comments below can be considered together with the other comments
received during the IETF Last Call.=20
The comments are divided into Technical and Editorial.=20
T1. The document is using the Status-Server Code (12) which is
experimental. Why is not the intended status of the document
experimental?=20
T2. The following requirements seem to conflict:=20
- section 4.1: 'The client MAY increment packet counters as a result of
sending a
Status-Server request, or receiving a Response packet. '
- section 4.6.2: ' Clients implementing Status-Server MUST NOT increment
[RFC4668] or
[RFC4670] counters upon reception of Response packets to Status-
Server queries. '
I think that the later is better.=20
T3. The following requirements seem to conflict:=20
- section 4.2: 'The server MAY increment packet counters as a result of
receiving a
Status-Server, or sending a Response packet. '
- section 4.6.1: '...when a server fully implements
Status-Server, the counters defined in [RFC4669] and [RFC4671] MUST
be unaffected by the transmission or reception of packets relating to
Status-Server.'
I think that the later is better.=20
E1. I could not understand the logic of the different alignments of
paragraphs in Section 3.=20
E2. In section 4.1 I do not like the word 'Robust' in ' Robust
implementations SHOULD accept any Response packet ...'
E3. In the same section I think that 'should' in the following phrase
needs to be capitalized:=20
> That is, prior to accepting the response as valid, the client should
check that the Response packet Code field is either Access-Accept (2)
or Accounting-Response (5). =20
E4. In the same section I think that the MUST in the following phrase
needs not be capitalized:=20
> If the Response Authenticator is valid,
then the packet MUST be deemed to be a valid response from the
server.
E5. In Section 4.5 s/Each RADIUS Proxyhas/Each RADIUS Proxy has/
Thanks and Regards,
Dan
=20
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Tue, 09 Mar 2010 17:16:08 +0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: AD review of draft-ietf-radext-tcp-transport-05
Date: Tue, 9 Mar 2010 18:14:45 +0100
Message-ID: <EDC652A26FB23C4EB6384A4584434A0401FFEFAC@307622ANEX5.global.avaya.com>
Thread-Topic: AD review of draft-ietf-radext-tcp-transport-05
Thread-Index: Acq/rAP0GuWJ8F1RRmWfbki3HIknWw==
From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: <radiusext@ops.ietf.org>
Please find below the AD review of AD review of
draft-ietf-radext-tcp-transport-05. I believe that the document will be
ready for IETF Last Call only after the issues raised in this review are
addressed.=20
The issues are divided into Technical (T) and Editorial (E).=20
T1. The document is marked as EXPERIMENTAL. It would be useful if it
mentions in one of the introductory sections what are the goals and
limitations (if any) of the experimental deployment and what would be
the success criteria of the experiment that would allow for taking the
document to the standards track later.=20
T2. Section 2.2:=20
> Since these ports are unused by existing RADIUS implementations, the
assigned values SHOULD be used as the default ports for RADIUS over
TCP.
Why is this a SHOULD and not a MUST?=20
T3. Section 2.3 needs a complete re-writing:=20
> The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670],
[RFC4671], [RFC4672], and [RFC4673] each contain only one reference
to UDP. These references are in the DESCRIPTION field of the MIB
Module definition, and are in the form of "The UDP port" or "the UDP
destination port".
Actually the count is not accurate. 4688 and 4670 have each two MIB
objects that refer to UDP ports, 4669 and 4671 have none, 4672 and 4673
have one each, but only in 4672 the port is referred to as UDP port
(although it is clear from the context that UDP is assumed).=20
> Implementations of RADIUS over TCP SHOULD re-use these MIB Modules to
perform statistics counting for RADIUS over TCP connections.
However, implementors are warned that there is no way for these MIB
Modules to distinguish between packets sent over UDP or over TCP
transport. =20
This does not work. One cannot know what current implementations do.
Some may behave as described here, but other may not and could count
statistics strictly over UDP as defined in the DESCRIPTION of the MIB
objects. You cannot count on that the agent implementations will do, so
there is no interoperability. =20
> Implementations of RADIUS over TCP SHOULD include the protocol (UDP)
or (TCP) in the radiusAuthServIdent, radiusAuthClientID,
radiusAuthClientIdentifier, radiusAccServIdent, radiusAccClientID, or
radiusAccClientIdentifier fields of the MIB Module. This information
can help the administrator distinguish capabilities of systems in the
network.
This is also broken. First it is a change in the semantics of the
respective objects. This cannot be done even in a MIB document that
updates the respective RFCs because of the SMIv2 rules. Then these
objects are of a syntax of SnmpAdminString - so including the protocol
is based on non-interoperable heuristics. Last, describing the
capabilities (UDP, TCP or both) does not indicate what runs and is
activated at a certain moment, not to speak cannot indicate anything
about specific sessions between clients and servers.=20
The correct solution is for the MIB documents to be updated in the
future with new MIB objects of appropriate syntax. For the time being
the only thing that this section should say is that the MIB modules do
not support RADIUS over TCP and that they will need to be updated in the
future.=20
T4. The following section in 2.6.1 is confusing:=20
> Much of the discussion in this section can be summarized by the
following requirement. RADIUS requests MAY be re-transmitted
verbatim only if the following 5-tuple (Client IP address, Client
port, Transport Protocol, Server IP address, Server port) remains the
same.=20
Actually this is not a retransmission on the same connection, so I do
not know why it needs to be mentioned at all. This aparently contradicts
the first paragraph of 2.6.1 which says 'As TCP is a reliable transport,
implementations MUST NOT retransmit RADIUS request packets over a given
TCP connection.'.=20
T5. The last paragraph in 2.6.1:=20
> The above requirement is necessary, but not sufficient in all cases.
Other specifications give additional situations where the packet is
to be considered as a new request. Those recommendations MUST also
be followed.
Having a MUST requirement over undefined 'other specification' is not
implementable. I would suggest to either clarify what are these 'other
specifications' or take this out.=20
E1. Please expand TLS at first occurrence.=20
E2. The Introduction section speaks about 'the default Internet MTU
(576). Strictly speaking this value is not standardized in any place,
and later in section 1.1 reference is made to RADIUS packets being
restricted to 1500 octets in size. Looks like an unnecessary
inconsistency.=20
E3. Section 1.2 - the syntax in the RADIUS server definition is
inconsistent with the syntax of the rest of the definitions
E4. Section 2.6.7:=20
> We RECOMMEND that implementors of this specification
familiarize themselves with TCP application programming concepts. We
RECOMMEND also that existing TCP applications be examined with an eye
to robustness, performance, scalability, etc.
The use of capitalized (a la 2119) keywords in a personalized phrase
does not make much sense. RECOMMEND is not a keyword actually. I suggest
rephrasing.=20
Regards,
Dan
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 08 Mar 2010 15:22:54 +0000
Message-ID: <BLU137-DS1A25CD691322C68F1348A93350@phx.gbl>
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
To: <radiusext@ops.ietf.org>
Subject: RADEXT WG Agenda for IETF 77 -- Take Two
Date: Mon, 8 Mar 2010 07:22:49 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_005E_01CABE90.2871B8B0"
Thread-Index: Acq9pnG8jvTU5Gw1Rt29XUSxBvrDGABLB40A
Content-Language: en-us
------=_NextPart_000_005E_01CABE90.2871B8B0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
IETF 77 RADEXT WG Meeting
Monday, March 22, 2010
1740 - 1940 Pacific Time
Redondo room
Anaheim, CA
Chairs: Bernard Aboba <mailto:Bernard_aboba@hotmail.com>
Bernard_aboba@hotmail.com
David Nelson <mailto:d.b.nelson%40comcast.net> d.b.nelson@comcast.net
Jabber room: radext at jabber.ietf.org (please join)
Agenda
17:40 - 17:50 PT: Preliminaries
Bluesheets
Attendance
Note takers
Agenda bash
Document Status
SECURE RADIUS TRANSPORT (30 minutes)
1750 - 1800 AM PT RTLS, Stefan Winter (10 minutes)
http://tools.ietf.org/html/draft-ietf-radext-radsec
1800 AM - 1810 PT NAI-Based Peer Discovery, Stefan Winter (10 minutes)
<http://tools.ietf.org/html/draft-ietf-radext-dynamic-discovery>
http://tools.ietf.org/html/draft-ietf-radext-dynamic-discovery
1810 - 1820 PT RADIUS over DTLS, Alan DeKok (10 minutes)
<http://tools.ietf.org/html/draft-dekok-radext-dtls>
http://tools.ietf.org/html/draft-dekok-radext-dtls
IPv6 (20 minutes)
1820 - 1830 RADIUS Attributes for IPv6 Networks, W. Dec (10 minutes)
http://tools.ietf.org/html/draft-ietf-radext-ipv6-access
1830 - 1840 Accounting Extensions for IPv6, R. Maglione (10 minutes)
http://tools.ietf.org/html/draft-maglione-radext-ipv6-acct-extensions
Design Guidelines (50 minutes)
1840 - 1930 Design Guidelines, Alan DeKok (50 minutes)
http://tools.ietf.org/html/draft-ietf-radext-design-guidelines
Wrap-up (10 minutes)
1930 - 1940 Discussion and Next Steps: WG Chairs & ADs (10 minutes)
------=_NextPart_000_005E_01CABE90.2871B8B0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal>IETF 77 RADEXT WG Meeting<o:p></o:p></p>
<p class=3DMsoNormal>Monday, March 22, 2010<o:p></o:p></p>
<p class=3DMsoNormal>1740 - 1940 Pacific Time<o:p></o:p></p>
<p class=3DMsoNormal>Redondo room<o:p></o:p></p>
<p class=3DMsoNormal>Anaheim, CA<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal><span style=3D'color:black'>Chairs: Bernard =
Aboba <a
href=3D"mailto:Bernard_aboba@hotmail.com"><span =
style=3D'color:black'>Bernard_aboba@hotmail.com</span></a><o:p></o:p></sp=
an></p>
<p class=3DMsoNormal><span style=3D'color:black'>David Nelson <a
href=3D"mailto:d.b.nelson%40comcast.net"><span =
style=3D'color:black'>d.b.nelson@comcast.net</span></a><o:p></o:p></span>=
</p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>Jabber room: radext at
jabber.ietf.org (please join)<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'>Agenda<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>17:40 – 17:50 PT: =
Preliminaries <o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'>
Bluesheets<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'>
Attendance<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'> Note
takers<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'> Agenda
bash<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'> Document
Status<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>SECURE RADIUS TRANSPORT =
(30
minutes)<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>1750 – 1800 AM =
PT RTLS,
Stefan Winter (10 minutes)<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'>http://tools.ietf.org/html/draft-ietf-radext-radsec=
<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>1800 AM - 1810 PT =
NAI-Based Peer
Discovery, Stefan Winter (10 minutes)<o:p></o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'><a
href=3D"http://tools.ietf.org/html/draft-ietf-radext-dynamic-discovery"><=
span
style=3D'color:black'>http://tools.ietf.org/html/draft-ietf-radext-dynami=
c-discovery</span></a><o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>1810 – 1820 PT =
RADIUS over DTLS,
Alan DeKok (10 minutes)<o:p></o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'><a
href=3D"http://tools.ietf.org/html/draft-dekok-radext-dtls"><span
style=3D'color:black'>http://tools.ietf.org/html/draft-dekok-radext-dtls<=
/span></a><o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>IPv6 (20 =
minutes)<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>1820 – 1830 =
RADIUS
Attributes for IPv6 Networks, W. Dec (10 minutes)<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'>http://tools.ietf.org/html/draft-ietf-radext-ipv6-a=
ccess<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>1830 - 1840 =
Accounting
Extensions for IPv6, R. Maglione (10 minutes)<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'>http://tools.ietf.org/html/draft-maglione-radext-ip=
v6-acct-extensions<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>Design Guidelines (50 =
minutes)<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>1840 – 1930 =
Design
Guidelines, Alan DeKok (50 minutes)<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'>http://tools.ietf.org/html/draft-ietf-radext-design=
-guidelines<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>Wrap-up (10 =
minutes)<o:p></o:p></span></p>
<p class=3DMsoNormal><span =
style=3D'color:black'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span style=3D'color:black'>1930 - 1940 =
Discussion and
Next Steps: WG Chairs & ADs (10 minutes)<o:p></o:p></span></p>
</div>
</body>
</html>
------=_NextPart_000_005E_01CABE90.2871B8B0--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Sun, 07 Mar 2010 03:30:23 +0000
Message-ID: <BLU137-DS134A87A5264FF32249C1AE93360@phx.gbl>
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
To: <radiusext@ops.ietf.org>
Subject: RADEXT WG Agenda for IETF 77 -- Take One
Date: Sat, 6 Mar 2010 19:29:50 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01CABD63.63D7CEE0"
Thread-Index: Acq9pnG8jvTU5Gw1Rt29XUSxBvrDGA==
Content-Language: en-us
------=_NextPart_000_0007_01CABD63.63D7CEE0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
IETF 77 RADEXT WG Meeting
Monday, March 22, 2010
1740 - 1940 Pacific Time
Redondo room
Anaheim, CA
Chairs: Bernard Aboba Bernard_aboba@hotmail.com
David Nelson d.b.nelson@comcast.net <mailto:d.b.nelson%40comcast.net>
Jabber room: radext at jabber.ietf.org (please join)
Agenda
17:40 - 17:50 PT: Preliminaries
Bluesheets
Attendance
Note takers
Agenda bash
Document Status
RADSEC (30 minutes)
1750 - 1805 AM PT RADSEC, Stefan Winter (15 minutes)
http://tools.ietf.org/html/draft-ietf-radext-radsec
1805 AM - 1820 PT NAI-Based Peer Discovery, Stefan Winter (15 minutes)
http://tools.ietf.org/html/draft-ietf-radext-dynamic-discovery
IPv6 (20 minutes)
1820 - 1830 RADIUS Attributes for IPv6 Networks, W. Dec (10 minutes)
http://tools.ietf.org/html/draft-ietf-radext-ipv6-access
1830 - 1840 Accounting Extensions for IPv6, R. Maglione (10 minutes)
http://tools.ietf.org/html/draft-maglione-radext-ipv6-acct-extensions
Design Guidelines (50 minutes)
1840 - 1930 Design Guidelines, Alan DeKok (50 minutes)
http://tools.ietf.org/html/draft-ietf-radext-design-guidelines
Wrap-up (10 minutes)
1930 - 1940 Discussion and Next Steps: WG Chairs & ADs (10 minutes)
------=_NextPart_000_0007_01CABD63.63D7CEE0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal>IETF 77 RADEXT WG Meeting<o:p></o:p></p>
<p class=3DMsoNormal>Monday, March 22, 2010<o:p></o:p></p>
<p class=3DMsoNormal>1740 - 1940 Pacific Time<o:p></o:p></p>
<p class=3DMsoNormal>Redondo room<o:p></o:p></p>
<p class=3DMsoNormal>Anaheim, CA<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>Chairs: Bernard Aboba <a
href=3D"mailto:Bernard_aboba@hotmail.com">Bernard_aboba@hotmail.com</a><o=
:p></o:p></p>
<p class=3DMsoNormal>David Nelson <a =
href=3D"mailto:d.b.nelson%40comcast.net">d.b.nelson@comcast.net</a><o:p><=
/o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>Jabber room: radext at jabber.ietf.org (please =
join)<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>Agenda<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>17:40 – 17:50 PT: Preliminaries =
<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal> Bluesheets<o:p></o:p></p>
<p class=3DMsoNormal> Attendance<o:p></o:p></p>
<p class=3DMsoNormal> Note takers<o:p></o:p></p>
<p class=3DMsoNormal> Agenda bash<o:p></o:p></p>
<p class=3DMsoNormal> Document =
Status<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>RADSEC (30 minutes)<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>1750 – 1805 AM PT RADSEC, Stefan Winter =
(15
minutes)<o:p></o:p></p>
<p =
class=3DMsoNormal>http://tools.ietf.org/html/draft-ietf-radext-radsec<o:p=
></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>1805 AM - 1820 PT NAI-Based Peer Discovery, Stefan =
Winter
(15 minutes)<o:p></o:p></p>
<p =
class=3DMsoNormal>http://tools.ietf.org/html/draft-ietf-radext-dynamic-di=
scovery<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>IPv6 (20 minutes)<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>1820 – 1830 RADIUS Attributes for IPv6 =
Networks,
W. Dec (10 minutes)<o:p></o:p></p>
<p =
class=3DMsoNormal>http://tools.ietf.org/html/draft-ietf-radext-ipv6-acces=
s<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>1830 - 1840 Accounting Extensions for IPv6, =
R.
Maglione (10 minutes)<o:p></o:p></p>
<p =
class=3DMsoNormal>http://tools.ietf.org/html/draft-maglione-radext-ipv6-a=
cct-extensions<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>Design Guidelines (50 minutes)<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>1840 – 1930 Design Guidelines, =
Alan DeKok
(50 minutes)<o:p></o:p></p>
<p =
class=3DMsoNormal>http://tools.ietf.org/html/draft-ietf-radext-design-gui=
delines<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>Wrap-up (10 minutes)<o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>1930 - 1940 Discussion and Next Steps: =
WG Chairs
& ADs (10 minutes)<o:p></o:p></p>
</div>
</body>
</html>
------=_NextPart_000_0007_01CABD63.63D7CEE0--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Sun, 07 Mar 2010 03:09:18 +0000
Message-ID: <BLU137-DS15CF81DF768A1481959F3093360@phx.gbl>
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
To: <radiusext@ops.ietf.org>
Subject: Request for Minutes
Date: Sat, 6 Mar 2010 19:07:08 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0002_01CABD60.3B483B20"
Thread-Index: Acq9o0R1jq/PRvlvQyOjaEbA0ED1Bg==
Content-Language: en-us
------=_NextPart_000_0002_01CABD60.3B483B20
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
If you took minutes at the Virtual Interim, please send them to Dave Nelson
and myself.
------=_NextPart_000_0002_01CABD60.3B483B20
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal>If you took minutes at the Virtual Interim, please =
send them
to Dave Nelson and myself. <o:p></o:p></p>
</div>
</body>
</html>
------=_NextPart_000_0002_01CABD60.3B483B20--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Fri, 05 Mar 2010 15:54:19 +0000
Message-ID: <BLU137-DS579DBB5E70C8B7CB81B3D93380@phx.gbl>
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
To: "'Stefan Winter'" <stefan.winter@restena.lu>, <radiusext@ops.ietf.org>
Subject: RE: I-D Action:draft-ietf-radext-dynamic-discovery-02.txt
Date: Fri, 5 Mar 2010 07:53:25 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Thread-Index: Acq8dAnKFGsOUjLGRtqgXqHvLoUdvQAB+ZOQ
Content-Language: en-us
Can you summarize which issues were closed and which are open?
-----Original Message-----
From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] =
On
Behalf Of Stefan Winter
Sent: Friday, March 05, 2010 6:52 AM
To: radiusext@ops.ietf.org
Cc: TF-Mobility
Subject: Re: I-D Action:draft-ietf-radext-dynamic-discovery-02.txt
Hi,
> A New Internet-Draft is available from the on-line Internet-Drafts
directories.
> This draft is a work item of the RADIUS EXTensions Working Group of =
the
IETF.
>
>
> Title : NAI-based Dynamic Peer Discovery for RADIUS over
TLS and DTLS
> Author(s) : S. Winter, M. McCauley
> Filename : draft-ietf-radext-dynamic-discovery-02.txt
> Pages : 9
> Date : 2010-03-05
>
> This document specifies a means to find authoritative AAA servers for=20
> a given NAI realm. It can be used in conjunction with RADIUS over TLS =
> and RADIUS over DTLS.
> =20
This draft contains new text for the issues discussed previously on the
list. It doesn't update any text on the remaining items which are still
unresolved.
Greetings,
Stefan
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - R=E9seau T=E9l=E9informatique de l'Education =
Nationale et de
la Recherche 6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Fri, 05 Mar 2010 14:52:17 +0000
Message-ID: <4B911A7D.5090803@restena.lu>
Date: Fri, 05 Mar 2010 15:51:41 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.5) Gecko/20091204 Lightning/1.0b1 Thunderbird/3.0
MIME-Version: 1.0
To: radiusext@ops.ietf.org
CC: TF-Mobility <mobility@terena.org>
Subject: Re: I-D Action:draft-ietf-radext-dynamic-discovery-02.txt
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig159DA82E79CE5FC3BEAE2065"
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig159DA82E79CE5FC3BEAE2065
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: quoted-printable
Hi,
> A New Internet-Draft is available from the on-line Internet-Drafts dire=
ctories.
> This draft is a work item of the RADIUS EXTensions Working Group of the=
IETF.
>
>
> Title : NAI-based Dynamic Peer Discovery for RADIUS over TLS=
and DTLS
> Author(s) : S. Winter, M. McCauley
> Filename : draft-ietf-radext-dynamic-discovery-02.txt
> Pages : 9
> Date : 2010-03-05
>
> This document specifies a means to find authoritative AAA servers for
> a given NAI realm. It can be used in conjunction with RADIUS over
> TLS and RADIUS over DTLS.
> =20
This draft contains new text for the issues discussed previously on the
list. It doesn't update any text on the remaining items which are still
unresolved.
Greetings,
Stefan
--=20
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - R=E9seau T=E9l=E9informatique de l'Education National=
e et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
--------------enig159DA82E79CE5FC3BEAE2065
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkuRGoEACgkQ+jm90f8eFWYTxQCfWfVHzG90TZjng2No01ZMvvxH
iOIAnil2YQKk+PMd8w19gsZ08b8meDCh
=ecX8
-----END PGP SIGNATURE-----
--------------enig159DA82E79CE5FC3BEAE2065--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Fri, 05 Mar 2010 14:45:56 +0000
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Cc: radiusext@ops.ietf.org
Subject: I-D Action:draft-ietf-radext-dynamic-discovery-02.txt
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20100305144501.C3D5B28C132@core3.amsl.com>
Date: Fri, 5 Mar 2010 06:45:01 -0800 (PST)
--NextPart
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the RADIUS EXTensions Working Group of the IETF.
Title : NAI-based Dynamic Peer Discovery for RADIUS over TLS and DTLS
Author(s) : S. Winter, M. McCauley
Filename : draft-ietf-radext-dynamic-discovery-02.txt
Pages : 9
Date : 2010-03-05
This document specifies a means to find authoritative AAA servers for
a given NAI realm. It can be used in conjunction with RADIUS over
TLS and RADIUS over DTLS.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-radext-dynamic-discovery-02.txt
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
--NextPart
Content-Type: Message/External-body;
name="draft-ietf-radext-dynamic-discovery-02.txt";
site="ftp.ietf.org";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <2010-03-05063605.I-D@ietf.org>
--NextPart--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Fri, 05 Mar 2010 12:36:39 +0000
Message-ID: <4B90FABC.5020803@restena.lu>
Date: Fri, 05 Mar 2010 13:36:12 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.5) Gecko/20091204 Lightning/1.0b1 Thunderbird/3.0
MIME-Version: 1.0
To: "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
Subject: Issue 324: Proposed new name resolution with S-NAPTR
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 8bit
Hi,
after issue 324's reminder about NAPTR, the following text might address
the issue:
"2.2. DNS RR definition
DNS definitions of RADIUS/TLS servers can be either S-NAPTR records
(see [RFC3958]) or SRV records. When both are defined, the
resolution algorithm prefers S-NAPTR results (see section Section 2.3
below).
This specification defines two S-NAPTR service tag: a general-purpose
tag "nai-roaming" and a special-purpose tag "eduroam" for the eduroam
roaming consortium. This specification defines two S-NAPTR protocol
tags: "radius.tls" for RADIUS over TLS [I-D.ietf-radext-radsec] and
"radius.dtls" for RADIUS over DTLS [I-D.dekok-radext-dtls].
This specification defines the SRV prefix "_radiustls._tcp" for
RADIUS over TLS [I-D.ietf-radext-radsec] and "_radiustls._udp" for
RADIUS over DTLS [I-D.dekok-radext-dtls]. It is expected that in
most cases, the label used for the records is the DNS representation
(punycode) of the literal realm name for which the server is the AAA
server."
Accompanied by an IANA Consideration section:
"4. IANA Considerations
This document requests IANA registration of the following S-NAPTR
parameters:
o Application Service Tags
* nai-roaming
* eduroam
o Application Protocol Tags
* radius.tls
* radius.dtls"
This is one of three ways how I could see the resolution happen. They are
1) a single "nai-roaming" service tag, and if some consortium needs its
own, use x-<identifier>
2) a generic "nai-roaming" service tag, and further labels allocated per
their own RFC - I define my own one inline in this document
3) a tag+subtag mechanism (see also my mail to Leslie Daigle, forwarded
by Bernard) to allow e.g.:
nai-roaming_eduroam.org
nai-roaming_3gppnetworks.org
nai-roaming_wimaxforum.com
Number 1 is always possible, but a bailout to unregulated space, with
possible clashes due to the freeform x-...
Number 2 is cumbersome for roaming consortia, because they need their
own RFC to describe themselves.
Number 3 would be cool, but would require allocation of a wildcard
"subspace" within the S-NAPTR service tag space. I'm unsure whether this
is foreseen.
I've put number 2 in the draft to have a starting point, but would
prefer 3 if we can sort it out.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Fri, 05 Mar 2010 12:26:33 +0000
Message-ID: <4B90F83C.7010309@restena.lu>
Date: Fri, 05 Mar 2010 13:25:32 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.5) Gecko/20091204 Lightning/1.0b1 Thunderbird/3.0
MIME-Version: 1.0
To: Bernard Aboba <bernard_aboba@hotmail.com>
CC: "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
Subject: Re: Review of draft-ietf-radext-dynamic-discovery-01
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Hi,
> [BA] References aren't allowed in the abstract. Also, this is only abo=
ut RADIUS, not AAA in general, no?
> =20
I've purged the reference in the upcoming revision. As for AAA vs.
RADIUS, there is still no conclusion about the dime vs. this approach,
and whether they can be united. Discussion continues; probably at the
dime meeting in Anaheim.
> 1.2
>
> RadSec node: a RadSec client or server
>
> RadSec Client: a RadSec instance which initiates a new connection.
>
> RadSec Server: a RadSec instance which listens on a RadSec port and
> accepts new connections
>
> [BA] As we discussed at IETF 75, RadSec is a product name. Can we use =
"RADIUS over TLS" and "RADIUS over DTLS"=20
> (or maybe RAD-TLS and RAD-DTLS) instead?
> =20
I've purged the references to "RadSec" in the upcoming revision. It is
now RADIUS over TLS, as in the corresponding draft.
> Section 2.1
>
> Dynamic server discovery as defined in this document is only
> applicable for AAA transactions where a AAA server receives a reques=
t
> with a NAI realm for which no home AAA server is known. I.e. where
> static server configuration does not contain a known home
> authentication server, or where the server configuration explicitly
> states that the realm destination is to be looked up dynamically.
> Furthermore, it is only applicable for new user sessions, i.e. for
> the initial Access-Request. =20
>
> [BA] Is this about AAA in general (including Diameter) or just about RA=
DIUS?
> =20
Again, subject to further discussion.
>
> 2.2. DNS RR definition
>
>
>
> DNS definitions of RadSec servers can be either NAPTR records or SRV=
> records. When both are defined, the resolution algorithm prefers
> NAPTR results (see section Section 2.3 <http://tools.ietf.org/html/d=
raft-ietf-radext-dynamic-discovery-01#section-2.3> below). The NAPTR ser=
vice
> field used is "AAAS+RADSECT". The SRV prefix used is "_radsec._tcp"=
=2E
> It is expected that in most cases, the label used for the records is=
> the DNS representation (punycode) of the literal realm name for whic=
h
> the server is the AAA server.
>
> [BA] Given that RadSec is a product name, what should the SRV prefixes =
be?=20
> _radtls._tcp? _raddtls._udp?=20
> =20
The _raddtls indicates datagram transport, so the _udp looks halfways
redundant and thus not clean.
I have preliminarily used _radiustls._tcp and _radiustls._udp in the draf=
t.
> bank-rupt.com
>
> [BA] Suggest use of an example.com domain instead (e.g. bank.example.co=
m).=20
> =20
I switched to the TLD "example" and a consortium member "bad" in the
upcoming revision.
>
> 2.3. Realm to AAA server resolution algorithm
>
>
>
> Input I to the algorithm is a User-Name in the form of a NAI as
> defined in [RFC4282 <http://tools.ietf.org/html/rfc4282>] as extract=
ed from the User-Name attribute in an
> Access-Request. Output O of the algorithm is a set of hostname:port=
> and an assoiciated order/preference; the set can be empty.
>
> Note well: The attribute User-Name does not necessarily contain well=
-
> formed NAIs and may not even contain well-formed UTF-8 strings. Thi=
s
> document describes server discovery only for well-formed NAIs in
> UTF-8 encoding. The result of all other possible contents of User-
> Name is unspecified; this includes, but is not limited to:
>
> [BA] Given the problems with RFC 4282 described by Alan at IETF 73, I'd=
suggest not referencing RFC 4282
> if possible, just focusing on the User-Name attribute, which is defined=
as UTF-8 by RFC 2865.=20
> =20
There is still a need to talk about the local vs. realm separator
character. 4282's primary merit for the purposes of the NAI discovery
draft lies in defining the @ character to find the realm. I can drop the
literal reference to 4282, but would then need to write (duplicate) text
from 4282 about the @ character. Is that acceptable?
> As far as I can tell here, the issue here is whether it is possible to =
utilize the realm-name in UTF-8
> to resolve the address of the RADTLS/DTLS server. As noted in the IAB =
document, there are several possible
> ways that this resolution could take place:
>
> a. An A/AAAA query could be sent via mDNS and/or LLMNR, using the realm=
encoded in UTF-8.=20
> b. An A/AAAA query could be sent, by converting the realm in UTF-8 to p=
unycode, using ToASCII().=20
> c. An A/AAAA query could be sent, using the realm encoded in UTF-8.=20
>
> When attempting resolution via b), it is possible that the conversion w=
ill fail. If none of the other=20
> resolution mechanisms are attempted, or if they fail too, then resoluti=
on of the server will not be=20
> possible.
> =20
The input to the algorithm is a UTF-8 string. The draft then merely
mentions the "host's name resolution library". IMHO, it is then that
library's business to try several mechanism in some host-defined order
and for those, either convert the UTF-8 input into a form of its liking,
or use it directly. Especially after reading the IAB document, it seems
to me that going into more detail or prescribing a particular behaviour
will not work.
The case of the name resolution failing is mentioned in the sentence "If
name resolution returns with error, O =3D { }. Terminate."
Do you think more text is needed in this area?
> Now that the IDNAbis documents are headed toward WG last call, my recom=
mendation is to reference these,
> rather than IDNA.=20
> =20
Hm, I don't think I managed IDNA explicitly at all. It only came to play
in the example where tu-m=FCnchen was resolved to punycode. Related to my=
argument above, whether or not a host name resultion library uses IDNA
(or -bis) is depending on the local host configuration for name
resolution. I'd rather not touch IDNA specialities at all, if that's
possible.
>
> 2.3. Realm to AAA server resolution algorithm
>
>
>
> In addition to the material here, I recommend providing advice on IPv4/=
IPv6 usage. One issue that
> has been encountered in IPv6 implementations is that attempting to conn=
ect via IPv6 preferentially
> is problematic. Even though a AAAA RR might be available, and IPv6 mig=
ht be supported and available
> on a link, this doesn't mean that IPv6 connectivity exists, due to rout=
ing table issues. As a result,
> attempting bring up an IPv6 connection before failing over to IPv4 will=
often result in a performance
> problem. A better approach (implemented in MacOS X) is to attempt to b=
ring up both IPv4 and IPv6
> connections and then use the connection that comes up first.=20
>
> Section 3
>
> [Note:
> assuming here that a hypothetical RADIUS/UDP SRV discovery will NOT
> deliver the shared secret in the DNS response!]
>
> [BA] I certainly hope not. This somewhat begs the question of when serv=
er resolution is useful. Presumably,
> this is primarily for use with certificate-based authentication, no? I=
'd assume that if TLS PSK is being
> used then you'd have static configuration, correct?
> =20
Mostly so, I guess. You could construct wild ideas about a consortium
having one PSK (or RADIUS shared secret) for all its realms, so using
some dynamic discovery might work across the consortium. But that's
really ugly. I suppose it's best to delete the UDP+SRV, and PSK+SRV text
completely.
=20
> Section 4
>
> This document contains no actions for IANA. Maybe. Not sure about
> the labels "AAAS+RADSECT" and "_radsec._tcp.".
>
> [BA] What about RADIUS over DTLS? Does this document apply to that as =
well?=20
> =20
This section was completely re-written to consider the S-NAPTR "stuff".
More on that in a separate mail.
Greetings,
Stefan Winter
--=20
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - R=E9seau T=E9l=E9informatique de l'Education National=
e et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Fri, 05 Mar 2010 09:59:24 +0000
Message-ID: <4B90D5A7.90900@restena.lu>
Date: Fri, 05 Mar 2010 10:57:59 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.5) Gecko/20091204 Lightning/1.0b1 Thunderbird/3.0
MIME-Version: 1.0
To: radiusext@ops.ietf.org
CC: TF-Mobility <mobility@terena.org>
Subject: Re: I-D Action:draft-ietf-radext-radsec-06.txt
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig03B1854301C40493E76461E5"
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig03B1854301C40493E76461E5
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: quoted-printable
Hi,
> A New Internet-Draft is available from the on-line Internet-Drafts dire=
ctories.
> This draft is a work item of the RADIUS EXTensions Working Group of the=
IETF.
>
>
> Title : TLS encryption for RADIUS
> Author(s) : S. Winter, et al.
> Filename : draft-ietf-radext-radsec-06.txt
> Pages : 17
> Date : 2010-03-05
>
> This document specifies security on the transport layer (TLS) for the
> RADIUS protocol when transmitted over TCP. This enables dynamic
> trust relationships between RADIUS servers.
> =20
This version fixes the issues 306, 308 and 323 with text as recently
proposed on the list.
Since issue 307 was discussed in the Virtual Interim and dismissed as no
viable alternative, the text does not contain any changes to address this=
=2E
This should close all the filed issues against the draft. This revision
was created outside of my sponsor project's time.
Comments as always welcome,
Stefan Winter
--=20
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - R=E9seau T=E9l=E9informatique de l'Education National=
e et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
--------------enig03B1854301C40493E76461E5
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkuQ1awACgkQ+jm90f8eFWZJSQCdH8yXDSN+0cyTannEfJCUzc9l
734An0+zYRgiGbf16qQCMsMCqCxZB+LA
=sTtm
-----END PGP SIGNATURE-----
--------------enig03B1854301C40493E76461E5--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Fri, 05 Mar 2010 08:31:04 +0000
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Cc: radiusext@ops.ietf.org
Subject: I-D Action:draft-ietf-radext-radsec-06.txt
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20100305083001.ED85228C1F8@core3.amsl.com>
Date: Fri, 5 Mar 2010 00:30:01 -0800 (PST)
--NextPart
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the RADIUS EXTensions Working Group of the IETF.
Title : TLS encryption for RADIUS
Author(s) : S. Winter, et al.
Filename : draft-ietf-radext-radsec-06.txt
Pages : 17
Date : 2010-03-05
This document specifies security on the transport layer (TLS) for the
RADIUS protocol when transmitted over TCP. This enables dynamic
trust relationships between RADIUS servers.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-radext-radsec-06.txt
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
--NextPart
Content-Type: Message/External-body;
name="draft-ietf-radext-radsec-06.txt";
site="ftp.ietf.org";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <2010-03-05001952.I-D@ietf.org>
--NextPart--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Wed, 03 Mar 2010 20:19:25 +0000
Date: Wed, 3 Mar 2010 12:18:47 -0800 (Pacific Standard Time)
From: Peter Deacon <peterd@iea-software.com>
To: "Wojciech Dec (wdec)" <wdec@cisco.com>
cc: radiusext@ops.ietf.org
Subject: RE: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Message-ID: <alpine.WNT.2.00.1003031205030.2788@littlesmurf>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Wed, 3 Mar 2010, Wojciech Dec (wdec) wrote:
>> My suggestion WRT an accounting restriction is based on a scenario:
>> Accounting system relies on RFC 3162 to report client IP.
>> NAS decides to send IPv6-Framed-Address rather than RFC 3162 method.
>> Accounting system requires modification to continue to
>> understand the same information.
> Yes, I see your point. Don't you think however that this could be
> handled by a client knob/implementation? I.E. If in an access-accept a
> server sends the IPv6-Framed-Address, then the NAS client can interpret
> it to mean that its ok to use this attribute in accounting messages. If
> an IPv6-Framed-Address does not come down in an access-accept, then the
> NAS would use by default "whatever it uses today", unless it has been
> explicitly configured to send accounting info with using
> IPv6-Framed-Address.
> This would seem to cover your concerns. What do you think?
Yes, sounds reasonable.
regards,
Peter
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Wed, 03 Mar 2010 16:05:54 +0000
Message-ID: <BLU137-DS149D0590C466A831945B97933A0@phx.gbl>
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
To: <radiusext@ops.ietf.org>
Subject: Request for help in developing a tool that may be helpful to WG chairs (fwd)
Date: Wed, 3 Mar 2010 08:05:37 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0185_01CABAA8.4F02DC20"
Thread-Index: Acq661zeFaBGvwHiSxebS69aBTqz3A==
Content-Language: en-us
------=_NextPart_000_0185_01CABAA8.4F02DC20
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
-----Original Message-----
From: Scott O. Bradner
Sent: Wednesday, March 03, 2010 7:36 AM
To: wgchairs@ietf.org
Subject: Request for help in developing a tool that may be helpful to WG
chairs
IETF working group chairs;
We are developing an open-source tool for monitoring the status and
progress of conflicts in on-line working groups (WG). The tool works by
analyzing the WG mailing list. When developed, this tool should be
helpful to WG chairs trying to understand the status of WG discussions
(how close to consensus is the WG, what is the distribution of
participation, etc).
As part of the development process we have been using a prototype tool
to analyze IETF WG mailing list archives to determine the amount of
conflict and how effective this conflict is being (has been) resolved.
As the first step, we need to understand the relationship between the
conflicts in a working group and the structure of the communication
network in that group. While having conflicts is not necessarily a bad
thing for a working group effort, some conflicts can escalate into
disasters. We are interested in finding the communication patterns
related to the evolution of group conflicts. Results from this study
will provide the base for the development of the tool that helps working
group chairs to decide when to intervene with an internal conflict
before it becomes irreversibly negative as well as being a tool that may
help determine where there is consensus on a particular topic.
We would like your help in understanding the level of conflicts within
your working groups and how the conflicts affect productivity and group
members' perception on the working group. It will be greatly appreciated
if you could ask your WG members to anonymously fill a short survey at
https://spreadsheets.google.com/viewform?hl=en&formkey=dExTbEU5QmRncnhFbjhQU
VR4bzBGMEE6MA
Thank you!
Best Regards,
Bin Zhu, Mark Gaynor, Scott Bradner, and Jialun Qin
------=_NextPart_000_0185_01CABAA8.4F02DC20
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoPlainText><o:p> </o:p></p>
<p class=3DMsoPlainText><o:p> </o:p></p>
<p class=3DMsoPlainText>-----Original Message-----<br>
From: Scott O. Bradner<br>
Sent: Wednesday, March 03, 2010 7:36 AM<br>
To: wgchairs@ietf.org<br>
Subject: Request for help in developing a tool that may be helpful to WG =
chairs<o:p></o:p></p>
<p class=3DMsoPlainText><o:p> </o:p></p>
<p class=3DMsoPlainText>IETF working group chairs;<o:p></o:p></p>
<p class=3DMsoPlainText><o:p> </o:p></p>
<p class=3DMsoPlainText>We are developing an open-source tool for =
monitoring the
status and<o:p></o:p></p>
<p class=3DMsoPlainText>progress of conflicts in on-line working groups =
(WG).
The tool works by<o:p></o:p></p>
<p class=3DMsoPlainText>analyzing the WG mailing list. When =
developed, this tool
should be<o:p></o:p></p>
<p class=3DMsoPlainText>helpful to WG chairs trying to understand the =
status of
WG discussions<o:p></o:p></p>
<p class=3DMsoPlainText>(how close to consensus is the WG, what is the
distribution of<o:p></o:p></p>
<p class=3DMsoPlainText>participation, etc).<o:p></o:p></p>
<p class=3DMsoPlainText><o:p> </o:p></p>
<p class=3DMsoPlainText>As part of the development process we have been =
using a
prototype tool<o:p></o:p></p>
<p class=3DMsoPlainText>to analyze IETF WG mailing list archives to =
determine the
amount of<o:p></o:p></p>
<p class=3DMsoPlainText>conflict and how effective this conflict is =
being (has
been) resolved.<o:p></o:p></p>
<p class=3DMsoPlainText>As the first step, we need to understand the =
relationship
between the<o:p></o:p></p>
<p class=3DMsoPlainText>conflicts in a working group and the structure =
of the
communication<o:p></o:p></p>
<p class=3DMsoPlainText>network in that group. While having conflicts is =
not
necessarily a bad<o:p></o:p></p>
<p class=3DMsoPlainText>thing for a working group effort, some conflicts =
can
escalate into<o:p></o:p></p>
<p class=3DMsoPlainText>disasters. We are interested in finding the =
communication
patterns<o:p></o:p></p>
<p class=3DMsoPlainText>related to the evolution of group conflicts. =
Results from
this study<o:p></o:p></p>
<p class=3DMsoPlainText>will provide the base for the development of the =
tool
that helps working<o:p></o:p></p>
<p class=3DMsoPlainText>group chairs to decide when to intervene with an =
internal
conflict<o:p></o:p></p>
<p class=3DMsoPlainText>before it becomes irreversibly negative as well =
as being
a tool that may<o:p></o:p></p>
<p class=3DMsoPlainText>help determine where there is consensus on a =
particular
topic.<o:p></o:p></p>
<p class=3DMsoPlainText><o:p> </o:p></p>
<p class=3DMsoPlainText>We would like your help in understanding the =
level of
conflicts within<o:p></o:p></p>
<p class=3DMsoPlainText>your working groups and how the conflicts affect
productivity and group<o:p></o:p></p>
<p class=3DMsoPlainText>members’ perception on the working group. =
It will
be greatly appreciated<o:p></o:p></p>
<p class=3DMsoPlainText>if you could ask your WG members to anonymously =
fill a
short survey at <o:p></o:p></p>
<p class=3DMsoPlainText><o:p> </o:p></p>
<p =
class=3DMsoPlainText>https://spreadsheets.google.com/viewform?hl=3Den&=
;formkey=3DdExTbEU5QmRncnhFbjhQUVR4bzBGMEE6MA<o:p></o:p></p>
<p class=3DMsoPlainText><o:p> </o:p></p>
<p class=3DMsoPlainText>Thank you!<o:p></o:p></p>
<p class=3DMsoPlainText><o:p> </o:p></p>
<p class=3DMsoPlainText>Best Regards, <o:p></o:p></p>
<p class=3DMsoPlainText><o:p> </o:p></p>
<p class=3DMsoPlainText>Bin Zhu, Mark Gaynor, Scott Bradner, and Jialun =
Qin<o:p></o:p></p>
<p class=3DMsoPlainText><o:p> </o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
</div>
</body>
</html>
------=_NextPart_000_0185_01CABAA8.4F02DC20--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Wed, 03 Mar 2010 09:21:28 +0000
Authentication-Results: rtp-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Date: Wed, 3 Mar 2010 10:19:14 +0100
Message-ID: <A16B9A4922C4A544A94565E870362B50015A269D@XMB-AMS-111.cisco.com>
Thread-Topic: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Thread-Index: Acq6TKjqHVRfGaseRw6WJ1YaPaLHxQAZTd9g
From: "Wojciech Dec (wdec)" <wdec@cisco.com>
To: "Peter Deacon" <peterd@iea-software.com>
Cc: <radiusext@ops.ietf.org>
>=20
> > Given the above examples/reasons, would you still see a need to=20
> > restrict the use/naming of the attribute as suggested. What is your=20
> > concern with the proposed use?
>=20
> None WRT assignment/auth, thank you.
>=20
> My suggestion WRT an accounting restriction is based on a scenario:
>=20
> Accounting system relies on RFC 3162 to report client IP.
>=20
> NAS decides to send IPv6-Framed-Address rather than RFC 3162 method.
> Accounting system requires modification to continue to=20
> understand the same information.
Yes, I see your point. Don't you think however that this could be
handled by a client knob/implementation? I.E. If in an access-accept a
server sends the IPv6-Framed-Address, then the NAS client can interpret
it to mean that its ok to use this attribute in accounting messages. If
an IPv6-Framed-Address does not come down in an access-accept, then the
NAS would use by default "whatever it uses today", unless it has been
explicitly configured to send accounting info with using
IPv6-Framed-Address.
This would seem to cover your concerns. What do you think?
-Woj.
>=20
>=20
> From an accounting perspective specific to any one NAS with a known=20
> behavior use of IPv6-Framed-Address can certainly simplify matters.
>=20
> Globally it can have the opposite effect as an additional=20
> attribute/RFC=20
> possibly needs to be consulted to figure out the users=20
> IP..especially in=20
> instances where NAS are not under direct administrative control.
>=20
>=20
> Perhaps another way to resolve is to make a SHOULD/MAY=20
> recommendation to=20
> also send Framed-IPv6-Prefix/128 for accounting. =20
> Realistically IMHO its=20
> still early WRT IPv6 deployment and not likely to be a big=20
> deal either=20
> way.
>=20
> regards,
> Peter
>=20
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Tue, 02 Mar 2010 21:10:25 +0000
Date: Tue, 2 Mar 2010 13:09:25 -0800 (Pacific Standard Time)
From: Peter Deacon <peterd@iea-software.com>
To: "Wojciech Dec (wdec)" <wdec@cisco.com>
cc: radiusext@ops.ietf.org
Subject: RE: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Message-ID: <alpine.WNT.2.00.1003021143010.2316@SMURF>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
On Tue, 2 Mar 2010, Wojciech Dec (wdec) wrote:
> Well, so rfc3162 was perhaps a bit too generous with the options here.
> It pretty much allows any combination of Framed-IPv6-Prefix,
> Framed-Interface-Id and Framed-IPv6-Pool to be used. A couple of
> examples:
> Things get interesting for a server given that we have the possibility
> of the NAS picking a prefix/address from a pool, and then sending an
> accounting record which may contain that address encoded as
> a) nothing (ie for the pool option the accounting record does not
> include the address, but only the pool name)
> b) a combination of a /64 ipv6-prefix and 64 bit interface-id
> c) a /128 in the ipv6-prefix (possibly coming also with a 64 interface
> id)
> D) Various vendor VSAs (which have been devised to work around the
> ambiguities of the above)
> A non trivial story applies for the client when the "to be assigned"
> numeral address can come down by any of the latter combinations, which
> the client needs to interpret for their sanity (eg how should a /120
> ipv6-prefix with a /64 interface id be handled). This is further
> compounded by the issue of having to potentially assign multiple
> addresses to a client (say a GUA and a ULA), using different methods
> (SLAAC and DHCP).
> With hindsight it may have been better to simply call out for a fixed
> length /128 address attribute to simplify some of these situations,
> especially when the intent is really that of communicating the exact
> /128 address. That's the role I see for the framed-ipv6-address
> attribute. It's role is to:
> 1) Be semantically very clear that this address doesn't need to be
> combined with some other attribute to form an address (it's a fixed
> length 128 field)
> 2) Allow for a distinction between multiple address assignment
> mechanisms on the interface and their source info (pretty much why
> rfc4818 could not have used the framed-ipv6-prefix attribute, even
> though all it does is communicate a prefix)
> 3) Allow for the /128 address to be un-ambiguously communicated in
> accounting messages (as opposed to having to guess between the
> combinations)
>> Paradoxically I like the idea of the new attribute...
>> Ideas:
>> Make IPv6-Framed-Address valid for authentication only.
>> Relabel the attribute (ie IPv6-Framed-DHCP-Address)
> Given the above examples/reasons, would you still see a need to restrict
> the use/naming of the attribute as suggested. What is your concern with
> the proposed use?
None WRT assignment/auth, thank you.
My suggestion WRT an accounting restriction is based on a scenario:
Accounting system relies on RFC 3162 to report client IP.
NAS decides to send IPv6-Framed-Address rather than RFC 3162 method.
Accounting system requires modification to continue to understand the same
information.
>From an accounting perspective specific to any one NAS with a known
behavior use of IPv6-Framed-Address can certainly simplify matters.
Globally it can have the opposite effect as an additional attribute/RFC
possibly needs to be consulted to figure out the users IP..especially in
instances where NAS are not under direct administrative control.
Perhaps another way to resolve is to make a SHOULD/MAY recommendation to
also send Framed-IPv6-Prefix/128 for accounting. Realistically IMHO its
still early WRT IPv6 deployment and not likely to be a big deal either
way.
regards,
Peter
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Tue, 02 Mar 2010 19:17:27 +0000
Authentication-Results: ams-iport-2.cisco.com; dkim=neutral (message not signed) header.i=none
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Date: Tue, 2 Mar 2010 20:16:50 +0100
Message-ID: <A16B9A4922C4A544A94565E870362B50015A2469@XMB-AMS-111.cisco.com>
Thread-Topic: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Thread-Index: Acq6HP1Oqr1jPsKxRKWfutMXEdMTLAACYpAA
From: "Wojciech Dec (wdec)" <wdec@cisco.com>
To: "Peter Deacon" <peterd@iea-software.com>
Cc: <radiusext@ops.ietf.org>
=20
> -----Original Message-----
> From: Peter Deacon [mailto:peterd@iea-software.com]=20
> Sent: 02 March 2010 16:28
> To: Wojciech Dec (wdec)
> Cc: radiusext@ops.ietf.org
> Subject: RE: RADEXT WG last call on RADIUS attributes for=20
> IPv6 Access Networks
>=20
> On Tue, 2 Mar 2010, Wojciech Dec (wdec) wrote:
>=20
> >> If the /128 prefix approach is used should I expect that=20
> an IP would=20
> >> be assigned to the end user?
> >> Just don't want existing stuff to become broken :(
>=20
> > Precisely that's the reason for having the new attribute as=20
> opposed to=20
> > overloading the previous one for the case when the full=20
> /128 is to be=20
> > passed down instead of a /64 (or less) for use in SLAAC. Having the=20
> > two separated ensures that existing stuff doesn't get broken.
>=20
> Up until the point where the draft is accepted, how would=20
> someone have assigned or accounted for a single IPv6 address?
Well, so rfc3162 was perhaps a bit too generous with the options here.
It pretty much allows any combination of Framed-IPv6-Prefix,
Framed-Interface-Id and Framed-IPv6-Pool to be used. A couple of
examples:
Things get interesting for a server given that we have the possibility
of the NAS picking a prefix/address from a pool, and then sending an
accounting record which may contain that address encoded as=20
a) nothing (ie for the pool option the accounting record does not
include the address, but only the pool name)=20
b) a combination of a /64 ipv6-prefix and 64 bit interface-id=20
c) a /128 in the ipv6-prefix (possibly coming also with a 64 interface
id)
D) Various vendor VSAs (which have been devised to work around the
ambiguities of the above)
A non trivial story applies for the client when the "to be assigned"
numeral address can come down by any of the latter combinations, which
the client needs to interpret for their sanity (eg how should a /120
ipv6-prefix with a /64 interface id be handled). This is further
compounded by the issue of having to potentially assign multiple
addresses to a client (say a GUA and a ULA), using different methods
(SLAAC and DHCP).
With hindsight it may have been better to simply call out for a fixed
length /128 address attribute to simplify some of these situations,
especially when the intent is really that of communicating the exact
/128 address. That's the role I see for the framed-ipv6-address
attribute. It's role is to:
1) Be semantically very clear that this address doesn't need to be
combined with some other attribute to form an address (it's a fixed
length 128 field)
2) Allow for a distinction between multiple address assignment
mechanisms on the interface and their source info (pretty much why
rfc4818 could not have used the framed-ipv6-prefix attribute, even
though all it does is communicate a prefix)
3) Allow for the /128 address to be un-ambiguously communicated in
accounting messages (as opposed to having to guess between the
combinations)
>=20
> From my read of RFC 3162 there is no mention of an underlying=20
> technology association with Framed-IPv6-Prefix - be it=20
> SLAAC/ND, DHCPv6 or a future technology yet to exist.
Well, the Framed-Interface-Id is quite specific to its use with PPP and
IPCPv6, so one could say that the underlying technology is being
reflected in Radius...
>=20
> Given the design of IPv6 is a shift to assignment and=20
> identification via prefix it seems reasonable /128 prefixes=20
> would already be used in this way at the very least in=20
> accounting messages for sessions or sub-sessions involving=20
> individual hosts.
>=20
> Paradoxically I like the idea of the new attribute...
>=20
> Ideas:
>=20
> Make IPv6-Framed-Address valid for authentication only.
>=20
> Relabel the attribute (ie IPv6-Framed-DHCP-Address)
Given the above examples/reasons, would you still see a need to restrict
the use/naming of the attribute as suggested. What is your concern with
the proposed use?
Thanks,
Woj.
>=20
> regards,
> Peter
>=20
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Tue, 02 Mar 2010 15:28:54 +0000
Date: Tue, 2 Mar 2010 07:27:55 -0800 (Pacific Standard Time)
From: Peter Deacon <peterd@iea-software.com>
To: "Wojciech Dec (wdec)" <wdec@cisco.com>
cc: radiusext@ops.ietf.org
Subject: RE: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Message-ID: <alpine.WNT.2.00.1003020450400.2316@SMURF>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
On Tue, 2 Mar 2010, Wojciech Dec (wdec) wrote:
>> If the /128 prefix approach is used should I expect that an
>> IP would be assigned to the end user?
>> Just don't want existing stuff to become broken :(
> Precisely that's the reason for having the new attribute as opposed to
> overloading the previous one for the case when the full /128 is to be
> passed down instead of a /64 (or less) for use in SLAAC. Having the two
> separated ensures that existing stuff doesn't get broken.
Up until the point where the draft is accepted, how would someone have
assigned or accounted for a single IPv6 address?
>From my read of RFC 3162 there is no mention of an underlying technology
association with Framed-IPv6-Prefix - be it SLAAC/ND, DHCPv6 or a future
technology yet to exist.
Given the design of IPv6 is a shift to assignment and identification via
prefix it seems reasonable /128 prefixes would already be used in this way
at the very least in accounting messages for sessions or sub-sessions
involving individual hosts.
Paradoxically I like the idea of the new attribute...
Ideas:
Make IPv6-Framed-Address valid for authentication only.
Relabel the attribute (ie IPv6-Framed-DHCP-Address)
regards,
Peter
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Tue, 02 Mar 2010 11:31:31 +0000
Authentication-Results: ams-iport-2.cisco.com; dkim=neutral (message not signed) header.i=none
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Date: Tue, 2 Mar 2010 12:29:55 +0100
Message-ID: <A16B9A4922C4A544A94565E870362B50015A219E@XMB-AMS-111.cisco.com>
Thread-Topic: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Thread-Index: Acq5lRI4QPEo2MDlSLeyKnpRCWkZygAZlZkQ
From: "Wojciech Dec (wdec)" <wdec@cisco.com>
To: "Peter Deacon" <peterd@iea-software.com>, "Bernard Aboba" <bernard_aboba@hotmail.com>
Cc: <radiusext@ops.ietf.org>
=20
> -----Original Message-----
> From: owner-radiusext@ops.ietf.org=20
> [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Peter Deacon
> Sent: 02 March 2010 00:15
> To: Bernard Aboba
> Cc: radiusext@ops.ietf.org
> Subject: RE: RADEXT WG last call on RADIUS attributes for=20
> IPv6 Access Networks
>=20
> On Mon, 1 Mar 2010, Bernard Aboba wrote:
>=20
> > Yes, there is a difference. Framed-IPv6-Prefix is specifically for=20
> > use within a Router Advertisement. So if the RADIUS server were to=20
> > send a Framed-IPv6-Prefix of /128 to the NAS, this would be=20
> inserted=20
> > in the RA by the NAS (which is probably not what you want).
>=20
> RFC3162 does not mention which underlying technology is used=20
> for assignment.
>=20
> > An IPv6-Framed-Address on the other hand, is for use within=20
> the NAS's=20
> > embedded DHCPv6 server.
>=20
> DHCPv6 is capable of assignment of both single addresses and prefixes.
>=20
> > Note that it is possible for a NAS to support *both* stateless=20
> > autoconfig and DHCPv6, so that both attributes could be=20
> present in the=20
> > same Access-Accept. This is yet another reason why distinct=20
> > attributes are required -- how else could the NAS figure out which=20
> > attribute is to be used for what purpose?
>=20
> The way I see consistancy is leaving "how" up to the NAS and=20
> authorization attributes "what" (Prefixes, Ipv6 or both) up=20
> to the draft.
>=20
> A more to the point and salient question - what is the=20
> expected difference in behavior for an access server should=20
> Framed-IPv6-Prefix /128 be used in lieu of IPv6-Framed-Address?
>=20
> If the /128 prefix approach is used should I expect that an=20
> IP would be assigned to the end user?
>=20
> Just don't want existing stuff to become broken :(
Precisely that's the reason for having the new attribute as opposed to
overloading the previous one for the case when the full /128 is to be
passed down instead of a /64 (or less) for use in SLAAC. Having the two
separated ensures that existing stuff doesn't get broken.
Regards,
Woj.
>=20
> regards,
> Peter
>=20
> > -----Original Message-----
> > From: owner-radiusext@ops.ietf.org=20
> > [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Peter Deacon
> > Sent: Monday, March 01, 2010 12:12 PM
> > To: radiusext@ops.ietf.org
> > Subject: Re: RADEXT WG last call on RADIUS attributes for=20
> IPv6 Access=20
> > Networks
> >
> > On Mon, 1 Mar 2010, Bernard Aboba wrote:
> >
> >> This is an announcement of RADEXT WG last call on "RADIUS=20
> attributes=20
> >> for IPv6 Access Networks" before sending the document off=20
> to the IESG=20
> >> for consideration as a Proposed Standard. A copy of the=20
> document is=20
> >> available for inspection here:
> >
> >> http://tools.ietf.org/html/draft-ietf-radext-ipv6-access
> >
> > 3.1.
> >
> > I'm confused on IPv6-Framed-Address and Framed-IPv6-Prefix=20
> from RFC 3162.
> > It looks as if both attributes accomplish the same goal. =20
> Is there a=20
> > difference between IPv6-Framed-Address and=20
> Framed-IPv6-Prefix of /128?
> >
> > regards,
> > Peter
> >
> >
>=20
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Tue, 02 Mar 2010 10:45:14 +0000
Message-ID: <BLU137-W844B84C4106ACFF4C043E933B0@phx.gbl>
Content-Type: multipart/alternative; boundary="_6bf603e7-78de-41bc-9ba0-4c3bc5bce7f6_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: <peterd@iea-software.com>
CC: "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
Subject: RE: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Date: Tue, 2 Mar 2010 02:44:27 -0800
MIME-Version: 1.0
--_6bf603e7-78de-41bc-9ba0-4c3bc5bce7f6_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
> DHCPv6 is capable of assignment of both single addresses and prefixes.
Delegation is addressed in RFC 4818.
=20
> If the /128 prefix approach is used should I expect that an IP would be a=
ssigned to the end user?
You should not expect a DHCPv6 address to be assigned. On some NASes I wou=
ldn't expect *any* address to be assigned.
=
--_6bf603e7-78de-41bc-9ba0-4c3bc5bce7f6_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 10pt=3B
font-family:Verdana
}
--></style>
</head>
<body class=3D'hmmessage'>
>=3B DHCPv6 is capable of assignment of both single addresses and prefixe=
s.<br><br>Delegation is addressed in RFC 4818.<br> =3B<br>>=3B If the=
/128 prefix approach is used should I expect that an IP would be assigned =
to the end user?<br><br>You should not expect a DHCPv6 address to be assign=
ed. =3B On some NASes I wouldn't expect *any* address to be assigned.<b=
r> </body>
</html>=
--_6bf603e7-78de-41bc-9ba0-4c3bc5bce7f6_--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 01 Mar 2010 23:15:10 +0000
Date: Mon, 1 Mar 2010 15:14:43 -0800 (Pacific Standard Time)
From: Peter Deacon <peterd@iea-software.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>
cc: radiusext@ops.ietf.org
Subject: RE: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Message-ID: <alpine.WNT.2.00.1003011339340.2788@littlesmurf>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="263493264-16920-1267485283=:2788"
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
--263493264-16920-1267485283=:2788
Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
On Mon, 1 Mar 2010, Bernard Aboba wrote:
> Yes, there is a difference. Framed-IPv6-Prefix is specifically for use
> within a Router Advertisement. So if the RADIUS server were to send a
> Framed-IPv6-Prefix of /128 to the NAS, this would be inserted in the RA
> by the NAS (which is probably not what you want).
RFC3162 does not mention which underlying technology is used for
assignment.
> An IPv6-Framed-Address on the other hand, is for use within the NAS's
> embedded DHCPv6 server.
DHCPv6 is capable of assignment of both single addresses and prefixes.
> Note that it is possible for a NAS to support *both* stateless
> autoconfig and DHCPv6, so that both attributes could be present in the
> same Access-Accept. This is yet another reason why distinct attributes
> are required -- how else could the NAS figure out which attribute is to
> be used for what purpose?
The way I see consistancy is leaving "how" up to the NAS and authorization
attributes "what" (Prefixes, Ipv6 or both) up to the draft.
A more to the point and salient question - what is the expected difference
in behavior for an access server should Framed-IPv6-Prefix /128 be used in
lieu of IPv6-Framed-Address?
If the /128 prefix approach is used should I expect that an IP would be
assigned to the end user?
Just don't want existing stuff to become broken :(
regards,
Peter
> -----Original Message-----
> From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Peter Deacon
> Sent: Monday, March 01, 2010 12:12 PM
> To: radiusext@ops.ietf.org
> Subject: Re: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
>
> On Mon, 1 Mar 2010, Bernard Aboba wrote:
>
>> This is an announcement of RADEXT WG last call on âRADIUS attributes for IPv6
>> Access Networksâ before sending the document off to the IESG for
>> consideration as a Proposed Standard. A copy of the document is available
>> for inspection here:
>
>> http://tools.ietf.org/html/draft-ietf-radext-ipv6-access
>
> 3.1.
>
> I'm confused on IPv6-Framed-Address and Framed-IPv6-Prefix from RFC 3162.
> It looks as if both attributes accomplish the same goal. Is there a
> difference between IPv6-Framed-Address and Framed-IPv6-Prefix of /128?
>
> regards,
> Peter
>
>
--263493264-16920-1267485283=:2788--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 01 Mar 2010 20:49:14 +0000
Message-ID: <BLU137-DS37F6470B23B0440097973933C0@phx.gbl>
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
To: "'Peter Deacon'" <peterd@iea-software.com>, <radiusext@ops.ietf.org>
Subject: RE: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Date: Mon, 1 Mar 2010 12:48:56 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Thread-Index: Acq5fB+Obds5AhCTR6if6IjJVBKJiwAA/9rw
Content-Language: en-us
Yes, there is a difference. Framed-IPv6-Prefix is specifically for use =
within a Router Advertisement.=20
So if the RADIUS server were to send a Framed-IPv6-Prefix of /128 to the =
NAS, this would be inserted
in the RA by the NAS (which is probably not what you want).=20
An IPv6-Framed-Address on the other hand, is for use within the NAS's =
embedded DHCPv6 server. =20
Note that it is possible for a NAS to support *both* stateless =
autoconfig and DHCPv6, so that both
attributes could be present in the same Access-Accept. This is yet =
another reason why distinct
attributes are required -- how else could the NAS figure out which =
attribute is to be used for what
purpose?
-----Original Message-----
From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] =
On Behalf Of Peter Deacon
Sent: Monday, March 01, 2010 12:12 PM
To: radiusext@ops.ietf.org
Subject: Re: RADEXT WG last call on RADIUS attributes for IPv6 Access =
Networks
On Mon, 1 Mar 2010, Bernard Aboba wrote:
> This is an announcement of RADEXT WG last call on =E2=80=9CRADIUS =
attributes for IPv6
> Access Networks=E2=80=9D before sending the document off to the IESG =
for
> consideration as a Proposed Standard. A copy of the document is =
available
> for inspection here:
> http://tools.ietf.org/html/draft-ietf-radext-ipv6-access
3.1.
I'm confused on IPv6-Framed-Address and Framed-IPv6-Prefix from RFC =
3162.=20
It looks as if both attributes accomplish the same goal. Is there a=20
difference between IPv6-Framed-Address and Framed-IPv6-Prefix of /128?
regards,
Peter
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 01 Mar 2010 20:24:05 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1267475025; bh=Rhfxe8QTEvbneAj98ctdkrAxE7Ck9+ekzMsuv536afU=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=h/4zyTDYdHi1G8Ulwmnc61k0/LL5Gbt5waPxEuG3j4LrO0pfEIu9wqoguFGTyq+NJMV+gr5ipuMrYelwIGwu6spq2FB+thOo0tKZA9TsWP3SBsO+yZB1dBFDFWL8JlhKLV1c3Di+fFaf7pPaXGBB0bd4tEqgPJjfD8/9tUxCtbI=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=I+ZmD1mbGMSFSsnkXzPvd661+YwqYksEqmVXtnNZhawFCMcEFnqo6zbK5XxZQoJ51uafuhKB1WVxL4vcC5oELTpQzGRlXaz/DD7bmRr6hxLksIUSGlTmm3o6Y/gEOiacE7Q/3VMH7VISh0TvGcX2cpYp9UQkWKNF/tHXLX2qCeE=;
Message-ID: <614825.71188.qm@web111413.mail.gq1.yahoo.com>
Date: Mon, 1 Mar 2010 12:23:45 -0800 (PST)
From: Behcet Sarikaya <behcetsarikaya@yahoo.com>
Reply-To: Behcet Sarikaya <sarikaya@ieee.org>
Subject: Re: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
To: Peter Deacon <peterd@iea-software.com>, radiusext@ops.ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Hi Peter,=0A=0A=0A=0A----- Original Message ----=0A> From: Peter Deacon <pe=
terd@iea-software.com>=0A> To: radiusext@ops.ietf.org=0A> Sent: Mon, March =
1, 2010 2:12:20 PM=0A> Subject: Re: RADEXT WG last call on RADIUS attribute=
s for IPv6 Access Networks=0A> =0A> On Mon, 1 Mar 2010, Bernard Aboba wrote=
:=0A=0A> This is an announcement of =0A> RADEXT WG last call on =E2=80=9CRA=
DIUS attributes for IPv6=0A> Access Networks=E2=80=9D =0A> before sending t=
he document off to the IESG for=0A> consideration as a =0A> Proposed Standa=
rd. =C2=A0A copy of the document is available=0A> for inspection =0A> here:=
=0A=0A> =0A> http://tools.ietf.org/html/draft-ietf-radext-ipv6-access=0A=0A=
3.1.=0A=0AI'm =0A> confused on IPv6-Framed-Address and Framed-IPv6-Prefix f=
rom RFC 3162. It looks =0A> as if both attributes accomplish the same goal.=
=C2=A0 Is there a difference =0A> between IPv6-Framed-Address and Framed-IP=
v6-Prefix of =0A> /128?=0A=0AI don't think Framed-IPv6-Prefix was intended =
to be an attribute for an address. Yes Framed-IPv6-Prefix=C2=A0could become=
like an address but /128 is the only case, data point.=0A=0ARegards,=0A=0A=
Behcet=0A=0A=0A
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 01 Mar 2010 20:12:59 +0000
Date: Mon, 1 Mar 2010 12:12:20 -0800 (Pacific Standard Time)
From: Peter Deacon <peterd@iea-software.com>
To: radiusext@ops.ietf.org
Subject: Re: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Message-ID: <alpine.WNT.2.00.1003011200180.2316@SMURF>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="322033740-21444-1267474340=:2316"
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
--322033740-21444-1267474340=:2316
Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
On Mon, 1 Mar 2010, Bernard Aboba wrote:
> This is an announcement of RADEXT WG last call on âRADIUS attributes for IPv6
> Access Networksâ before sending the document off to the IESG for
> consideration as a Proposed Standard. Â A copy of the document is available
> for inspection here:
> http://tools.ietf.org/html/draft-ietf-radext-ipv6-access
3.1.
I'm confused on IPv6-Framed-Address and Framed-IPv6-Prefix from RFC 3162.
It looks as if both attributes accomplish the same goal. Is there a
difference between IPv6-Framed-Address and Framed-IPv6-Prefix of /128?
regards,
Peter
--322033740-21444-1267474340=:2316--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 01 Mar 2010 19:43:27 +0000
Message-ID: <BLU137-DS10984B808F980DCD000E11933C0@phx.gbl>
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
To: <radiusext@ops.ietf.org>
Subject: RADEXT WG last call on RADIUS attributes for IPv6 Access Networks
Date: Mon, 1 Mar 2010 11:43:05 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0141_01CAB934.5B6F28D0"
Thread-Index: Acq5d2k0OLvRL0J3QCy/3nifmQFDmQ==
Content-Language: en-us
------=_NextPart_000_0141_01CAB934.5B6F28D0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
This is an announcement of RADEXT WG last call on "RADIUS attributes for
IPv6 Access Networks" before sending the document off to the IESG for
consideration as a Proposed Standard. A copy of the document is available
for inspection here:
http://tools.ietf.org/html/draft-ietf-radext-ipv6-access
The RADEXT WG last call will last until March 21, 2010. Please send
comments to the RADEXT WG mailing list using the format described in the
RADEXT Issues list (http://www.drizzle.com/~aboba/RADEXT )
------=_NextPart_000_0141_01CAB934.5B6F28D0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal>This is an announcement of RADEXT WG last call on =
“RADIUS
attributes for IPv6 Access Networks” before sending the document =
off to
the IESG for consideration as a Proposed Standard. A copy of the =
document
is available for inspection here:<o:p></o:p></p>
<p class=3DMsoNormal><a
href=3D"http://tools.ietf.org/html/draft-ietf-radext-ipv6-access">http://=
tools.ietf.org/html/draft-ietf-radext-ipv6-access</a><o:p></o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>The RADEXT WG last call will last until March 21,
2010. Please send comments to the RADEXT WG mailing =
list
using the format described in the RADEXT Issues list (<a
href=3D"http://www.drizzle.com/~aboba/RADEXT">http://www.drizzle.com/~abo=
ba/RADEXT</a>
)<o:p></o:p></p>
</div>
</body>
</html>
------=_NextPart_000_0141_01CAB934.5B6F28D0--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 01 Mar 2010 19:01:14 +0000
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Cc: radiusext@ops.ietf.org
Subject: I-D ACTION:draft-ietf-radext-ipv6-access-00.txt
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20100301190001.33F2B28C175@core3.amsl.com>
Date: Mon, 1 Mar 2010 11:00:01 -0800 (PST)
--NextPart
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the RADIUS EXTensions Working Group of the IETF.
Title : RADIUS attributes for IPv6 Access Networks
Author(s) : B. Lourdelet, W. Dec, B. Sarikaya, G. Zorn, D. Miles
Filename : draft-ietf-radext-ipv6-access-00.txt
Pages : 12
Date : 2010-3-1
IPv6 nodes can have configuration information provided to them using
DHCPv6 and/or Router Advertisements. This document specifies RADIUS
attributes that complement RFC3162 for use with DHCPv6 and/or Router
Advertisements (SLAAC) for use in broadband network access.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-radext-ipv6-access-00.txt
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
--NextPart
Content-Type: Message/External-body;
name="draft-ietf-radext-ipv6-access-00.txt";
site="ftp.ietf.org";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <2010-3-1105513.I-D@ietf.org>
--NextPart--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
Envelope-to: radiusext-data0@psg.com
Delivery-date: Mon, 01 Mar 2010 14:29:15 +0000
Message-ID: <4B8BCEEE.1060505@restena.lu>
Date: Mon, 01 Mar 2010 15:27:58 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.5) Gecko/20091204 Lightning/1.0b1 Thunderbird/3.0
MIME-Version: 1.0
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
CC: radiusext@ops.ietf.org
Subject: Re: Issue RADSEC certificate handling
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig4520108A54041EBBC2CAC18F"
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig4520108A54041EBBC2CAC18F
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Hi,
> Requested change:
>
> 1. The discussion of TLS cipher suites is broken apart into several
> places in the document, some of them normative and some of them
> informative. I believe the normative and informative information is
> reversed. The implementation requirements for supported cipher suites
> should go in this section.
> =20
Looking at the current text, the following is said in normative (2.2):
" * The client MUST NOT negotiate cipher suites which only provide=
integrity protection.
* The TLS session MAY use mutual PSKs for connection setup.
* Negotiation of compression for the TLS session is OPTIONAL.
* RADIUS over TLS implementations MUST support the mandatory to
implement cipher suites specified in TLS (i.e.
TLS_RSA_WITH_3DES_EDE_CBC_SHA). For purposes of compatibility
with some current deployments implementations SHOULD support
TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_AES_128_CBC_SHA as
well (see Section 3.2 (1) )."
The following is said in informative (3.2):
"3.2. Ciphersuites and Compression Negotiation Considerations
Not all TLS ciphersuites in [RFC5246] are supported by available TLS
tool kits, and licenses may be required in some cases. The existing
implementations of RADIUS over TLS use OpenSSL as cryptographic
backend, which supports all of the ciphersuites listed in the rules
in the normative section.
The TLS ciphersuite TLS_RSA_WITH_3DES_EDE_CBC_SHA is mandatory-to-
implement according to [RFC5246] and thus has to be supported by
RADIUS over TLS nodes.
The two other ciphersuites in the normative section are widely
implemented in TLS toolkits and are considered good practice to
implement."
This text doesn't contain any additional requirements to be mentioned in
normative text IMO (note that the one named ciphersuite here is also
already mentioned in the normative part).
The security considerations section has some additional text:
" Some TLS ciphersuites only provide integrity validation of their
payload, and provide no encryption. This specification forbids the
use of such ciphersuites. Since the RADIUS payload's shared secret
is fixed and well-known, failure to comply with this requirement will
expose the entire datagram payload in plain text, including User-
Password, to intermediate IP nodes."
and the constraint mentioned in that section is reflected in the MUST in
the first bullet of the normative section already.
I am unsure what specifically should be changed here, and suggest to
leave the text as-is.
> 2. When is it acceptable not to validate the SRV entry in the
> certificate?=20
> =20
To formulate it positively: it *only* makes sense when DNS SRV
resolution was used to arrive at this TLS peer. In all other cases, the
a subjectAltName:SRV can be ignored. The current text doesn't contain
this latter sentence. I suggest to add that sentence.
> 3. The section should state that matching should be done against locall=
y
> configured names (as opposed to information retrieved from DNS).=20
> =20
I have extended the sentence in that section:
Certificate validation MUST include the verification rules as per <xref
target=3D"RFC5280" />, using information from trusted sources only (e.g.
locally configured names).
I hope that addresses the issue.
> 4. Is there any particular URI type that would be useful for RADIUS?=20
> =20
I don't think there is any RADIUS-global answer to this question. A
roaming consortium decides which X.509 certificate holders to trust. It
will determine the eligibility via *some* handle in the certificate. A
plausible candidate for subjectAltName:URI is a URL pointing to some
kind of consortium policy.
It is also thinkable that a consortium defines a specific certificate
policy statement for its CA(s), and uses the Policy OID field to point
to these policies. A peer would then check for the presence of this
policy OID.
It just seems prudent for an implementation to expose as many fields
from the incoming certificate as possible to the application layer, so
that an Administrator has a handle to check the incoming connection for
eligibility according to whatever policy is defined for the consortium.
The same text as earlier in the document should be applicable here:
In X.509 certificate operation, at least the following parameters of
the TLS connection should be exposed:
o Originating IP address
o Certificate Fingerprint
o Issuer
o Subject
o all X509v3 Extended Key Usage
o all X509v3 Subject Alternative Name
o all X509v3 Certificate Policies
In TLS-PSK operation, at least the following parameters of the TLS
connection should be exposed:
o Originating IP address
o TLS Identifier
(this is from my proposed text for NAS Identity Issue)
Would the proposed changes address your concerns?
Greetings,
Stefan Winter
>
>
>
>
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
> =20
--=20
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - R=E9seau T=E9l=E9informatique de l'Education National=
e et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
--------------enig4520108A54041EBBC2CAC18F
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkuLzvQACgkQ+jm90f8eFWbsVQCdG77I94KK3E+BCQ5sUWHMaBHj
71sAnR5u31mzONQc6K03s+1iDGaT6BN5
=YoZ2
-----END PGP SIGNATURE-----
--------------enig4520108A54041EBBC2CAC18F--
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>