IETF Logo Mail Archive

Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

Alejandro Perez Mendez <alex@um.es> Wed, 16 October 2013 07:01 UTC

Return-Path: <alex@um.es>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D8AD11E815C for <radext@ietfa.amsl.com>; Wed, 16 Oct 2013 00:01:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.998
X-Spam-Level:
X-Spam-Status: No, score=-5.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_22=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pnZvzCW5CUcn for <radext@ietfa.amsl.com>; Wed, 16 Oct 2013 00:00:57 -0700 (PDT)
Received: from xenon11.um.es (xenon11.um.es [155.54.212.165]) by ietfa.amsl.com (Postfix) with ESMTP id 800ED21F9D44 for <radext@ietf.org>; Wed, 16 Oct 2013 00:00:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon11.um.es (Postfix) with ESMTP id DD990537C7 for <radext@ietf.org>; Wed, 16 Oct 2013 09:00:53 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon11.um.es
Received: from xenon11.um.es ([127.0.0.1]) by localhost (xenon11.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id C-Fni2Qvh9nY for <radext@ietf.org>; Wed, 16 Oct 2013 09:00:53 +0200 (CEST)
Received: from [155.54.205.8] (inf-205-8.inf.um.es [155.54.205.8]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon11.um.es (Postfix) with ESMTPSA id 52F035376D for <radext@ietf.org>; Wed, 16 Oct 2013 09:00:52 +0200 (CEST)
Message-ID: <525E39A4.7030201@um.es>
Date: Wed, 16 Oct 2013 09:00:52 +0200
From: Alejandro Perez Mendez <alex@um.es>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: radext@ietf.org
References: <CE8378C2.4C67D%mauricio.sanchez@hp.com>
In-Reply-To: <CE8378C2.4C67D%mauricio.sanchez@hp.com>
Content-Type: multipart/alternative; boundary="------------030000060108060908050007"
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2013 07:01:02 -0000

El 16/10/13 08:01, Sanchez, Mauricio escribió:
> Now that the the Perez, et.al. draft has made it into WG draft status we
> see that discussion turned to what the scope of solution should be.  Can
> the authors of the draft summarize their current understanding of the
> situation and what their suggested/planned next steps are?  I expect that
> one or more of the authors will be at IETF 88 to add this draft to the
> agenda, so please confirm availability.
>
> As a reminder, we are on the 1st day (Monday) at 1300.
>
> -Mauricio & Jouni

Dear Mauricio & Jouni,

the scope of this draft is to provide a means for the transmission of 
large amounts of authorization data between two RADIUS endpoints. The 
reasons why it is focused only on authorization data are described in 
the "Scope of this document" section on the draft, and can be summarized 
on the following sentence: "Other exchanges (i.e. authentication and 
accounting) do not require of such a mechanism". This is justified on 
the following premises:

1) Authentication exchanges already deal with fragmentation (e.g. 
RADIUS-EAP). Moreover, as they represent the most critical part of a 
RADIUS conversation, it is preferable to not introduce any modification 
to their operation that may affect existing equipment.
2) There not documented need for fragmentation of accounting data so far.

Additionally, other of the cornerstone points of this mechanism is to 
work through unmodified proxies, thus:
* It should be based on UDP
* It should not require of any change to the RADIUS specification
* It should conform with current RADIUS attribute & packet formats

Those are the basis of our draft, and the requirements that have guided 
the definition of the current fragmentation mechanism.

However, it does not provide a perfect solution. In particular, it 
requires proxying to be done based on the User-Name attribute (although 
the most typical case, specific scenarios may have a different 
configuration), it requires proxies to not drop unrecognised attributes 
(who does not?), it requires proxies to not try to modify the contents 
of a packet (apart of inserting Proxy-State attributes), and the 
receptor do not know how much data will arrive until it  actually 
receives it.

Taking into account aforementioned restrictions it seems that, for new 
deployments where keeping the infrastructure unmodified is not a MUST, a 
different approach of using RADIUS TCP, *and* changing RADIUS 
specification to increase the maximum packet length from 4 KiB to 64 KiB 
may provide a simpler solution.

 From my perspective, both solutions could coexists. While the TCP-based 
solution may provide a simpler solution, in scenarios where existing 
infrastructure cannot be easily upgraded, an UDP-based solution is still 
needed.

We are currently finishing a new version which clarifies some points 
that were raised on the mailing list, mainly related to the mentioned 
limitations. It is our intention to have it ready before the IETF meeting.

I will not personally attend the meeting, but I will be available via 
Jabber.

Regards,
Alejandro


>
>
>
>
>
> On 8/26/13 12:35 AM, "Jouni Korhonen" <jouni.nospam@gmail.com> wrote:
>
>> Folks,
>>
>> We got some support and none going against the adoption. There were
>> already some very detailed discussion on aspects people want to see
>> changed in the document, which is a really good start.
>>
>> We will take draft-perez-radext-radius-fragmentation-06 as the _basis_
>> for the WG solution. Now the WG needs to come up with text that everybody
>> agrees with. whether we need further documents on fragmentation, e.g. as
>> a generic long term solution is to be seen and discussed.
>>
>> - Jouni & Mauricio
>>
>>
>> On Aug 9, 2013, at 3:02 PM, Jouni Korhonen <jouni.nospam@gmail.com> wrote:
>>
>>> Folks,
>>>
>>> Based on the discussion in Berlin we are ready to start another
>>> adoption call for the solution for fragmentation of RADIUS packets.
>>>
>>> This email starts a two week consensus call on adopting:
>>>
>>> Filename:         draft-perez-radext-radius-fragmentation
>>> Revision:         06
>>> Title:            Support of fragmentation of RADIUS packets
>>> Creation date:    2013-07-02
>>>
>>> Express your concerns or support by 23rd August EOB on the mailing list.
>>>
>>> - Jouni & Mauricio
>> _______________________________________________
>> radext mailing list
>> radext@ietf.org
>> https://www.ietf.org/mailman/listinfo/radext
>>
>>
>> _______________________________________________
>> radext mailing list
>> radext@ietf.org
>> https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email