IETF Logo Mail Archive

Re: [radext] A proposal to allow more than 256 packets on any connection

Alan DeKok <aland@freeradius.org> Mon, 24 April 2017 21:57 UTC

Return-Path: <aland@freeradius.org>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62A9A131949 for <radext@ietfa.amsl.com>; Mon, 24 Apr 2017 14:57:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E9o4RoqpZGvc for <radext@ietfa.amsl.com>; Mon, 24 Apr 2017 14:57:52 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id E6E71120227 for <radext@ietf.org>; Mon, 24 Apr 2017 14:57:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.networkradius.com (Postfix) with ESMTP id 371E9B4F; Mon, 24 Apr 2017 21:57:51 +0000 (UTC)
Received: from mail.networkradius.com ([127.0.0.1]) by localhost (mail-server.vmhost2.networkradius.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JZVLn5aY_FHG; Mon, 24 Apr 2017 21:57:51 +0000 (UTC)
Received: from [192.168.120.42] (23-233-24-114.cpe.pppoe.ca [23.233.24.114]) by mail.networkradius.com (Postfix) with ESMTPSA id 995E1107; Mon, 24 Apr 2017 21:57:50 +0000 (UTC)
Content-Type: multipart/signed; boundary="Apple-Mail=_942380A3-FC50-401A-9CAB-92864AAE2315"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Pgp-Agent: GPGMail
From: Alan DeKok <aland@freeradius.org>
In-Reply-To: <201704242107.v3OL7GmV003413@cliff.eng.ascend.com>
Date: Mon, 24 Apr 2017 17:57:47 -0400
Message-Id: <A8D3E0FB-56A4-434C-A06F-D6D1AE369984@freeradius.org>
References: <149306333665.25840.6313986250597447759.idtracker@ietfa.amsl.com> <1AB9F08E-0739-4BE3-9827-3EA830DC113B@freeradius.org> <201704242107.v3OL7GmV003413@cliff.eng.ascend.com>
To: Ignacio Goyret <ignacio.goyret@nokia.com>, radext@ietf.org
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/BAo873mEjwkbWkxeMbHqaJvp26U>
Subject: Re: [radext] A proposal to allow more than 256 packets on any connection
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Apr 2017 21:57:54 -0000

On Apr 24, 2017, at 5:04 PM, Ignacio Goyret <ignacio.goyret@nokia.com> wrote:
> 
> At what point would a new header be better instead of hacking new attributes
> into the uniqueness equation?

 When you want to use Diameter.

> And at what point RADIUS becomes Diameter?

  When you change the header.

> Since this proposal would require non-trivial changes to both servers and
> clients to agree on a new algorithm,

  I don't know what you mean by "new algorithm".  *Any* change to RADIUS requires negotiation.  And any change requires changes on both the client and server.

> they might as well agree on a new header,

  Which requires *more* changes to clients and servers than my proposal.

> This way, the uniqueness function (src/dst ip/port + id) doesn't need to change.

  I'm proposing to change  (src/dst ip/port + id)  to  (src/dst ip/port + id + request-authenticator)

  Which is a smaller change than the one you propose.

  In this proposal, all RADIUS request packets are *identical* to existing RADIUS.  All RADIUS response packets contain one new attribute.  The responses are otherwise 100% standard RADIUS.

  There are *implementation* changes on client and server.  But again, they are largely limited to using "Request Authenticator" in the key that determines packet identity.  The encoding and decoding procedures are *exactly* the same as for standard RADIUS.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email