Re: [radext] Issue with draft-ietf-radext-radius-fragmentation, pre-authorization phase and authentication attributes.

Stefan Winter <stefan.winter@restena.lu> Sun, 02 March 2014 15:25 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 733141A07BA for <radext@ietfa.amsl.com>; Sun, 2 Mar 2014 07:25:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.446
X-Spam-Level:
X-Spam-Status: No, score=-2.446 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KOZ5srpaUOkp for <radext@ietfa.amsl.com>; Sun, 2 Mar 2014 07:25:34 -0800 (PST)
Received: from smtp.restena.lu (legolas.restena.lu [IPv6:2001:a18:1::34]) by ietfa.amsl.com (Postfix) with ESMTP id AB8381A07C6 for <radext@ietf.org>; Sun, 2 Mar 2014 07:25:33 -0800 (PST)
Received: from smtp.restena.lu (localhost [127.0.0.1]) by smtp.restena.lu (Postfix) with ESMTP id F008E1486FD; Sun, 2 Mar 2014 16:25:29 +0100 (CET)
Received: from viper.local (unknown [158.64.15.194]) by smtp.restena.lu (Postfix) with ESMTPSA id C34B21486F5; Sun, 2 Mar 2014 16:25:29 +0100 (CET)
Message-ID: <53134D64.7080304@restena.lu>
Date: Sun, 02 Mar 2014 16:25:24 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Alejandro Perez Mendez <alex@um.es>, "radext@ietf.org" <radext@ietf.org>
References: <53107CBB.3020407@um.es>
In-Reply-To: <53107CBB.3020407@um.es>
X-Enigmail-Version: 1.6
OpenPGP: id=8A39DC66
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="02PINPucxcC9VxqaDeTnCwN8WcxJXtl88"
X-Virus-Scanned: ClamAV
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/BE119O8UsHncwsSA8gtcXosuHjs
Subject: Re: [radext] Issue with draft-ietf-radext-radius-fragmentation, pre-authorization phase and authentication attributes.
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Mar 2014 15:25:37 -0000

Hi,

> However, in draft-ietf-radext-radius-fragmentation, the first chunk of
> the pre-authorization phase may not contain any of these attributes,
> as it would depend on the type of the attributes being transported, as
> well as the specific distribution of these attributes along the
> different chunks. This issue would be circumscribed to this first
> chunk, as the rest will contain a State attribute, accepted by RFC 2865.
>
> draft-ietf-radext-radius-fragmentation already states that compliant
> servers will postpone all authorization and authentication handling
> until all of the chunks have been received. We have added (for version
> 04, that will be uploaded next Monday when the submission process
> reopen) some lines clarifying that this postponement also includes
> disabling the verification of the inclusion of authentication
> attributes until the original large packet has been rebuilt. Hence,
> any server implementing draft-ietf-radext-radius-fragmentation would
> not fail if the first chunk does not contain any authentication
> attribute.
>
> We expect that proxies will not drop these packets either, as
> otherwise they will be precluding any future extension foreseen by RFC
> 2865.

Which they are allowed to do. It's very arguable whether a proxy should
police this particular RFC constraint at all; but if it does, the
fragmentation process will be permanently DoSed.

> In our opinion, these lines are sufficient to overcome RFC2865's
> restriction. However, if the WG members think they are not, then we
> might need to include some kind of phony authentication attribute on
> this first chunk, just to make it compliant with what it would be
> generally expected. For example, an empty EAP-Message attribute
> (called EAP-Start in RFC 3579), or a phony CHAP-Password.

I would be against phony authentication attributes - especially since
the frag draft is very explicitly stating that it does not do any
authentication at all. Omitting authentication attributes makes it easy
to spot that this is an authorization exchange; adding a "CHAP-Password"
makes it unnecessarily hard.

I don't understand yet what the issue is that prevents adding a phony
*State* though. Couldn't you just state that a first-fragment gets two
new attributes? One being Frag-Status; the other one being a State
attribute which could be a fixed 0x0 (or allow arbitrary values and
simply discard server-side).

State shouldn't be in the original Access-Request before splitting
(because State is used in echoing a *server's* State attribute back, and
has no reason for existence in the first Access-Request); so if you add
one together with Frag-Status, it would be the only one; so there should
be no ambiguity...

Greetings,

Stefan Winter