IETF Logo Mail Archive

Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

Peter Deacon <peterd@iea-software.com> Wed, 21 August 2013 18:05 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A79AB11E83E3 for <radext@ietfa.amsl.com>; Wed, 21 Aug 2013 11:05:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y-ULET4uWYf4 for <radext@ietfa.amsl.com>; Wed, 21 Aug 2013 11:05:20 -0700 (PDT)
Received: from aspen.internal.iea-software.com (remote.iea-software.com [70.89.142.196]) by ietfa.amsl.com (Postfix) with ESMTP id 6F42F11E822C for <radext@ietf.org>; Wed, 21 Aug 2013 11:05:20 -0700 (PDT)
Received: from SMURF (unverified [10.0.3.195]) by aspen.internal.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005896216@aspen.internal.iea-software.com> for <radext@ietf.org>; Wed, 21 Aug 2013 11:05:19 -0700
Date: Wed, 21 Aug 2013 11:05:16 -0700
From: Peter Deacon <peterd@iea-software.com>
To: "radext@ietf.org" <radext@ietf.org>
In-Reply-To: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com>
Message-ID: <alpine.WNT.2.00.1308210755460.1748@SMURF>
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 18:05:26 -0000

On Fri, 9 Aug 2013, Jouni Korhonen wrote:

> Based on the discussion in Berlin we are ready to start another
> adoption call for the solution for fragmentation of RADIUS packets.

I would support this draft with narrower scope as interim solution 
addressing a specific use.

Have some concerns with draft as a general solution:

Section 2.

RFC5176 dynamic auth clients are not necessarily always RADIUS servers. 
We have production systems where CoA client and RADIUS server are separate 
with separate roles.  Seeing value in maintaining separation I do not 
favor Additional-Authorization.

Accounting proposal is not atomic and depends on assumptions about type of 
content.  (e.g long attribute not able to fit within 4096 byte limit 
cannot be transmitted)

Proposed 'T' bit in extended long attributes means existing systems 
supporting extended attributes may require enhancement to pass needed 
data.  Despite 'SHOULD' language from RFC6929 I do not believe it 
reasonable expectation proxy systems able to understand an attribute known 
to be broke would elect to forward such an attribute anyway.

General.

Attribute proxy not possible without proxy server modification to support 
draft.

Existing proxy servers not supporting draft may lose ability to 
understand/enforce policy when attribute fragmentation is used.

Section 5.

A policy of limiting large RADIUS UDP packets to MTU would about triple 
number of round trips needed to convey same information.

Section 10.

Message-Authenticator does not offer replay protection.  Recommend text 
"This signature prevents forging to the limits of the existing security."

regards,
Peter

v2.23.0 | Report a Bug | By Email