IETF Logo Mail Archive

Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

Alan DeKok <aland@deployingradius.com> Mon, 02 September 2013 20:23 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1397121F9D0D for <radext@ietfa.amsl.com>; Mon, 2 Sep 2013 13:23:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3wGqfpXmkg1N for <radext@ietfa.amsl.com>; Mon, 2 Sep 2013 13:23:36 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 22C7821F9CE2 for <radext@ietf.org>; Mon, 2 Sep 2013 13:23:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 359FC22400FB; Mon, 2 Sep 2013 22:23:27 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wanm0LxYWszw; Mon, 2 Sep 2013 22:23:26 +0200 (CEST)
Received: from Thor-2.local (unknown [70.50.218.116]) by power.freeradius.org (Postfix) with ESMTPSA id 75F0122400EF; Mon, 2 Sep 2013 22:23:26 +0200 (CEST)
Message-ID: <5224F3BE.4070902@deployingradius.com>
Date: Mon, 02 Sep 2013 16:23:26 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Peter Deacon <peterd@iea-software.com>
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <alpine.WNT.2.00.1308210755460.1748@SMURF> <5224AB2B.7000808@deployingradius.com> <alpine.WNT.2.00.1309020919250.2692@SMURF>
In-Reply-To: <alpine.WNT.2.00.1309020919250.2692@SMURF>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Sep 2013 20:23:42 -0000

Peter Deacon wrote:
> Seems like a fairly common and obvious security 101 precaution in our
> (my) space you just don't forward what you know to be broke especially
> where it involves authentication/authorization parameters.  I see no
> reason at all to allow such behavior to take place.

  As I've said before, that attitude could prevent *any* new
functionality from being deployed.

  Some proxy implementations discarded any attributes which were not in
the local dictionary.  This idiocy isn't forbidden by the previous RFCs,
but is finally discouraged by 6929.  It prevents *any* changes to
RADIUS, which is madness.

> My opinion there certainly is value in administrative configuration
> allowing forwarding of unknown attributes.  I encourage all vendors to
> provide such an option to their customers.
> 
> Whether this is done or not seems to be orthogonal to the issue of
> rejecting a known attribute you know to be malformed.

  No.  A known attribute which uses fields that had previously been
marked "reserved".  And even if it is malformed, there are ways to deal
with it.

> Regarding #2
> 
> As far as I'm concerned this is ancient history, has been for years and
> irrelevant in 2013.

  No.  Vendors still ship equipment which poaches on the standard space.
 Deployments still rely on those attributes.  Eduroam was running into
issues with these attributes in the recent past.  With widely-used,
in-support commercial RADIUS servers.

> As with #1 the underlying issue seems to be orthogonal.  With this issue
> the conflict is invoked by systems not agreeing on attribute "type". In
> case of fragment draft "type" is not in question.  The problem here a
> type's format has been changed retroactively in an incompatible manner.

  I disagree, for reasons I've stated.

> My recommendation going forward is to find an alternative option which
> does not depend on incompatible M flag behavior.
> 
> One option in the definition of any long attributes to convey
> eduroam/SAML data specify how partial content should be handled and
> allocate new flags to effect inter-packet continuation without changing
> existing behavior.

  Where would those "new flags" exist?  In a new attribute format?

  Creating a brand-new incompatible standard isn't a solution to another
(allegedly) incompatible standard.

  For me, it's a simple principle.  Proxies have NO BUSINESS mucking
around with attributes they don't understand.  If the RADIUS packet is
well formed, the attributes (understood or not) should be sent onwards.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email