Re: [radext] Meeting laundry list
Stefan Winter <stefan.winter@restena.lu> Wed, 20 March 2013 09:12 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A144D21F86DC for <radext@ietfa.amsl.com>; Wed, 20 Mar 2013 02:12:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yJ7M6Hyll-Ok for <radext@ietfa.amsl.com>; Wed, 20 Mar 2013 02:12:12 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id 86F4221F8667 for <radext@ietf.org>; Wed, 20 Mar 2013 02:12:12 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id E80D21058E for <radext@ietf.org>; Wed, 20 Mar 2013 10:12:11 +0100 (CET)
Received: from aragorn.restena.lu (unknown [IPv6:2001:a18:1:8:2c8d:1153:26f:7c78]) by smtprelay.restena.lu (Postfix) with ESMTPS id D510E1057F for <radext@ietf.org>; Wed, 20 Mar 2013 10:12:11 +0100 (CET)
Message-ID: <51497D67.2090604@restena.lu>
Date: Wed, 20 Mar 2013 10:12:07 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130307 Thunderbird/17.0.4
MIME-Version: 1.0
To: radext@ietf.org
References: <alpine.WNT.2.00.1303130928300.1880@littlesmurf> <514824E0.1000506@restena.lu> <alpine.WNT.2.00.1303190718130.2600@SMURF> <51488260.7080002@deployingradius.com>
In-Reply-To: <51488260.7080002@deployingradius.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="----enig2UWETPPXFSPQQEREXNXUA"
X-Virus-Scanned: ClamAV
Subject: Re: [radext] Meeting laundry list
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2013 09:12:13 -0000
Hi, >> I don't know that "overload" is applicable in this context or why it >> couldn't be used for multiple purposes concurrently. > > Yeah. Fill it with whatever makes you happy. > >> We don't really know generally what constitutes a "loop" or granularity >> of the system box (Parts of one server or entire groups of servers). >> Messages may be able to loop back for another round of processing after >> being sent outside the admin domain. > > I agree. I think using an opaque token is a good idea. Using an IP > address is more fragile, and prone to disclosing private information. Sure; my use of "(or other halfways unique ID)" is basically about cases where one needs to control granularity. E.g. I have two redundant servers in failover: tld1.eduroam.lu and tld2.eduroam.lu - the ID could then be "tld.eduroam.lu" to indicate that the packet went through either of the two already and shouldn't come back later. Of course even loops that ping-pong between multiple hops would eventually be detected, as soon as the packet comes back to one of the servers which used his own mark. So in effect any random value is good enough, doesn't have to be an IP address. It has to be random enough though, so that no two hops accidently use the same ID. >> Perhaps some general guidance or blunt tools like TTLs on stack of >> proxy-states. > > FreeRADIUS just has a config option which says "too many". It's good > for blunt checks. > > Having some guidance for detecting proxy loops would be good. Yes! It's good to hear that Peter's implementation does some magic with Proxy-State - but it would be even better to write down something like that for every implementation's benefit. E.g. in FreeRADIUS Proxy-State is not under config control and it doesn't do such clever comparisons yet. With a good spec, this could become a config switch "do_loop_checks" which would do all that Proxy-State magic automatically, without any fiddling with VSAs and such. I wonder if Peter feels like putting this into an I-D...? Greetings, Stefan Winter > > Alan DeKok. > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext > -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
- [radext] Meeting laundry list Peter Deacon
- Re: [radext] Meeting laundry list Alan DeKok
- Re: [radext] Meeting laundry list Stefan Winter
- Re: [radext] Meeting laundry list Peter Deacon
- Re: [radext] Meeting laundry list Alan DeKok
- Re: [radext] Meeting laundry list Stefan Winter