IETF Logo Mail Archive

Re: [radext] Feedback solicited: Acct-Session-Id, Acct-Multi-Session-Id, Accounting-On/Off and Subsystem-On/Off

Bernard Aboba <bernard_aboba@hotmail.com> Tue, 13 October 2015 18:43 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B1051A8754 for <radext@ietfa.amsl.com>; Tue, 13 Oct 2015 11:43:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.609
X-Spam-Level:
X-Spam-Status: No, score=-1.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id woEypPe5TL3V for <radext@ietfa.amsl.com>; Tue, 13 Oct 2015 11:43:24 -0700 (PDT)
Received: from BLU004-OMC1S30.hotmail.com (blu004-omc1s30.hotmail.com [65.55.116.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B60681A6F05 for <radext@ietf.org>; Tue, 13 Oct 2015 11:40:09 -0700 (PDT)
Received: from BLU181-W43 ([65.55.116.8]) by BLU004-OMC1S30.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Tue, 13 Oct 2015 11:40:08 -0700
X-TMN: [KCn7MXC1KzVIqie1h3h0D4vrwaQR426r]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU181-W43C8A4C06F5ECAA0EB75FD93300@phx.gbl>
Content-Type: multipart/alternative; boundary="_b15bf432-a63e-4ac0-a0c4-7f6c43719872_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: "lionel.morand@orange.com" <lionel.morand@orange.com>, Nick Lowe <nick.lowe@lugatech.com>, "radext@ietf.org" <radext@ietf.org>
Date: Tue, 13 Oct 2015 11:40:08 -0700
Importance: Normal
In-Reply-To: <7190_1444233083_56153F7B_7190_15631_1_6B7134B31289DC4FAF731D844122B36E01D3D95B@OPEXCLILM43.corporate.adroot.infra.ftgroup>
References: <CAGnO3dpgytEmyf0Dk_0w9TbBM-6uav7z63LJ6WzpFoyw_jhKrw@mail.gmail.com>, <5654BCDA-9F97-44A4-97F1-EF0FBA3C715B@deployingradius.com>, <CAGnO3dogfPGcZNsrwqTp3nNvpAPtjx=5tvKvNH6xtvDfJb+kPQ@mail.gmail.com>, <BLU181-W342B673453E05BC255710C93370@phx.gbl>, <CAGnO3doM6m8WtU=KGJh+4hhPDu3f=t+6GE+bkVfLmgH0AanhvA@mail.gmail.com>, <CAGnO3dqEyjx9tFt_xW=Tp06a4aqS8Zm+KGWfqhFR8LtOb8xciw@mail.gmail.com>, <CAGnO3dqiyeUEi=1Gu3Y7pXiq0zy4-cLrvNDVWWAT2BOh7KfjJQ@mail.gmail.com>, <CAGnO3dqZLwwg5Bdcio+KdVHLaTTo1uHuiDWcFU-492ieivEvuw@mail.gmail.com>, <CAGnO3dpjmaDtr79YJr80HVz6OBHsSc4UjXg5MW=irwwM_uXHkw@mail.gmail.com>, <CAGnO3doVtTQqL3-ZOz8Oz4-8mnKno=FGUOuRMZMgp61wE5gLkg@mail.gmail.com>, <CAGnO3doQDfzRW-VjR5ZXm0cbaDJ7rnpdZSouLRpSmwkRjEq+yg@mail.gmail.com>, <CAGnO3drT+g7wGeRMsz0YXvPnLFA7tgKyZddxT7U6ofK0K78Qmg@mail.gmail.com>, <CAGnO3drQMCrVvzXZLhJ-R0F5mav8kLZuYSRLaFt1XK4URA34cg@mail.gmail.com>, <7190_1444233083_56153F7B_7190_15631_1_6B7134B31289DC4FAF731D844122B36E01D3D95B@OPEXCLILM43.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
X-OriginalArrivalTime: 13 Oct 2015 18:40:08.0854 (UTC) FILETIME=[960D8360:01D105E6]
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/EhvRTodoNuZBwgJ71f2Fevy9xfU>
Subject: Re: [radext] Feedback solicited: Acct-Session-Id, Acct-Multi-Session-Id, Accounting-On/Off and Subsystem-On/Off
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2015 18:43:32 -0000

I would also like to distinguish extensions to RFC 2866 (such as Accounting-On/Off) from revisions to RFC 2866. 
Assignment of new RADIUS op-codes requires Standards Action, so this cannot be done in an Informational RFC.  

Also, since RADIUS accounting is 20+ years old, revisions need to be backward compatible. 
> From: lionel.morand@orange.com
> To: nick.lowe@lugatech.com; radext@ietf.org
> Date: Wed, 7 Oct 2015 15:51:22 +0000
> Subject: Re: [radext] Feedback solicited: Acct-Session-Id, Acct-Multi-Session-Id, Accounting-On/Off and Subsystem-On/Off
> 
> Hi Nick,
> 
> To make the life easier for people not involved in previous (offline) discussions and receive feedback from RADEXT members, it would be better to:
> - have a separate email thread per proposed change, one for each attribute
> - provide a short summary of the issue triggering the proposed change
> - highlight the proposed changes (e.g. OLD/NEW)
> 
> Moreover, I have 2 short general comments:
> 
> - The proposed changes introduce the concept of " subsystem of NAS" that is not defined, nor in RFC2865/2865, nor in the proposed changes. It should be introduced somewhere. It would be then easier to understand the relationship between Called-Station-Id and NAS/subsystem as well as the proposed new values for Acct-Status-Type.
> 
> - For sake of clarity, it would be maybe easier to make the distinction between the definition of the attribute and how this attribute should be used depending on the context (with/without another attribute, etc.)
> 
> - It should be considered if everything related to session management could be captured in a separate section.
> 
> Regards,
> 
> Lionel
> 
> -----Message d'origine-----
> De : radext [mailto:radext-bounces@ietf.org] De la part de Nick Lowe
> Envoyé : mercredi 7 octobre 2015 15:35
> À : radext@ietf.org
> Objet : Re: [radext] Feedback solicited: Acct-Session-Id, Acct-Multi-Session-Id, Accounting-On/Off and Subsystem-On/Off
> 
> Reference to RFC 2866
> =====================
> 
> Acct-Status-Type
> 
>    Description
> 
>       This attribute indicates whether this Accounting-Request marks
>       the beginning of the user service (Start) or the end (Stop).
> 
>       It MAY be used by the client to mark the start of accounting for
>       the NAS (for example, upon booting) by specifying Accounting-On
>       and to mark the end of accounting for the NAS (for example, just
>       before a scheduled reboot) by specifying Accounting-Off.
> 
>       Where Accounting-On or Accounting-Off is specified, a
>       Called-Station-Id attribute SHOULD NOT be present.  In the case
>       that one is present, the value MUST apply to the whole NAS.
> 
>       It MAY be used by the client to mark the start of accounting for a
>       subsystem of the NAS (for example, when an IEEE 802.11 BSS becomes
>       available) by specifying Subsystem-On and to mark the end of
>       accounting for a subsystem of the NAS (for example, when an IEEE
>       802.11 BSS is no longer available) by specifying Subsystem-Off.
> 
>       Where Subsystem-On or Subsystem-Off is specified, a
>       Called-Station-Id attribute MUST be present.  The subsystem is
>       indicated by the value of the Called-Station-Id attribute.  It
>       MUST uniquely identify the subsystem to the NAS.
> 
>       It is strongly recommended that the value of the Called-Station-Id
>       attribute that is used for a session SHOULD match the value of the
>       Called-Station-Id that identifies the subsystem.
> 
>       The value of any Called-Station-Id attributes that are used in
>       accounting types that are session specific SHOULD match the value
>       used when Subsystem-On and Subsystem-Off are specified where they
>       come under the scope of that subsystem.
> 
>       A session MUST only come under the scope of one subsystem.
> 
>       For IEEE 802.11, this attribute SHOULD be used to store the
>       BSSID (upper case only) in ASCII format, with octet values
>       separated by a "-".
>       Example: "00-10-A4-23-19-C0".
>       Where the SSID is known, it SHOULD be appended to the BSSID in
>       UTF-8 format, separated from the BSSID with a ":".
>       Example "00-10-A4-23-19-C0:AP1".
> 
>       As IEEE 802.11 allows that SSIDs may be UTF-8 encoded, the SSID
>       MUST be UTF-8 encoded.
> 
>       Where transition occurs for user service from one one NAS to
>       another, the preceding session SHOULD end with a Stop and a new
>       session SHOULD begin with a Start.  This is strongly recommended.
>       An Acct-Multi-Session-Id SHOULD be present with the same value to
>       link together related sessions.  This is strongly recommended.
> 
>       Where transition occurs for user service from one one subsystem to
>       another, the preceding session MUST end with a Stop and a new
>       session MUST begin with a Start.  An Acct-Multi-Session-Id MUST be
>       present with the same value to link together related sessions.
> 
>       The Acct-Session-Id MUST be different for new sessions started
>       when transition occurs.
> 
>    A summary of the Acct-Status-Type attribute format is shown below.
>    The fields are transmitted from left to right.
> 
>     0                   1                   2                   3
>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |     Type      |    Length     |             Value
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>               Value (cont)         |
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> 
>    Type
> 
>       40 for Acct-Status-Type.
> 
>    Length
> 
>       6
> 
>    Value
> 
>       The Value field is four octets.
> 
>        1      Start
>        2      Stop
>        3      Interim-Update
>        7      Accounting-On
>        8      Accounting-Off
>        9-14   Reserved for Tunnel Accounting
>       15      Reserved for Failed
>       ??      Subsystem-On
>       ??      Subsystem-Off
> 
> Acct-Session-Id
> 
>    Description
> 
>       This attribute is a globally unique Accounting ID to make it
>       possible to match start and stop records.  The start and stop
>       records for a given session MUST have the same Acct-Session-Id.
>       An Accounting-Request packet MUST have an Acct-Session-Id.
>       An Access-Request packet MAY have an Acct-Session-Id; if it does,
>       then the NAS MUST use the same Acct-Session-Id in the
>       Accounting-Request packets for that session.
> 
>       It is strongly recommended that the Acct-Session-Id SHOULD contain
>       UTF-8 encoded 10646 [7] characters.  It MUST exhibit global and
>       temporal uniqueness.
> 
>       For example, an implementation may use a string with a UUID.
>       Other encodings are possible.
> 
>    A summary of the Acct-Session-Id attribute format is shown below.
>    The fields are transmitted from left to right.
> 
>     0                   1                   2
>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |     Type      |    Length     |  Text ...
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> 
>    Type
> 
>       44 for Acct-Session-Id.
> 
>    Length
> 
>       >= 3
> 
>    String
> 
>       The String field SHOULD be a string of UTF-8 encoded 10646 [7]
>       characters.
> 
> Acct-Multi-Session-Id
> 
>    Description
> 
>       This attribute is a globally unique Accounting ID to make it
>       possible to link together multiple related sessions.  Each session
>       linked together would have a globally unique Acct-Session-Id but
>       the same Acct-Multi-Session-Id.
> 
>       It is strongly recommended that the Acct-Multi-Session-Id SHOULD
>       contain UTF-8 encoded 10646 [7] characters.  It MUST exhibit
>       global and temporal uniqueness.
> 
>       For example, an implementation may use a string with a UUID.
>       Other encodings are possible.
> 
>    A summary of the Acct-Session-Id attribute format is shown below.
>    The fields are transmitted from left to right.
> 
>     0                   1                   2
>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |     Type      |    Length     |  String ...
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> 
>    Type
> 
>    50 for Acct-Multi-Session-Id.
>    Length
> 
>    >= 3
> 
>    String
> 
>    The String field SHOULD contain UTF-8 encoded 10646 [7] characters.
> 
> 
> Reference to RFC 3580
> =====================
> 
> Acct-Multi-Session-Id
> 
>    The purpose of this attribute is to make it possible to link together
>    multiple related sessions for IEEE 802.11.  While [IEEE8021X] does
>    not act on aggregated ports, it is possible for a Supplicant roaming
>    between Basic Service Sets or in failover accounting from one
>    Controller to another to cause multiple RADIUS accounting packets to
>    be sent by the same or different Access Points or Controllers.
> 
>    Where supported by the Access Points or the Controllers, the
>    Acct-Multi-Session-Id attribute can be used to link together the
>    multiple related sessions of a roaming Supplicant or in failover
>    accounting from one Controller to another.  In such a situation, if
>    the session context is transferred between Access Points or
>    Controllers, accounting packets MAY be sent without a corresponding
>    authentication and authorization exchange, provided that Association
>    has occurred.  However, in such a situation it is assumed that the
>    Acct-Multi-Session-Id is transferred between the Access Points or the
>    Controllers as part of the Inter-Access Point Protocol (IAPP) or
>    another handoff scheme.
> 
>    If the Acct-Multi-Session-Id were not globally unique between Access
>    Points and Controllers, then it is possible that the chosen
>    Acct-Multi-Session-Id will overlap with an existing value allocated
>    on that Access Point or Controller, and the Accounting Server would
>    therefore be unable to distinguish a roaming or failover session
>    from a multi-link session.
> 
>    In order to provide global uniqueness, it is suggested that the
>    Acct-Multi-Session-Id be a UUID that offers inherent global and
>    temporal uniqueness.
> 
>    An alternative construction for the Acct-Multi-Session-Id may be of
>    the form:
> 
>    BSSID | Supplicant MAC Address | NTP Timestamp
> 
>    Here "|" represents concatenation, the BSSID is the MAC address of
>    the BSS under which the session started, and the 64-bit NTP timestamp
>    indicates the beginning of the original session.  In order to provide
>    for consistency of the Acct-Multi-Session-Id between roaming or
>    failover sessions, the Acct-Multi-Session-Id may be moved between
>    Access Points or Controllers as part of IAPP or another handoff
>    scheme.
> 
>    The use of an Acct-Multi-Session-Id of this form should guarantee
>    uniqueness among all Basic Service Sets, Access Points, Supplicants,
>    Controllers and sessions.  Since the NTP timestamp does not wrap on
>    reboot, there is no possibility that a rebooted Access Point or
>    Controller could choose an Acct-Multi-Session-Id that could be
>    confused with that of a previous session once time synchronisation
>    has occurred.  The downside of this construction is that it is
>    dependent on time synchronisation having occurred.  For this reason,
>    a UUID is preferred.
> 
>    Since the Acct-Multi-Session-Id is of type String as defined in
>    [RFC2866], for use with IEEE 802.1X, it is encoded as an UTF-8 string
>    of Hex digits.  Example:  "00-10-A4-23-19-C0-00-12-B2-
>    14-23-DE-AF-23-83-C0-76-B8-44-E8"
> 
> Called-Station-Id
> 
>    For IEEE 802.1X Authenticators, this attribute is used to store the
>    bridge MAC address or IEEE 802.11 BSSID in ASCII format (upper case
>    only), with octet values separated by a "-".
>    Example: "00-10-A4-23-19-C0".
> 
>    For IEEE 802.11, where the SSID is known, it SHOULD be appended in
>    UTF-8 format to the BSSID, separated from the BSSID with a ":".
>    Example "00-10-A4-23-19-C0:AP1".
> 
>    As IEEE 802.11 allows that SSIDs may be UTF-8 encoded, the SSID MUST
>    be UTF-8 encoded.
> 
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
> 
> _________________________________________________________________________________________________________________________
> 
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
> 
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
> 
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email