Re: [radext] Extended Identifiers: is manual configuration in scope?
Alan DeKok <aland@deployingradius.com> Thu, 14 December 2017 15:14 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46EF4126DED for <radext@ietfa.amsl.com>; Thu, 14 Dec 2017 07:14:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ufyFTjTnJ020 for <radext@ietfa.amsl.com>; Thu, 14 Dec 2017 07:14:04 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id AE7B012932A for <radext@ietf.org>; Thu, 14 Dec 2017 07:14:04 -0800 (PST)
Received: from [192.168.2.25] (198-84-205-59.cpe.teksavvy.com [198.84.205.59]) by mail.networkradius.com (Postfix) with ESMTPSA id 895D9AC4; Thu, 14 Dec 2017 15:14:03 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <bf0f5d3d-333c-b871-afbf-1a59be5d5bb1@restena.lu>
Date: Thu, 14 Dec 2017 10:14:01 -0500
Cc: "radext@ietf.org" <radext@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E407FDC8-2DE3-4598-8801-23D645449FBA@deployingradius.com>
References: <bf0f5d3d-333c-b871-afbf-1a59be5d5bb1@restena.lu>
To: Winter Stefan <stefan.winter@restena.lu>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/FDcBTLNhF22xGm9PZbB-oJinD9k>
Subject: Re: [radext] Extended Identifiers: is manual configuration in scope?
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Dec 2017 15:14:07 -0000
On Dec 14, 2017, at 9:43 AM, Stefan Winter <stefan.winter@restena.lu> wrote: > Is a manually configured mode of operation considered in scope? Yes. https://tools.ietf.org/html/draft-dekok-radext-request-authenticator-03#section-8.1 Clients SHOULD have an configuration flag which lets administators statically configure this behavior for a server. Clients MUST otherwise negotiate this functionality before using it. > I.e. do you consider it a valid use case that an implementation presents > administrators with a configuration option "Enable Extended > Identifiers", and that the implementation starts making use of that > feature /without/ a capability negotiation using Status-Server with its > next-hop peer? Yes. We have manual configuration for many other things in RADIUS. I think it should be allowed unless there is a strong technical reason to forbid it. On a related note, I'd like a more detailed discussion about the subject of negotiation. What happens during negotiation? i.e. it's easy to say "send status-server and wait for access-accept with ACK or NACK". But what *else* happens? - are all *other* packets blocked until the client receives an ACK or a NACK? - i.e. does the client sit on all outgoing packets until such time as it receives a response? - what if the server doesn't support Status-Server and never responds? - when should the client time out? - should the client do the negotiation per connection (or for UDP src/dst IP/port combination) - if not, why not? - if so, why? - what happens if the client stops sending packets for a while? - should it restart negotiation if there have been no packets? - if so, what are the timeouts? - if the server sends an old-style reply after negotiating the functionality, can it be matched to an outstanding packet? My concern is that it's easy to say "negotiate functionality". The code changes may even be small. But the hard part of coding isn't implementing a particular piece of functionality. It's ensuring that the program behaves correctly in corner cases, or when things go wrong. Taking a look at the patch posted earlier: https://mailarchive.ietf.org/arch/msg/radext/BkXgD68MASxqD4vjXV1M2CaRWAY None of these issues are handled. I suspect that dealing with these corner cases will make the code much more complex. Much of the verbiage in draft-dekok is there in order to deal with these issues. As an implementor, the draft is written with an eye to dealing with *all* corner cases. It gives technical reasons for the decisions, it discusses the pros and cons of these decisions, and it gives guidelines for implementors. The result is a draft which is *much* more complex than "add a 32-bit ID to a packet". But that complexity highlights the complex nature of the protocol, instead of waving it away. I'd be happier with draft-chen if it could be shown that all of these issues are addressed in a *simpler* manner than in draft-dekok. While I'm concerned with the possibility of "leaking" the extended-ID, implementation simplicity should be a serious consideration, too. Alan DeKok.
- [radext] Extended Identifiers: is manual configur… Stefan Winter
- Re: [radext] Extended Identifiers: is manual conf… Alan DeKok
- Re: [radext] Extended Identifiers: is manual conf… Enke Chen
- Re: [radext] Extended Identifiers: failure modes Stefan Winter
- Re: [radext] Extended Identifiers: failure modes Alan DeKok