IETF Logo Mail Archive

Re: [radext] RADIUS case study

"Romascanu, Dan (Dan)" <dromasca@avaya.com> Wed, 22 February 2012 12:43 UTC

Return-Path: <radext-bounces@ietf.org>
X-Original-To: radext-archive-IeZ9sae2@lists.ietf.org
Delivered-To: ietfarch-radext-archive-IeZ9sae2@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89FC221F8702; Wed, 22 Feb 2012 04:43:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1329914588; bh=FHVXcA07H/eXqLt60mGL+voYVsTo25udxxvbR1fhbgc=; h=MIME-Version:Date:Message-ID:In-Reply-To:References:From:To: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Sender; b=KBTZU5me6y7WT9i+qMwH4YoRgY/CS6o2+5G4Fd/DYSR7kJmWDMBEXbnl/G+mWZ1h/ cn4GfCETovj8dxiK64lb2/YRJKex4TViFU4yBC454GjaMJKWBhpXF+3AQoNuLcB9dQ uoWpx72NQk7HGyYK261W0XC4apomB7NnBvvY8jFY=
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8387421F8702 for <radext@ietfa.amsl.com>; Wed, 22 Feb 2012 04:43:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.355
X-Spam-Level:
X-Spam-Status: No, score=-103.355 tagged_above=-999 required=5 tests=[AWL=0.243, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5XfbfOvgbpnx for <radext@ietfa.amsl.com>; Wed, 22 Feb 2012 04:43:03 -0800 (PST)
Received: from de307622-de-outbound.net.avaya.com (de307622-de-outbound.net.avaya.com [198.152.71.100]) by ietfa.amsl.com (Postfix) with ESMTP id 79D9421F85C2 for <radext@ietf.org>; Wed, 22 Feb 2012 04:43:01 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhgFAMPhRE/GmAcF/2dsb2JhbABDgk2nAgGJFYEHgXMBAQEBAxIKEQNZAgEIDQQEAQELBgwLAQYBRQkIAQEEARIIGodom1+cH4ligncIFkwDEYUiBUcGGoJZYwSbN4xvgVIFAw
X-IronPort-AV: E=Sophos; i="4.73,464,1325480400"; d="scan'208,217"; a="292689390"
Received: from unknown (HELO co300216-co-erhwest.avaya.com) ([198.152.7.5]) by de307622-de-outbound.net.avaya.com with ESMTP; 22 Feb 2012 07:42:59 -0500
Received: from unknown (HELO 307622ANEX5.global.avaya.com) ([135.64.140.13]) by co300216-co-erhwest-out.avaya.com with ESMTP; 22 Feb 2012 07:36:14 -0500
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 22 Feb 2012 13:42:56 +0100
Message-ID: <EDC652A26FB23C4EB6384A4584434A04074ADAF2@307622ANEX5.global.avaya.com>
In-Reply-To: <BLU152-ds11958DA48659C34D48679693670@phx.gbl>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [radext] RADIUS case study
Thread-Index: AczwuIaWV3kRsIMFSi2g60l8HYt5QAApsxQg
References: <BLU152-ds11958DA48659C34D48679693670@phx.gbl>
From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>, radext@ietf.org
Subject: Re: [radext] RADIUS case study
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1050145191938304792=="
Sender: radext-bounces@ietf.org
Errors-To: radext-bounces@ietf.org

Bernard,

 

This is an IAB document - what is its status? Was it approved by the
IAB? Is it still work-in-progress and you / the IAB are soliciting
comments? 

 

Dan

 

 

From: radext-bounces@ietf.org [mailto:radext-bounces@ietf.org] On Behalf
Of Bernard Aboba
Sent: Tuesday, February 21, 2012 6:52 PM
To: radext@ietf.org
Subject: [radext] RADIUS case study

 

The IAB is working on a document entitled  "Design Considerations for
Protocol Extensions"
<http://tools.ietf.org/html/draft-iab-extension-recs> , which includes a
RADIUS case study in Appendix A.2. 

The text of the RADIUS case study is included below.   Comments welcome.


 

A.2.  RADIUS Extensions

 

   The RADIUS [RFC2865] protocol was designed to be extensible via

   addition of Attributes to a Data Dictionary on the server, without

   requiring code changes.  However, this extensibility model assumed

   that Attributes would conform to a limited set of data types and that

   vendor extensions would be limited to use by vendors, in situations

   in which interoperability was not required.  Subsequent developments

   have stretched those assumptions.

 

   From the beginning, uses of the RADIUS protocol extended beyond the

   scope of the original protocol definition (and beyond the scope of

   the RADIUS Working Group charter).  In addition to rampant self-

   allocation within the limited RADIUS standard attribute space,

   vendors defined their own RADIUS commands.  This lead to the rapid

   proliferation of vendor-specific protocol variants.  To this day,

   many common implementation practices have not been documented.  As

   noted in "Extended RADIUS Practices" [RFC2882] Section 1:

 

      The RADIUS Working Group was formed in 1995 to document the

      protocol of the same name, and was chartered to stay within a set

      of bounds for dial-in terminal servers.  Unfortunately the real

      world of Network Access Servers (NASes) hasn't stayed that small

      and simple, and continues to evolve at an amazing rate.

 

      This document shows some of the current implementations on the

      market have already outstripped the capabilities of the RADIUS

      protocol.  A quite a few features have been developed completely

      outside the protocol.  These features use the RADIUS protocol

      structure and format, but employ operations and semantics well

      beyond the RFC documents.

 

   The limited set of data types defined in [RFC2865] has lead to

   subsequent documents defining new data types.  Since new data types

   are typically defined implicitly as part of defining a new attribute,

   and because RADIUS client and server implementations differ in their

   support of these additional specifications, there is no definitive

   registry of RADIUS data types and data type support has been

   inconsistent.  To catalog commonly implemented data types as well as

   to provide guidance for implementers as well as attribute designers,

   "RADIUS Design Guidelines" [RFC6158] Section 2.1 includes advice on

   basic and complex data types.  Unfortunately, these guidelines were

   published 14 years after the RADIUS protocol was first documented in

   [RFC2058].

 

   Section 6.2 of the RADIUS specification [RFC2865] defines a mechanism

   for Vendor-Specific extensions (Attribute 26), and states that use of

   Vendor-Specific extensions:

 

      should be encouraged instead of allocation of global attribute

      types, for functions specific only to one vendor's implementation

      of RADIUS, where no interoperability is deemed useful.

 

   However, in practice usage of Vendor-Specific Attributes (VSAs) has

   been considerably broader than this.  In particular, VSAs have been

   used by Standards Development Organizations (SDOs) to define their

   own extensions to the RADIUS protocol.  This has caused a number of

   problems.

 

   One issue concerns the data model for VSAs.  Since it was not

   envisaged that multi-vendor VSA implementations would need to

   interoperate, the RADIUS specification [RFC2865] does not define the

   data model for VSAs, and allows multiple sub- attributes to be

   included within a single Attribute of type 26.  Since this enables

   VSAs to be defined which would not be supportable by current

   implementations if placed within the standard RADIUS attribute space,

   this has caused problems in standardizing widely deployed VSAs, as

   discussed in "RADIUS Design Guidelines" BCP 158 [RFC6158].

 

   Another issue is how implementations should handle unknown VSAs.

   [RFC2865] Section 5.26 states:

 

      Servers not equipped to interpret the vendor-specific information

      sent by a client MUST ignore it (although it may be reported).

      Clients which do not receive desired vendor-specific information

      SHOULD make an attempt to operate without it, although they may do

      so (and report they are doing so) in a degraded mode.

 

   However, since VSAs do not contain a "mandatory" bit, RADIUS clients

   and servers may not know whether it is safe to ignore unknown VSAs.

   For example, in the case where VSAs pertain to security (e.g.

   Filters), it may not be safe to ignore them.  As a result, "Common

   Remote Authentication Dial In User Service (RADIUS) Implementation

   Issues and Suggested Fixes" [RFC5080] Section 2.5 includes the

   following caution:

 

      To avoid misinterpretation of service requests encoded within

      VSAs, RADIUS servers SHOULD NOT send VSAs containing service

      requests to RADIUS clients that are not known to understand them.

      For example, a RADIUS server should not send a VSA encoding a

      filter without knowledge that the RADIUS client supports the VSA.

 

   In addition to extending RADIUS by use of VSAs, SDOs have also

   defined new values of the Service-Type attribute in order to create

   new RADIUS commands.  Since the RADIUS specification [RFC2865]

   defined Service-Type values as being allocated First Come, First

   Served (FCFS), this permitted new RADIUS commands to be allocated

   without IETF review.  This oversight has since been fixed in "IANA

   Considerations for RADIUS" [RFC3575].


_______________________________________________
radext mailing list
radext@ietf.org
https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email