Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

Stefan Winter <stefan.winter@restena.lu> Fri, 23 August 2013 12:01 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D77F011E80FF for <radext@ietfa.amsl.com>; Fri, 23 Aug 2013 05:01:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.47
X-Spam-Level:
X-Spam-Status: No, score=-2.47 tagged_above=-999 required=5 tests=[AWL=0.129, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JygRz0huy1WB for <radext@ietfa.amsl.com>; Fri, 23 Aug 2013 05:01:27 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id D46F411E81B1 for <radext@ietf.org>; Fri, 23 Aug 2013 05:01:24 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 3BCD510589 for <radext@ietf.org>; Fri, 23 Aug 2013 14:01:22 +0200 (CEST)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 2E33610581 for <radext@ietf.org>; Fri, 23 Aug 2013 14:01:22 +0200 (CEST)
Message-ID: <52174F0D.4040103@restena.lu>
Date: Fri, 23 Aug 2013 14:01:17 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: radext@ietf.org
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <52146E31.1030701@restena.lu> <5214AE3C.4010909@deployingradius.com> <5214C457.70204@restena.lu> <52160FB0.30208@deployingradius.com>
In-Reply-To: <52160FB0.30208@deployingradius.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="FrniBkPmoDMjwXhBievuUSI29HlVtmKCA"
X-Virus-Scanned: ClamAV
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 12:01:27 -0000

Hi,

>> That doesn't seem right. If a proxy supports RFC6929, but not the
>> fragmentation draft, it will not know that the T flag exists and can't
>> react accordingly. It will see an M flag and some gibberish in the
>> Reserved field (which RFC6929 says should simply be ignored). It will
>> observe that the M flag requirements are violated and has every right to
>> drop the packet.
> 
>   Yes.  That presumes (a) everyone implements RFC 6929, and (b) those
> implementations get deployed to proxies.

Most RADIUS servers are versaitle enough to act as server and proxy;
Radiator has hinted towards 6929 support soon, and I believe your
FreeRADIUS is a reference implementation of it since a long time. Both
can proxy, and both are in wide-spread use.

I think the issue is not artificial; it may well bite a deployment in
its backside.

That's not the end of the world though; simply adding a sentence in the
draft such a case exists and that deployments need to take care that
their deployed implementation(s) don't stumble over this.

>   I think initially the idea is to have fragmentation from server to
> server.  i.e. few (if any) APs will be implementing it.  So the issue
> becomes less relevant.

Aha! I had the impression that authz exchanges in the ABFAB world go all
the way from/to the RADIUS client that does the whole GSS EAP magic. And
that this is the equivalent of an "AP" in the non-network-access use case.

>   A server local to the AP can track a users session, including SSID.
> And then make proxy decisions based on that.  The proxies in the wider
> network will *not* know about the site's SSID, and will *not* be basing
> proxy decisions on it.

That's something I can live with. Again, documenting in the draft that
User-Name is the only proxying criterion would be enough for me then.
Maybe a second one explaining that client to first-server is not in
scope/has complexities that can make the use of this draft hard/unsuitable.

Greetings,

Stefan

> 
>   Alan DeKok.
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473