Re: [radext] Extended IDs
Peter Deacon <peterd@iea-software.com> Wed, 13 December 2017 00:52 UTC
Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5E9C12711D for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 16:52:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 46SPeuWfRU1G for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 16:52:50 -0800 (PST)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id 21D0C126CBF for <radext@ietf.org>; Tue, 12 Dec 2017 16:52:48 -0800 (PST)
Received: from smurf (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0006062020@aspen.iea-software.com>; Tue, 12 Dec 2017 16:52:47 -0800
Date: Tue, 12 Dec 2017 16:52:50 -0800
From: Peter Deacon <peterd@iea-software.com>
To: "Naiming Shen (naiming)" <naiming@cisco.com>
cc: "radext@ietf.org" <radext@ietf.org>
In-Reply-To: <AE2036D0-1294-45B5-A0D7-16F91E0B4248@cisco.com>
Message-ID: <alpine.WNT.2.21.1.1712121615090.2252@smurf>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <933E6F70-A7C1-4168-9AC9-F925EF78D9E2@jisc.ac.uk> <AE2036D0-1294-45B5-A0D7-16F91E0B4248@cisco.com>
User-Agent: Alpine 2.21.1 (WNT 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/IIIk15kOOrSa68X2AtWl6kvvbAg>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 00:52:52 -0000
On Wed, 13 Dec 2017, Naiming Shen (naiming) wrote: > Third, if assume an operation completely messed up, and leaking this > extended-ID towards the home-server, I still need to see a good example > on what the harm is that, and why this can not be debugged. The draft > I agree needs to add some text on various cases and how to debug > those in each of them. Offered an example in my initial response. More detail below. Request: [+Client] ---> [-Proxy A] ---> [+Proxy B] --> ... Response: ... ---> [+Proxy B] ---> [-Proxy A] ---> [+Client] + supports extended id - does not support extended id Assumptions: - Proxy A performs duplicate detection over (src ip/port) + id. - Requests transmitted from Client /w extended ID. - Client receives responses /w extended ID courtesy of Proxy B. This scenario can easily result in high numbers of intermittently dropped packets because Proxy A is intentionally dropping what it believes are duplicates. Proxy A does not implement extended id and so has no idea what is going on nor instrumented to know anything about extended id. Client is similarly clueless. It sees extended id requests AND extended id responses /w intermittent packet loss. It has no clue the upstream proxy it is directly communicating does not support extended id. There is no way for it to know. >From the client perspective it would in my experience likely be very difficult for an operator to troubleshoot this kind of intermittent failure one that gets progressively worse as load increases unless they had an unrealistically high degree of technical knowledge. This problem DOES NOT exist /w ORA because any and all such misconfiguration always results in client seeing no valid response at all. This is an acceptable response to misconfiguration. A client receiving bogus ORA from some other peer or no ORA at all is free to complain loudly explicitly alerting operators of misconfiguration. This option simply is not possible /w extended id. regards, Peter
- [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Robert Raszuk
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Astrid Smith
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stig Venaas
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Arran Cudbard-Bell
- Re: [radext] Extended IDs peter
- Re: [radext] Extended IDs Bernard Aboba
- Re: [radext] Extended IDs Alan DeKok
- [radext] FW: Extended IDs Albert Tian
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs David Carrel
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Jun Zhuang
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alexander Clouter