IETF Logo Mail Archive

Re: [radext] Extended IDs

Peter Deacon <peterd@iea-software.com> Wed, 13 December 2017 00:52 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5E9C12711D for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 16:52:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 46SPeuWfRU1G for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 16:52:50 -0800 (PST)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id 21D0C126CBF for <radext@ietf.org>; Tue, 12 Dec 2017 16:52:48 -0800 (PST)
Received: from smurf (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0006062020@aspen.iea-software.com>; Tue, 12 Dec 2017 16:52:47 -0800
Date: Tue, 12 Dec 2017 16:52:50 -0800
From: Peter Deacon <peterd@iea-software.com>
To: "Naiming Shen (naiming)" <naiming@cisco.com>
cc: "radext@ietf.org" <radext@ietf.org>
In-Reply-To: <AE2036D0-1294-45B5-A0D7-16F91E0B4248@cisco.com>
Message-ID: <alpine.WNT.2.21.1.1712121615090.2252@smurf>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <933E6F70-A7C1-4168-9AC9-F925EF78D9E2@jisc.ac.uk> <AE2036D0-1294-45B5-A0D7-16F91E0B4248@cisco.com>
User-Agent: Alpine 2.21.1 (WNT 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/IIIk15kOOrSa68X2AtWl6kvvbAg>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 00:52:52 -0000

On Wed, 13 Dec 2017, Naiming Shen (naiming) wrote:

> Third, if assume an operation completely messed up, and leaking this
> extended-ID towards the home-server, I still need to see a good example
> on what the harm is that, and why this can not be debugged. The draft
> I agree needs to add some text on various cases and how to debug
> those in each of them.

Offered an example in my initial response.  More detail below.

Request:
[+Client]  ---> [-Proxy A] ---> [+Proxy B] --> ...

Response:
... ---> [+Proxy B] ---> [-Proxy A] ---> [+Client]

+ supports extended id
- does not support extended id


Assumptions:

- Proxy A performs duplicate detection over (src ip/port) + id.
- Requests transmitted from Client /w extended ID.
- Client receives responses /w extended ID courtesy of Proxy B.


This scenario can easily result in high numbers of intermittently dropped 
packets because Proxy A is intentionally dropping what it believes are 
duplicates.  Proxy A does not implement extended id and so has no idea 
what is going on nor instrumented to know anything about extended id.

Client is similarly clueless.  It sees extended id requests AND extended 
id responses /w intermittent packet loss.  It has no clue the upstream 
proxy it is directly communicating does not support extended id.  There is 
no way for it to know.

>From the client perspective it would in my experience likely be very 
difficult for an operator to troubleshoot this kind of intermittent 
failure one that gets progressively worse as load increases unless they 
had an unrealistically high degree of technical knowledge.


This problem DOES NOT exist /w ORA because any and all such 
misconfiguration always results in client seeing no valid response at all. 
This is an acceptable response to misconfiguration.

A client receiving bogus ORA from some other peer or no ORA at all is free 
to complain loudly explicitly alerting operators of misconfiguration. 
This option simply is not possible /w extended id.

regards,
Peter

v2.23.0 | Report a Bug | By Email