Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
Stefan Winter <stefan.winter@restena.lu> Wed, 21 August 2013 13:45 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5D2011E83C9 for <radext@ietfa.amsl.com>; Wed, 21 Aug 2013 06:45:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.419
X-Spam-Level:
X-Spam-Status: No, score=-2.419 tagged_above=-999 required=5 tests=[AWL=0.180, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 72AyE722pT52 for <radext@ietfa.amsl.com>; Wed, 21 Aug 2013 06:45:02 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id 1B94711E83AD for <radext@ietf.org>; Wed, 21 Aug 2013 06:45:00 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 05F4810589; Wed, 21 Aug 2013 15:45:00 +0200 (CEST)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id E401410581; Wed, 21 Aug 2013 15:44:59 +0200 (CEST)
Message-ID: <5214C457.70204@restena.lu>
Date: Wed, 21 Aug 2013 15:44:55 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: radext@ietf.org
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <52146E31.1030701@restena.lu> <5214AE3C.4010909@deployingradius.com>
In-Reply-To: <5214AE3C.4010909@deployingradius.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="VeBegtwmS3JNAQ7u9loQ15uCx4gSu9577"
X-Virus-Scanned: ClamAV
Cc: Alan DeKok <aland@deployingradius.com>
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 13:45:04 -0000
Hi, > The PMTU / 4096 octet problem is one which I think should be supported > by the draft. Telling operators to "fix their equipment" works in some > cases. In others, it's useful to be able to fragment at sizes which are > *known* to work. I don't have particularly hard feelings about this; so if there's use for it, the text can also stay as it is. > Fragmentation in this draft is only for authorization (Access-Request > / Access-Accept). CoA can be done via sending a CoA with "Service-Type > = Additional-Authorization". The client should then do fragmentation as > per the draft. It's just too much to add fragmentation in multiple > places in the protocol. That's how I understood the first two paras in the document. The third one seemed to deal with the CoA-ACK/NAK replies, but there I got lost why these would need to be fragmented. > Additional fragmentation in proxies can be done. But it likely > involves re-assembly and subsequent re-sending / re-fragmentation of the > entire data. Doing "on the fly" additional fragmentation is just too > hard (IMHO). So it would suffice to state that chunks are not supposed to be fragmented as-is; they need to be re-assembled into the long packet, and then that needs to be chunked again. > We need a new flag for extended-type attributes. Each Access-Request > / Access-Accept packet MUST be a perfect RADIUS packet in and of > itself. Some proxies MAY support RFC 6929, and will toss the packet if > it isn't formatted correctly. i.e. if the attribute fragments "fall > off" the end of a packet. That doesn't seem right. If a proxy supports RFC6929, but not the fragmentation draft, it will not know that the T flag exists and can't react accordingly. It will see an M flag and some gibberish in the Reserved field (which RFC6929 says should simply be ignored). It will observe that the M flag requirements are violated and has every right to drop the packet. > Fragmentation doesn't work with Access-Challenge. There was a lot of > discussion between the draft authors about this. The fragmentation is > *only* for authorization. And it carries *only* authorization data, not > authentication data. Think of it as pausing an existing RADIUS > conversation, and inserting a "fragmented data" exchange. That's understood; I didn't want Access-Challenge packets to be fragmented. My concern was that an initial (long) Access-Request needs to be fragmented, but that upon completing its reassembly, the server side finds that it is in the middle of an exchange which requires Access-Challenge as a subsequent packet. It must be possible to finalise the fragmented packet reassambly not just with an Accept or Reject; it may need to be a Challenge to complete the subsequent authentication that is done after the pre-authz. > We're assuming that proxy decisions are made via User-Name. If it's > done via anything else... well... sorry, but it won't work. There are > trade-offs which have to be made. > > And eduroam proxying via SSID is just weird. Isn't the SSID for > eduroam just "EDUROAM"? Sure it is. But you may be participating in more than one consortium with your hotspot. Imagine a single access point which is part of "eduroam" and "S-Mobile"; and emits both SSIDs. Both consortia use RADIUS auth; the access point is dumb and only knows "its" authentication server. At that point, the RADIUS server which gets the AP's packet needs to realise: if a user tried to log into the eduroam SSID, I'll proxy the packet to eduroam infrastructure; if the user tried S-Mobile, I'll proxy to their infrastructure. That's real life (but not on very many sites, as far as I can see). "Sorry" may well be the appropriate answer. But that answer should be written explicitly into the draft. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
- [radext] Adoption call for draft-perez-radext-rad… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Diego R. Lopez
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Sanchez, Mauricio
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Diego R. Lopez