IETF Logo Mail Archive

Re: [radext] Proposed new charter text

Alan DeKok <aland@deployingradius.com> Thu, 30 April 2015 11:40 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BEAA1AD241 for <radext@ietfa.amsl.com>; Thu, 30 Apr 2015 04:40:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rx0djMy79s-A for <radext@ietfa.amsl.com>; Thu, 30 Apr 2015 04:40:24 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [195.154.231.44]) by ietfa.amsl.com (Postfix) with ESMTP id E21F71A1B2B for <radext@ietf.org>; Thu, 30 Apr 2015 04:40:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id B78F322406EB; Thu, 30 Apr 2015 13:40:22 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rv5cfOCAecII; Thu, 30 Apr 2015 13:40:22 +0200 (CEST)
Received: from [192.168.20.71] (198-84-181-115.cpe.teksavvy.com [198.84.181.115]) by power.freeradius.org (Postfix) with ESMTPSA id 923EF22403F5; Thu, 30 Apr 2015 13:40:21 +0200 (CEST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <5541DB22.1070406@restena.lu>
Date: Thu, 30 Apr 2015 07:40:19 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <253A6A19-40D5-40DB-876F-1B6B8B81BBE8@deployingradius.com>
References: <5502B836.5000100@restena.lu> <5541DB22.1070406@restena.lu>
To: Winter Stefan <stefan.winter@restena.lu>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/ImGGdYpfTVxcQPGYMFPbfPXUBoo>
Cc: radext@ietf.org
Subject: Re: [radext] Proposed new charter text
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Apr 2015 11:40:26 -0000

On Apr 30, 2015, at 3:34 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
> Some folks want the spec to tackle RFC5176's "Authorization Issues"
> security consideration, and there are ideas around this floating on the
> mailing list. Others just want to solve the routing issue, and leave the
> security issues for another document.

  The "Authorization Issues" section of 5176 is missing authorization issues for proxies.  The CoA proxying document has to have text addressing this issue.

  The consensus on the list was that there were two ways of addressing this issue:

a) the "reverse path forwarding" check from 5176

  and/or

b) requiring that Operator-NAS-Identifier be cryptographically secure, and impossible to forge.

  The only counter-point that I recall was that these solutions would be insufficient, for unspecified reasons.

> From the discussions on the list so far, I'm not seeing a clear
> direction, but I also don't want this to hold up the recharter.

  We had multiple people agreeing that the above approach was sufficient for the CoA proxy document.

  We need this document to be done soon.  There is WG consensus on it, and all we need is an updated draft which can be submitted for publication. 

> So, may I suggest a more general text; and that we leave the exact shape
> of the document to the WG process once the document is in-charter and
> the individual draft adopted?

  I would be opposed to this.  There is a clear problem statement: CoA proxying is unspecified.  There is a clear solution: Operator-Realm and Operator-NAS-Identifier.  There is consensus that the approach works, and is secure.  There is an implementation of CoA proxying with Operator-Name.  This solution is deployed in running environments.  The solution has been discussed for years in RADEXT.  There is a draft (which needs updates to reflect the latest WG discussion).

  The counter-point is to extend the document to solve an unspecified problem, with no solution, no draft, no implementation, etc.  Well, that's what new documents are for.

  We have WG consensus on a path for the CoA proxy document.  I welcome additional documents to solve other, unrelated, problems.   Problems which *everyone agrees* are unrelated to the CoA proxying issue.

  We can update 5176 with multiple documents.  But I find it disturbing that progress on one document can be shut down because of *additional*, unspecified work.  Adding random things to specification documents is a process best left for politics.  Last-minute "riders" are well-known there, and are discouraged in the IETF.

  We do not need WG unanimity.   We have broad consensus for the existing document, I believe we should go with that.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email