[radext] (belated) AD review of draft-ietf-radext-coa-proxy-04
Benjamin Kaduk <kaduk@mit.edu> Sat, 14 July 2018 22:22 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F7DC130F16; Sat, 14 Jul 2018 15:22:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fL27606nqz2E; Sat, 14 Jul 2018 15:21:58 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 524D4130E6E; Sat, 14 Jul 2018 15:21:55 -0700 (PDT)
X-AuditID: 12074424-92fff70000002712-f7-5b4a77829752
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id AF.EA.10002.2877A4B5; Sat, 14 Jul 2018 18:21:54 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w6EMLqkh009345; Sat, 14 Jul 2018 18:21:53 -0400
Received: from mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w6EMLnYK002750 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 14 Jul 2018 18:21:51 -0400
Date: Sat, 14 Jul 2018 17:21:49 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: draft-ietf-radext-coa-proxy.all@ietf.org
Cc: radext@ietf.org
Message-ID: <20180714222148.GP59001@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrAIsWRmVeSWpSXmKPExsUixCmqrdtU7hVt0DxB3OL8m//sFi2vZrI5 MHksWfKTKYAxissmJTUnsyy1SN8ugStj6r+1zAXLrSpWN+9lbGD8pdfFyMkhIWAi8aTxK1sX IxeHkMBiJok1ixpZIZyNjBLTZuyEcs4yScz/sJ8ZpIVFQFXizbZWdhCbTUBFoqH7MlhcREBH 4s6iqywgNrOAsMTGU+uZQGxhATuJ/q0Twep5gWo6DnUyQ9iCEidnPoGq15K48e8lUD0HkC0t sfwfB0hYVEBZYm/fIfYJjHyzkHTMQtIxC6FjASPzKkbZlNwq3dzEzJzi1GTd4uTEvLzUIl1z vdzMEr3UlNJNjKBgY3dR2cHY3eN9iFGAg1GJh7fCxitaiDWxrLgy9xCjJAeTkijvZSGgEF9S fkplRmJxRnxRaU5q8SFGCQ5mJRHeVeJAOd6UxMqq1KJ8mJQ0B4uSOG/uIsZoIYH0xJLU7NTU gtQimKwMB4eSBG9rGVCjYFFqempFWmZOCUKaiYMTZDgP0PA9IDW8xQWJucWZ6RD5U4zGHC8W 9Uxi5vjzfuokZiGWvPy8VClx3nqQUgGQ0ozSPLhpoIQhkb2/5hWjONBzwrxzQap4gMkGbt4r oFVMQKv0OjxBVpUkIqSkGhiVzIM3JzDcVHlXliO6Umw+S5Rrh8as+5HJu7fMMmU4tcij2u+K 12Snztkyj048inmxJD/2Ysrh2bNdNJSllSYz1QT+/O5+ja1N89/JtRPeNP1YkmKobNdnqp53 917dgtOXt/rwr5181ihqiflhpdPhq49uVFrbMuPXA5aPcdHyfn/+7jwgXLFNiaU4I9FQi7mo OBEAcYB6nvMCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/Jc2kMV4T6THBtZ0ZhyvYWre8gAw>
Subject: [radext] (belated) AD review of draft-ietf-radext-coa-proxy-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jul 2018 22:22:00 -0000
Apologies for the long delay on this one; I had written up an AD review a month or two ago but it got lost in the ether. I've tried to reconstruct my comments based on notes I made on a paper printout, so there will be a few places where I imply that I changed my mind since the initial review. I have a couple of concerns about this document that I think should be resolved before I move it into IETF Last Call: This document lists RFC 5176 and RFC 2866 as informative references, possibly so as to avoid the awkwardness of a standards-track document making a normative downreference to informational documents. I think that at least RFC 5176 should be a normative reference, since it really must be understood in order to implement this document -- after all, we even Update it! Looking back again (for the third time, actually), it's less clear that the RFC 2866 reference is actually as problematic as it seemed on first read; as there is only a single reference and it is just explaining why this document has a MUST-level requirement. I don't think there's an actual issue with making 5176 a normative reference in terms of process; we just have to call out the "downref" during IETF Last Call and then it goes on the list of approved downrefs. I also think there needs to be some more clarity in the Requirements on Visited Networks (Section 4.2), in several ways: * First off, it refers to "all the checks discussed above for proxies", which presumatly is an artifact of subsection reordering. Even if it is changed to "below", though, I'm still unclear on exactly which checks are implied -- is this just the filtering from Section 4.3.2? * Furthermore, it's unclear what it actually means to have a MUST-level requirement to do some checks that are only SHOULD-level in Section 4.3.2. * I'm also a little fuzzy on where thse requirements apply, as a "Visited Network" is kind of a fuzzy concept, and is going to potentially involve things like a network perimeter/firewall, some form of proxies, RADIUS servers, etc. -- should we say something more specific about where the actions to meet these requirements will be taken? * I don't think I followed how assuming there's a proxy between the NAS and any external proxy implied a requirement for the Visited Network to perform "all of the checks". (Maybe if what the checks were was clarified this concern would go away, though.) * The second paragraph leaves me generally confused, mostly in that it is talking about somethinf "phrased more generically in Section 4.3.2", which is my best guess for the thing that the first paragraph is trying to require. So is this whole paragraph redundant? * Why is the cryptographically-strong requirement for Operator-NAS-Identity only SHOULD and not MUST? * Is there a conflict between the "without requiring to track ... in a database" in the third paragraph, and the text for the Value field in the Operator-NAS-Identifier definition, that says "either track these tokens in a database, or [...] create tokens which can be decoded"? I also think this document should probably switch over to the RFC 8174 boilerplate instead of the RFC 2119 boilerplate, if only to save all of the IESG and the genart reviewer from having to comment about it. Somewhat editorial, but with great potential for confusion: in Section 3.3, please insert text like "The new Operator-NAS-Identifier attribute is defined as follows" before the Description/Type/etc. Also in Section 3.3, I wondered if the "in practice" clarification for using a database or self-encrypted tokens was intentionally excluding the possibility of always using the same value for the token (e.g., if there is only one NAS in the Visited Network, which is admittedly unlikely in nontrivial deployments). Some editorial comments follow. As a general comment, the RFC Editor generally likes to distinguish between "which" (inate attributes that apply to all elements of a class) and "that" (attributes that only apply to a subset of the class, and thereby specifying a new restriction on what is being discussed). I don't really have a horse in the race, but if you want to avoid getting asked about it later, you could make a pass over the document looking for them. There's a couple spots in Section 4.3.1 that would probably change from "which" to "that", if you do. In Section 1, I think the second paragraph should start with "We partially correct" given the limitation made in the third paragraph. I might also reword the third paragraph to something like "This correction is limited to the use case of CoA proxying Realm-basec proxying [...]", as it's not exactly the use case that's being limited as much as the applicability of this document. (It looks like I had originally suggested reordering the second and third paragraphs, but that doesn't make sense to me now.) In Section 2.1, fourth paragraph, it may be useful to clarify whether "The RADIUS client" applies only to the endpoint (non-proxy) client or to the client portion of all entities participating in a proxy chain along the path. In Section 2.3, "there may be a different CoA server which could accept the packet", I assume that "accept the packet" is supposed to imply "and do something useful with it"; perhaps this could be reworded to something like "successfully process the packet". Additionally, it doesn't seem accurate to say that 5176 "is silent on the topic of 'session identification attributes'", since that phrase appears ten times; it seems like we are saying that it doesn't actually tell you how to use them or what they are, but just says that they can exist (kind of like the situation for CA proxying itself). The pedant in me takes issue with "impossible" in "impossible to send CoA packets to the Visited Network", in Section 3.1 -- I assume that there are other contrived and inefficient potential solutions. s/one ore more/one or more/ in Section 3.2 In Section 3.3, third paragraph, the references to 2865 and 2866 are both Section 4.1; we should probably say both "Section 4.1 of [2865], and of Section 4.1 of [2866]. It also seems that a reference to Section 4.1 (what a coincidence!) of RFC 5580 might be in order, to note the parallelism between Operator-NAS-Identifier and Operator-Name. In Section 4.2, third paragraph, presumably the non-requirement for tracking in a database "every individual value" applies only to those values that are actually issued. (That is, I'm asking to add "issued," in "every value of Operator-NAS-Identifier issued, in a database".) In Section 4.3.2, do we want to "specifically note" or "call out" instead of just "note" that the above requirements apply to future attributes added by a proxy (as well as the ones defined here)? (This is something of a style question, so it's up to you.) Section 5.1, s/xwill/will/ In the last paragraph of Section 5.1, do we need to say that the recording is done "if present"? Section 5.2, s/disconnecte/disconnected/; s/recieve/receive/; s/fromt he/from the/ Also in Section 5.2, do we want to add "next-hop" when talking about finding "the CoA server for that realm"? And, in the last paragraph, we say "Any response from the CoA server [...]", but isn't the CoA server required to send such a response? -Ben
- [radext] (belated) AD review of draft-ietf-radext… Benjamin Kaduk
- Re: [radext] (belated) AD review of draft-ietf-ra… Alan DeKok