Re: [radext] moving forward with draft-ietf-radext-coa-proxy
Alan DeKok <aland@deployingradius.com> Tue, 13 November 2018 12:14 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9911412D4EE; Tue, 13 Nov 2018 04:14:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OjS0XzKV8UEa; Tue, 13 Nov 2018 04:14:12 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 2BEA5129619; Tue, 13 Nov 2018 04:14:12 -0800 (PST)
Received: from [192.168.46.58] (198-84-237-221.cpe.teksavvy.com [198.84.237.221]) by mail.networkradius.com (Postfix) with ESMTPSA id E369C332; Tue, 13 Nov 2018 12:14:10 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <20181112234823.GG99562@kduck.kaduk.org>
Date: Tue, 13 Nov 2018 07:14:09 -0500
Cc: draft-ietf-radext-coa-proxy.all@ietf.org, radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <650E5AB0-662D-4A9D-95A3-54C1C9CFB3B0@deployingradius.com>
References: <20181112234823.GG99562@kduck.kaduk.org>
To: Benjamin Kaduk <kaduk@MIT.EDU>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/KY0jHCWwUmIypVfa1OqJIdQUIMw>
Subject: Re: [radext] moving forward with draft-ietf-radext-coa-proxy
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Nov 2018 12:14:15 -0000
On Nov 12, 2018, at 6:48 PM, Benjamin Kaduk <kaduk@MIT.EDU> wrote: > I also plan to change the target status to Informational (from Proposed > Standard); it is a little unfortunate to need to do so, but the IESG's > discussions convinced me that this is the sort of thing that the downref > policy was intended to avoid. OK. > There were a few things in the diff between the -05 and -07 that stuck out > to me, though, and might require further changes. > > In Section 3.2, > > We also update Section 5 of [RFC5580] to permit CoA-Request and > Disconnect-Request packets to contain zero or one instances of the > Operator-Name attribute. > > is not reflected in the Updates header and would require WG confirmation > and potentially re-running the IETF LC. > (Also, 5580 is Proposed Standard, so we'd have trouble doing this update > from an Informational document.) It's somewhat unclear to me exactly what > is being Updated, too, so I'd appreciate a bit of explanation (here in the > email thread). RFC 5580 defined, Operator-Name, and Section 5 forbade Operator-Name from occurring in CoA-Request packets. So something needs to be updated in order to allow it. > Section 3.3 introduces a new normative requirement: > > Some Home Networks will not have permission to send CoA packets to > the Visited Network. The CoA server SHOULD therefore also validate > the NAI contained in the User-Name attribute. If the Home Network is > not permitted to send CoA packets to this Visited Network, then the > CoA server MUST return a NAK packet that contains an Error-Cause > attribute having value 502 ("Request Not Routable"). > > Can the chairs confirm there is WG consensus for it? I'll leave that for the chairs. My $0.02 is that it's useful to signal routing errors. Tho this specific error number may or may not be appropriate. > In Section 3.4: > > Implementations supporting this attribute MUST be able to handle > between one (1) and thirty-two (32) octets of data. > Implementations creating an Operator-NAS-Identifier MUST NOT > create attributes with more than sixty-four octets of data. A > thirty-two octet string should be more than sufficient for future > uses. > > The bump from 20 to 32 octest is fine, but now we have MUST be able to > handle 32 and MUST NOT generate more than 64, which are different numbers. > (In the -05 the numbers were both 20.) Where did the 64 come from? IIRC, Adam Roaches discussion of creating tokens using modern ciphers. 64 bytes would be needed for that to occur. > Section 4.2 introduces a new normative requirement: > > The Visited Network MUST also ensure that the CoA packet sent to the > NAS contains one of the following attributes: NAS-IP-Address, NAS- > IPv6-Address, or NAS-Identifier. This step is the inverse of the > removal required above in Section 3.4. > > First off, is this "at least one" or "exactly one"? At least one. > And the same question of WG consensus applies. WG consensus is nice, but that text is required in order for this specification to be compatible with RFC 5176, and with NAS implementations. Failure to include *any* of those attributes in a CoA packet means that the NAS will reject the packet entirely. Alan DeKok.
- [radext] moving forward with draft-ietf-radext-co… Benjamin Kaduk
- Re: [radext] moving forward with draft-ietf-radex… Alan DeKok
- Re: [radext] moving forward with draft-ietf-radex… Benjamin Kaduk