IETF Logo Mail Archive

Re: [radext] New WGLC for RADIUSv11

Matthew Newton <matthew-ietf@newtoncomputing.co.uk> Thu, 07 March 2024 21:39 UTC

Return-Path: <matthew-ietf@newtoncomputing.co.uk>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA736C14F6BC for <radext@ietfa.amsl.com>; Thu, 7 Mar 2024 13:39:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=newtoncomputing.co.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2NYZ5ei5RpLn for <radext@ietfa.amsl.com>; Thu, 7 Mar 2024 13:39:51 -0800 (PST)
Received: from mail.newtoncomputing.co.uk (mail.newtoncomputing.co.uk [IPv6:2001:8b0:b2:1::140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F423C14F697 for <radext@ietf.org>; Thu, 7 Mar 2024 13:39:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=newtoncomputing.co.uk; s=feb2010; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:From:References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=X9tyl3NgKfgcV3GRMmjyCGuc7i7pH4dBarUCafLTZaU=; b=FO9m+Gwf8DNL0PmnI7vpN5JKJd gwalqo7nWF4Xa4Jn7OfGIMjMAmsKeEHVT5dZ+c2f3LXDG6p9cxkQcod01FrtR6rQjfiYN8n9Qv84B utyjefteKcYhw63/eOpLwYGJ43XSbUM6U1UuG1iIsOjIEG7JD60Ab2XDqEjUvCKsvVW0=;
Received: from [2001:8b0:b2:1:d9f6:ab88:c16d:f68b] by mail.newtoncomputing.co.uk with esmtpsa (Exim 4.92 #3 (Debian)) id 1riLSq-0002hK-Gw; Thu, 07 Mar 2024 21:39:44 +0000
Message-ID: <821d42cf-2bab-40f5-8ca1-c273576de6e5@newtoncomputing.co.uk>
Date: Thu, 07 Mar 2024 21:39:42 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Alan DeKok <aland@deployingradius.com>
Cc: radext@ietf.org
References: <A9DCF202-6963-4069-A9F1-7F79860FF405@gmail.com> <50dba6a8-9f9c-43aa-9e97-79c72e68f796@newtoncomputing.co.uk> <9D812B30-4036-4F0F-9F96-60304A935B54@deployingradius.com>
Content-Language: en-GB
From: Matthew Newton <matthew-ietf@newtoncomputing.co.uk>
In-Reply-To: <9D812B30-4036-4F0F-9F96-60304A935B54@deployingradius.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-NC-Fw-Sig: d28eb7783fcaa8a96965cdcb17b1e1fe matthew-ietf@newtoncomputing.co.uk
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/KotIbLDU49iyMJFAh0locnVkr1M>
Subject: Re: [radext] New WGLC for RADIUSv11
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Mar 2024 21:39:55 -0000

On 07/03/2024 19:57, Alan DeKok wrote:
> On Mar 7, 2024, at 10:29 AM, Matthew Newton <matthew-ietf@newtoncomputing.co.uk> wrote:
>> ("signaling" rather than "signalling" throughout the document grates rather, but I suspect those over the pond would disagree!)
> 
>    It is definitely a point of concern, albeit a minor one.

:)

>> This paragraph is not clear to me. I think it is trying to say that multiple Codes are permitted per connection, but the Token is unique on that connection connection (e.g. you can NOT have an Access-Request with Token A and an Accounting-Request with the same Token A). However the last sentence seems to say that an implementation sending both Access-Requests and Accounting-Requests on the same connection is not permitted.
> 
>    The first part of that is right.  But the second part isn't.  An implementation can send multiple codes over the same connection. It cannot use the same Token value for two different Codes.

OK yes agreed, that was my understanding.

>    How about this:
> 
> In contrast, the Token field MUST be managed solely on a per-connection basis, independent of any packet Code.  An implementation can, for example, send both an Access-Request and an Accounting-Request over one connection at the same time, but those two packets MUST use different values for the Token field.  That is, the method for generating new Token values MUST be independent of the packet Code.
> 
> Systems generating the Token can do so via any method they choose.  For simplicity, it is RECOMMENDED that the Token values be generated from a 32-bit counter which is unique to each connection.  Such a counter SHOULD be initialized to a random value, taken from a random number generator, whenever a new connection is opened.  The counter can then be incremented for every new packet that the client sends.  This method ensures that the Tokens are unique, and are also independent of any packet Code.

That works for me, it's much clearer.

With those updates, I SUPPORT publication.

Thanks,

-- 
Matthew

v2.23.0 | Report a Bug | By Email