IETF Logo Mail Archive

Re: [radext] Proposed new charter text

Alan DeKok <aland@deployingradius.com> Tue, 24 March 2015 11:59 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88D8F1B2E82 for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 04:59:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id avciKS638aDF for <radext@ietfa.amsl.com>; Tue, 24 Mar 2015 04:59:51 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [195.154.231.44]) by ietfa.amsl.com (Postfix) with ESMTP id 458631B2E80 for <radext@ietf.org>; Tue, 24 Mar 2015 04:59:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 96EF522404DA; Tue, 24 Mar 2015 12:59:20 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F7frmKvcSMM6; Tue, 24 Mar 2015 12:59:19 +0100 (CET)
Received: from dhcp-943f.meeting.ietf.org (dhcp-943f.meeting.ietf.org [31.133.148.63]) by power.freeradius.org (Postfix) with ESMTPSA id 887A422403D4; Tue, 24 Mar 2015 12:59:18 +0100 (CET)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <tsl4mpbb8r6.fsf@mit.edu>
Date: Tue, 24 Mar 2015 06:59:16 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <6C5BFB5E-133B-4D3A-AB80-81D1C0F9AE38@deployingradius.com>
References: <5502B836.5000100@restena.lu> <alpine.WNT.2.20.1.1503221133420.3600@SMURF> <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com> <alpine.WNT.2.20.1.1503221518060.3600@SMURF> <2DB68EA1-97A6-4263-9E7F-9BD24B567C7A@deployingradius.com> <alpine.WNT.2.20.1.1503221852040.3600@SMURF> <5FA970CC-2E05-4EFC-8AE6-840D334B28E4@deployingradius.com> <alpine.WNT.2.20.1.1503230923000.3600@SMURF> <1A6EF1EA-3412-4AAA-9646-3FD18EC0C4E4@deployingradius.com> <tsl4mpbb8r6.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/M2Ss38e9ULAQ4L5U3IiB3drcWtI>
Cc: radext@ietf.org, Peter Deacon <peterd@iea-software.com>
Subject: Re: [radext] Proposed new charter text
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 11:59:52 -0000

On Mar 23, 2015, at 6:21 PM, Sam Hartman <hartmans@painless-security.com> wrote:
> I think solving this requirement would be necessary for moving COA to
> the standards track or removing the health warning in 5176.

  I agree.

  Let’s say that each proxy selectively forwards CoA packets based on it’s knowledge of the user sessions.  This means that every proxy has to maintain information on every user session, which is untenable.

  Or maybe the sessions contain some kind of state that the proxy can cryptographically verify.  That means sharing the cryptographic keys with all proxies, which is also untenable.

  In the end, I don’t see this as a session state problem.  It’s a routing problem.  For a situation Visited -> Proxy -> Home, packets are usually forwarded based on User-Name, and realm.  When the Home server wants to disconnect a user, it typically sends User-Name as part of the session identification attributes.  So all that’s needed is for the proxy to look up that realm.

  i.e. the algorithm is this:

forwarding proxy: receive packet with User-Name, look up realm, and forward packet to that realm.

CoA proxy: receive packet with Operator-Name and User-Name.  Look up realm from *User-Name*.  If the source of the packet does not match a known destination for that realm, then drop the packet as being non-compliant.  Otherwise, look up realm from *Operator-Name*, and forward the CoA packet there.

  This solution does have limitations.  It requires that the forwarding path contain information about CoA clients.  It requires that proxying is done on User-Name.

  However, I think that those restrictions are reasonable.  All of the cross-organization roaming I’m aware of is done via User-Name, so this solution imposes no operational changes on current systems.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email