Re: [radext] Eric Rescorla's No Objection on draft-ietf-radext-coa-proxy-05: (with COMMENT)
Alan DeKok <aland@freeradius.org> Wed, 15 August 2018 19:52 UTC
Return-Path: <aland@freeradius.org>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45390131055; Wed, 15 Aug 2018 12:52:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w2bqaxMZWreK; Wed, 15 Aug 2018 12:51:58 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 1B4491274D0; Wed, 15 Aug 2018 12:51:58 -0700 (PDT)
Received: from [192.168.20.38] (CPEf4cc55220745-CM64777ddff610.cpe.net.cable.rogers.com [173.32.191.82]) by mail.networkradius.com (Postfix) with ESMTPSA id 749673AC; Wed, 15 Aug 2018 19:51:56 +0000 (UTC)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_1995326C-0F3C-4BD4-8B6F-CE61897BB573"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail
From: Alan DeKok <aland@freeradius.org>
In-Reply-To: <ed9fcccc-ce7b-c90b-b1cd-a4826824aa17@nostrum.com>
Date: Wed, 15 Aug 2018 15:51:54 -0400
Cc: Eric Rescorla <ekr@rtfm.com>, radext-chairs@ietf.org, radext@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-radext-coa-proxy@ietf.org, Winter Stefan <stefan.winter@restena.lu>
Message-Id: <B12A14B7-9C47-4656-87C5-06198823B5B4@freeradius.org>
References: <153434610726.14442.18102779548524907034.idtracker@ietfa.amsl.com> <885EEC1B-966C-4B97-8556-43527C051956@freeradius.org> <CABcZeBMc=YbP21C=vy+P-DRvcZfOxgMqeS_snS8JKFPkN90fuA@mail.gmail.com> <E8303036-09B5-4C4E-9BF6-9696261C0912@freeradius.org> <CABcZeBPUEH2SjBDJ+0uthqnzpWXoE+vuik17FZZ=FdJfo5MLeA@mail.gmail.com> <ed9fcccc-ce7b-c90b-b1cd-a4826824aa17@nostrum.com>
To: Adam Roach <adam@nostrum.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/McA9gBV5eOlYB1uAm7g14uQbdCQ>
Subject: Re: [radext] Eric Rescorla's No Objection on draft-ietf-radext-coa-proxy-05: (with COMMENT)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2018 19:52:01 -0000
On Aug 15, 2018, at 3:47 PM, Adam Roach <adam@nostrum.com> wrote: > > Alan -- > > Thanks for the new text. This is a nice set of improvements overall, but I still > have concerns relating to the contents of the Operator-NAS-Identifier attribute. > > --------------------------------------------------------------------------- > > §3.4: > > > Length > > > > 4 to 23. > > > > Implementations supporting this attribute MUST be able to handle > > between one (1) and thirty-two (32) octets of data. > > It seems to me that "4 to 23" needs updating here. Yes. I'll fix that. > Alternately, and this is my suggestion, remove "encrypt" entirely from this > section, replacing it with "obfuscate." Concretely: > > The second method is to obfuscate the NAS IP address using information > known locally by the Visited network; for example, by XORing it with a > bitmask. The output of that obfuscation operation is data that can be > used as the value of Operator-NAS-Identifier. On reception of a CoA > packet, the locally-known information can be used to un-obfuscate the > value of Operator-NAS-Identifier, in order to determine the actual NAS > IP address. > > Given that we've established that actual encryption isn't necessary here, this > seems easier than expanding the field to be large enough to actually encrypt > stuff. That sounds better. > --------------------------------------------------------------------------- > > §2.1: > > > In order to determing the "next hop" for a packet, the proxying > > Nit: "...determine..." Fixed. Alan DeKok.
- [radext] Eric Rescorla's No Objection on draft-ie… Eric Rescorla
- Re: [radext] Eric Rescorla's No Objection on draf… Alan DeKok
- Re: [radext] Eric Rescorla's No Objection on draf… Eric Rescorla
- Re: [radext] Eric Rescorla's No Objection on draf… Alan DeKok
- Re: [radext] Eric Rescorla's No Objection on draf… Eric Rescorla
- Re: [radext] Eric Rescorla's No Objection on draf… Adam Roach
- Re: [radext] Eric Rescorla's No Objection on draf… Alan DeKok