Re: [radext] Extended IDs

Alexander Clouter <alex+radext@digriz.org.uk> Fri, 15 December 2017 14:22 UTC

Date: Fri, 15 Dec 2017 14:22:31 +0000
From: Alexander Clouter <alex+radext@digriz.org.uk>
To: radext@ietf.org
Message-ID: <20171215142231.rtwmryojskykwxj6@quatermain.digriz.org.uk>
In-Reply-To: <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/NchVC0YQuI8pghP9wFQWTopJ4sE>
Subject: Re: [radext] Extended IDs

> This email starts a two week call for adoption of at most one of the
> following two drafts:
>
> * draft-chen-radext-identifier-attr-02
> * draft-dekok-radext-request-authenticator-02
>
> Since the two drafts treat the same topic, at most one can be selected
> to serve as the basis for future work.

My post-deadline £0.02...

Though on everyone's lips is extending the ID, I would disagree that the drafts
cover the same topic and that draft-dekok only solves this problem indirectly.

draft-dekok covers a real problem, not considered by draft-chen, on how to 
handle late responses to authentications where the ID collides; this is 
something that should be firmed up.  Firming up with draft-dekok happens to 
mean there is no need to also push ahead with draft-chen.  Pushing with 
draft-chen still leaves everyone with this ambiguity around ID collisions.

I do not perceive anything to indicate that draft-chen is easier to reason 
about than draft-dekok; they strike me as in effect identical, as both return a 
special attribute in the *response*.

The request packet, though, is less interesting, and for me it is irrelevant 
where the extra entropy appears from.  From an implementation perspective the 
difficulty exists at the NAS/proxy rather than the server.  The impact of doing 
duplicate work at the server is negligible compared to a NAS/proxy not being 
able to reconcile replies to their requests.

In regards to the draft itself, draft-chen looks straightforward, but having 
had the unsavoury experience of implementing a specification that states only 
the 'what' rather than the 'why' or 'how' (TACACS, I am looking at you...), I 
find it hard to rally behind something I am hesitant to believe is as simple as 
it looks.

draft-chen reads as "this is what is baked into an existing codebase" with no 
information on the 'what if' or detailing any edge cases the implementers 
experienced.

I need to know about problems and caveats I need to know about; I do not need 
to know how to clone an existing implementation, I have tcpdump for that :)

...draft-dekok gets my, no doubt too late for consideration, vote.
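The ID-collision ambiguity discussed above, as an added Python model that is not code from either draft or from the author of this mail: a NAS/proxy has reissued an 8-bit Identifier after a timeout and then receives the server's late reply for the first request. The classic client keeps one outstanding request per Identifier and cannot reconcile the late reply; a client that indexes on a Request Authenticator echoed back in a response attribute (the "special attribute in the response" the mail refers to) reconciles both. The attribute type 255, the shared secret and the request labels are constructed placeholders; the Response Authenticator computation follows RFC 2865.

```python
import hashlib
import os
import struct

SECRET = b"constructed-shared-secret"  # constructed value, not a real deployment secret
ATTR_ECHO = 255  # placeholder attribute type echoing the Request Authenticator (assumption)

def resp_auth(code, ident, attrs, req_auth):
    # RFC 2865 Response Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + req_auth + attrs + SECRET).digest()

def make_request(ident, label):
    return {"id": ident, "auth": os.urandom(16), "label": label}

def server_reply(req, echo):
    # Access-Accept (code 2); with echo=True the server returns the Request Authenticator in an attribute
    attrs = struct.pack("!BB", ATTR_ECHO, 18) + req["auth"] if echo else b""
    return {"code": 2, "id": req["id"], "attrs": attrs,
            "auth": resp_auth(2, req["id"], attrs, req["auth"])}

def verify(reply, req):
    return resp_auth(reply["code"], reply["id"], reply["attrs"], req["auth"]) == reply["auth"]

def match_by_id(pending, reply):
    # Classic NAS/proxy: one outstanding request per 8-bit Identifier
    req = pending.get(reply["id"])
    return req["label"] if req and verify(reply, req) else None

def match_by_echo(pending, reply):
    # Index on the echoed 16-byte Request Authenticator; the Identifier plays no role
    a = reply["attrs"]
    req = pending.get(a[2:18]) if len(a) >= 18 and a[0] == ATTR_ECHO else None
    return req["label"] if req and verify(reply, req) else None

def scenario(echo):
    # alice's request times out at the client, Identifier 7 is reissued for bob,
    # then the server's late reply for alice arrives before bob's reply.
    alice = make_request(7, "alice")
    bob = make_request(7, "bob")
    late_alice, fresh_bob = server_reply(alice, echo), server_reply(bob, echo)
    if echo:
        pending = {alice["auth"]: alice, bob["auth"]: bob}  # both fit: the key is not the ID
        return [match_by_echo(pending, late_alice), match_by_echo(pending, fresh_bob)]
    pending = {bob["id"]: bob}  # alice's slot was overwritten when ID 7 was reissued
    return [match_by_id(pending, late_alice), match_by_id(pending, fresh_bob)]

if __name__ == "__main__":
    print(scenario(False))  # [None, 'bob']: alice's late reply cannot be reconciled
    print(scenario(True))   # ['alice', 'bob']
```

Without the echoed attribute the late reply fails the Response Authenticator check against the wrong request and is dropped, so the server's answer to the first authentication is lost even though it was sent.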