Re: [radext] Extended Identifiers: failure modes
Alan DeKok <aland@deployingradius.com> Fri, 15 December 2017 11:53 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E99D7126C26 for <radext@ietfa.amsl.com>; Fri, 15 Dec 2017 03:53:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OG3WeQKMjD0b for <radext@ietfa.amsl.com>; Fri, 15 Dec 2017 03:53:15 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id B311C126557 for <radext@ietf.org>; Fri, 15 Dec 2017 03:53:14 -0800 (PST)
Received: from [192.168.2.25] (198-84-205-59.cpe.teksavvy.com [198.84.205.59]) by mail.networkradius.com (Postfix) with ESMTPSA id AEA5854C; Fri, 15 Dec 2017 11:53:12 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <cec93d48-a554-ab29-3322-94830f0ffe8f@restena.lu>
Date: Fri, 15 Dec 2017 06:53:11 -0500
Cc: "radext@ietf.org" <radext@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <45DD19BE-C331-4EBA-9EB2-44630716AEB2@deployingradius.com>
References: <bf0f5d3d-333c-b871-afbf-1a59be5d5bb1@restena.lu> <cec93d48-a554-ab29-3322-94830f0ffe8f@restena.lu>
To: Winter Stefan <stefan.winter@restena.lu>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/O3E3_f_z6SAOAAE5dJQIXlpLyZI>
Subject: Re: [radext] Extended Identifiers: failure modes
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2017 11:53:17 -0000
On Dec 15, 2017, at 2:30 AM, Stefan Winter <stefan.winter@restena.lu> wrote: > If there were only one draft, I'd happily care about this after WG > adoption. But considering that there are two competing concepts where > one of the main differences is apparently on this very question, and > where the difference is rooted in the /concept/ (i.e. not easy to fix > with draft revisions later on), I believe it makes sense to highlight > this right now. I'd like to have a larger discussion of not only failure modes, but implementation issues. I really do suspect that a large part of the push-back against draft-dekok is not just the "overloading" issue, but that the failure modes and implementation issues are *described*. Whereas in draft-chen, they're not. I also suspect that once we get into details, the issues with draft-chen won't be that different from draft-dekok. > We have seen many arguments going back and forth on this topic. I'm > trying to summarise those below. > > The failure modes possible in draft-dekok > a) are always local to the client/server pair that tries to communicate > b) are harder to see during packet inspection of the request; need to > correlate request and response I would phrase that as "there's no explicit indication in the request that the new method is being used". But all you need to do is observe one response containing the Original-Request-Authenticator, and you know that the draft is being used. If there is no such attribute... it's just traditional RADIUS. And if you can't see responses, well, you have other issues. So I would label (b) here as a non-issue. > c) correction of faulty configuration requires action of administrators The draft goes through fall-back in detail. Implementations are mandated to have failure modes that are compatible with existing RADIUS. i.e. no administrator intervention is required. > The failure modes possible in draft-chen > a) possibly transpire over an arbitrary amount of proxies To be fair, most of the time the attribute "leaks", nothing bad happens. But it does seem unfriendly. > b) are easier to see in a packet inspection in the request; no need to > correlate request and response You can see the new attribute in the request. But to track packets, you'd still need to correlate requests and responses. > c) correction of faulty configuration requires interaction of all > administrators along the affected proxy chain, who are not necessarily > otherwise in direct contact It's also not clear what the failure modes or fallback behaviour is for a client/server that communicate directly with each other. > In that light, it would seem that neither of the two drafts are perfect. Anything RADIUS is far from perfect. > draft-dekok has harder debugging on the local link, draft-chen may > involve parties across "the internet" (or rather the subset of RADIUS > servers on it). In the end, the question is which failure mode is "less > difficult" to handle. Implementation issues matter, too. If implementors are left to their own devices, we will have all kinds of deployment and inter-operability issues. If we leave these discussions until *after* we've chosen a draft, then we might discover that the draft has had unseen issues all along. Alan DeKok.
- [radext] Extended Identifiers: is manual configur… Stefan Winter
- Re: [radext] Extended Identifiers: is manual conf… Alan DeKok
- Re: [radext] Extended Identifiers: is manual conf… Enke Chen
- Re: [radext] Extended Identifiers: failure modes Stefan Winter
- Re: [radext] Extended Identifiers: failure modes Alan DeKok