IETF Logo Mail Archive

Re: [radext] Proposed new charter text

Peter Deacon <peterd@iea-software.com> Mon, 23 March 2015 00:44 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF7E61A86F4 for <radext@ietfa.amsl.com>; Sun, 22 Mar 2015 17:44:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9OF92mowIa_X for <radext@ietfa.amsl.com>; Sun, 22 Mar 2015 17:44:05 -0700 (PDT)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id 2C2601A0046 for <radext@ietf.org>; Sun, 22 Mar 2015 17:44:05 -0700 (PDT)
Received: from SMURF.peterd.ws (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005964309@aspen.iea-software.com>; Sun, 22 Mar 2015 17:44:04 -0700
Date: Sun, 22 Mar 2015 17:44:10 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com>
Message-ID: <alpine.WNT.2.20.1.1503221518060.3600@SMURF>
References: <5502B836.5000100@restena.lu> <alpine.WNT.2.20.1.1503221133420.3600@SMURF> <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com>
User-Agent: Alpine 2.20.1 (WNT 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="972663056-10393-1427064572=:3600"
Content-ID: <alpine.WNT.2.20.1.1503221549410.3600@SMURF>
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/PErdE5b1rZ_5Vso2bzjMxsuwDdI>
Cc: Winter Stefan <stefan.winter@restena.lu>, "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Proposed new charter text
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 00:44:06 -0000

On Sun, 22 Mar 2015, Alan DeKok wrote:

> On Mar 22, 2015, at 3:35 PM, Peter Deacon <peterd@iea-software.com> wrote:

>> While I generally support approach and associated draft 
>> draft-dekok-radext-coa-proxy-00.txt have some concerns and would prefer 
>> to keep some prescriptive details out of the charter.

>  What exactly is the benefit of making the charter more vague?  You have 
> “some concerns”.  Well.. I would appreciate discussing those concerns 
> openly, instead of changing the charter to address unspecified issues.

My understanding this would be a new item rather than change to an 
existing WG work item currently on the charter.  Stefan solicited feedback 
and I gave it.  The CoA draft as written would certainly continue to fall 
under my proposed change.  I am aware of nothing lost by proposed text.


Concern regards intent of Operator-NAS-Identifier.

Dynamic authorization allows multiple sessions to be influenced with 
single requests.  Sufficient / required session identifying attributes 
varies between NASes and sometimes across access technologies within the 
same NAS.  There are no further constraints expressed in draft on both 
required / acceptable session identifying attributes and method of initial 
authentication proxy (realm based or other policy based)

So I'll throw the question back at you.. how the heck is this supposed to 
work?

Proxy of DM following initial realm based auth proxy:

Operator-Name
Operator-NAS-Identifier
Acct-Session-Id
NAS-IP

Proxy of DM following initial policy based auth proxy:

Operator-Name
Operator-NAS-Identifier
User-Name
NAS-IP

When the upstream proxy in a forwarding chain gets the request how is it 
supposed to know whether it is safe to pass up the chain without either 
keeping a lot of state or verifying some kind of secure stateless 
signature/token conveyed within Operator-NAS-Identifier?

Section 3.1 of the draft makes it clear Operator-NAS-Identifier is not 
just a fungible label for a generic state attribute with the "20 octets" 
language and associated removal of NAS-Identifying attributes.


I see two opportunities:

Get to working by constraining both means of authentication proxy and 
session identifying attributes.

Or you can get there by keeping state at which point the language of 
Operator-NAS-Identifier in my judgment is insufficient.  While it may 
well resolve any ambiguities as to "where" the request is going it does so 
while missing the larger problem.

> The idea has been presented at meetings going back 3-4 years, IIRC.
> The only discussion of this topic has been supportive of this approach 
> taken here.

As earlier I also support the general "idea".

regards,
Peter

v2.23.0 | Report a Bug | By Email