Re: [radext] Proposed new charter text
Peter Deacon <peterd@iea-software.com> Mon, 23 March 2015 00:44 UTC
Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF7E61A86F4 for <radext@ietfa.amsl.com>; Sun, 22 Mar 2015 17:44:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9OF92mowIa_X for <radext@ietfa.amsl.com>; Sun, 22 Mar 2015 17:44:05 -0700 (PDT)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id 2C2601A0046 for <radext@ietf.org>; Sun, 22 Mar 2015 17:44:05 -0700 (PDT)
Received: from SMURF.peterd.ws (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005964309@aspen.iea-software.com>; Sun, 22 Mar 2015 17:44:04 -0700
Date: Sun, 22 Mar 2015 17:44:10 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com>
Message-ID: <alpine.WNT.2.20.1.1503221518060.3600@SMURF>
References: <5502B836.5000100@restena.lu> <alpine.WNT.2.20.1.1503221133420.3600@SMURF> <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com>
User-Agent: Alpine 2.20.1 (WNT 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="972663056-10393-1427064572=:3600"
Content-ID: <alpine.WNT.2.20.1.1503221549410.3600@SMURF>
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/PErdE5b1rZ_5Vso2bzjMxsuwDdI>
Cc: Winter Stefan <stefan.winter@restena.lu>, "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Proposed new charter text
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 00:44:06 -0000
On Sun, 22 Mar 2015, Alan DeKok wrote: > On Mar 22, 2015, at 3:35 PM, Peter Deacon <peterd@iea-software.com> wrote: >> While I generally support approach and associated draft >> draft-dekok-radext-coa-proxy-00.txt have some concerns and would prefer >> to keep some prescriptive details out of the charter. > What exactly is the benefit of making the charter more vague? You have > “some concerns”. Well.. I would appreciate discussing those concerns > openly, instead of changing the charter to address unspecified issues. My understanding this would be a new item rather than change to an existing WG work item currently on the charter. Stefan solicited feedback and I gave it. The CoA draft as written would certainly continue to fall under my proposed change. I am aware of nothing lost by proposed text. Concern regards intent of Operator-NAS-Identifier. Dynamic authorization allows multiple sessions to be influenced with single requests. Sufficient / required session identifying attributes varies between NASes and sometimes across access technologies within the same NAS. There are no further constraints expressed in draft on both required / acceptable session identifying attributes and method of initial authentication proxy (realm based or other policy based) So I'll throw the question back at you.. how the heck is this supposed to work? Proxy of DM following initial realm based auth proxy: Operator-Name Operator-NAS-Identifier Acct-Session-Id NAS-IP Proxy of DM following initial policy based auth proxy: Operator-Name Operator-NAS-Identifier User-Name NAS-IP When the upstream proxy in a forwarding chain gets the request how is it supposed to know whether it is safe to pass up the chain without either keeping a lot of state or verifying some kind of secure stateless signature/token conveyed within Operator-NAS-Identifier? Section 3.1 of the draft makes it clear Operator-NAS-Identifier is not just a fungible label for a generic state attribute with the "20 octets" language and associated removal of NAS-Identifying attributes. I see two opportunities: Get to working by constraining both means of authentication proxy and session identifying attributes. Or you can get there by keeping state at which point the language of Operator-NAS-Identifier in my judgment is insufficient. While it may well resolve any ambiguities as to "where" the request is going it does so while missing the larger problem. > The idea has been presented at meetings going back 3-4 years, IIRC. > The only discussion of this topic has been supportive of this approach > taken here. As earlier I also support the general "idea". regards, Peter
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Sam Hartman
- Re: [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Sam Hartman
- Re: [radext] Secure COA Sam Hartman
- Re: [radext] Secure COA Alan DeKok
- Re: [radext] Secure COA Sam Hartman
- Re: [radext] Proposed new charter text Peter Deacon
- [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Stefan Winter