Re: [radext] WGLC for draft-ietf-radext-bigger-packets-01

Alan DeKok <aland@deployingradius.com> Wed, 22 October 2014 14:27 UTC

Message-ID: <5447BEA3.60805@deployingradius.com>
Date: Wed, 22 Oct 2014 10:26:43 -0400
From: Alan DeKok <aland@deployingradius.com>
To: Jouni Korhonen <jouni.nospam@gmail.com>
References: <54476510.10903@gmail.com>
In-Reply-To: <54476510.10903@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/QlBk-PgzQHe4NKkLZSdpedLUzps
Cc: "radext@ietf.org" <radext@ietf.org>, Stefan Winter <stefan.winter@restena.lu>, Sam Hartman <hartmans@painless-security.com>
Subject: Re: [radext] WGLC for draft-ietf-radext-bigger-packets-01

Jouni Korhonen wrote:
> This email starts a two week WGLC for the I-D:
> draft-ietf-radext-bigger-packets-01
> 
> Voice your support, comments and concerns on the list. The WGLC ends 5th
> November EOB (EEST). In the case of issues or other enhancement
> proposals, please enter them also into the issue tracker.

  It needs some clarification around the response packet code.  Sorry
for not doing this review earlier.  I'll open some issues.



  Editorial nits:

 The maximum packet length of 4096 octets is proving
 insufficient for ...

  That could be "is proving TO BE insufficient ..."

  Implementation notes:

FreeRADIUS supports TCP, and silently discards packets over 4K octets.
This limit isn't configurable, but could be with minimal work.  This
applies to both server and proxy.


  Technical comments:

* Section 5 defines the Response-Length attribute, but doesn't use the
typical RADIUS specification format, with ASCII art, etc.  This means
it's not clear how many octets the attribute takes.

  I suggest stating explicitly that it's of type "integer", as defined
in RFC 2865, Section 5.

* I'm of two minds about the "Too-Big" packet code.  It's useful, but it
may be better to change this to a generic "Protocol-Error" type, and
include an Error-Cause attribute, with value "Too-Big".

  That would allow the same packet code to be used in other situations.

* The document doesn't say how the "Too-Big" packet is created or
signed.  The rules for signing packets are different for Access-Accept
and Accounting-Request packets.  Which ones are used for "Too-Big"?

* What happens when a TCP socket contains both Access-Request and
Accounting-Request packets?

  i.e. it is possible to have Access-Request of ID 1 and
Accounting-Request of ID 1 sent over a TCP socket at the same time.

  If the client receives a "Too-Big" attribute of ID 1, which packet is
it for?  Does it matter?

  How does a client match the Too-Big attribute to incoming packets?
These rules aren't clear.  It's also not clear if they can be resolved
in a reasonable amount of time.


  Perhaps one way to solve this issue is to define a "Protocol-Error"
packet, and a Protocol-Error-Ack packet.  The server would send one over
the TCP socket to the client, and the client would ACK it.  The packet
signing rules could be the same as for Accounting-Request.

  This change would make TCP sockets "two-way", in that servers would be
sending messages to clients.  But I think that's fine...

  Clients could then use the same packet to send protocol error messages
to servers.

  A Protocol-Error packet could then contain an Error-Cause attribute
with value "Packet-Too-Big", and a Response-Length of the allowed
response length.  It would then be up to the receiver of the packet to
change its behavior.

  This also means that the receiver of Protocol-Error can't tell *which*
packet caused the problem.  But that might be fine.
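
Added example, not part of the original message and not code from the draft or from FreeRADIUS: a sketch of the ID-matching and signing questions raised above, using the authenticator formulas from RFC 2865 and RFC 2866. The packet code 250, the attribute type 200, the shared secret and the request authenticators are constructed placeholders, and ClientSocket is a hypothetical helper.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 4, 5
TOO_BIG, RESPONSE_LENGTH = 250, 200  # placeholders, not values from the draft
# Request code that each standard reply code answers (RFC 2865, RFC 2866).
REPLY_TO = {ACCESS_ACCEPT: ACCESS_REQUEST, ACCOUNTING_RESPONSE: ACCOUNTING_REQUEST}

def authenticator(code, ident, attrs, secret, request_auth=None):
    """MD5(Code+ID+Length+seed+attributes+secret); seed is 16 zero octets for the
    Accounting-Request rule, or the Request Authenticator for the reply rule."""
    seed = b"\x00" * 16 if request_auth is None else request_auth
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + seed + attrs + secret).digest()

class ClientSocket:  # hypothetical: requests outstanding on one TCP connection
    def __init__(self):
        self.pending = {}  # (request code, ID) -> Request Authenticator

    def sent(self, code, ident, request_auth):
        self.pending[(code, ident)] = request_auth

    def candidates(self, reply_code, ident):
        """Pending requests that a reply with this code and ID could answer."""
        if reply_code in REPLY_TO:
            return [k for k in [(REPLY_TO[reply_code], ident)] if k in self.pending]
        return sorted(k for k in self.pending if k[1] == ident)  # ID is all we have

    def verified(self, reply_code, ident, attrs, auth, secret, bound=True):
        """Candidates for which the signature checks out. bound=True seeds with each
        candidate's Request Authenticator; bound=False seeds with 16 zero octets."""
        return [k for k in self.candidates(reply_code, ident)
                if authenticator(reply_code, ident, attrs, secret,
                                 self.pending[k] if bound else None) == auth]

def demo():
    secret = b"constructed-shared-secret"
    attrs = struct.pack("!BBI", RESPONSE_LENGTH, 6, 4096)  # "integer": 4-octet value
    sock = ClientSocket()
    sock.sent(ACCESS_REQUEST, 1, bytes(range(16)))  # constructed authenticator
    acct = authenticator(ACCOUNTING_REQUEST, 1, b"", secret)
    sock.sent(ACCOUNTING_REQUEST, 1, acct)
    reply_rule = authenticator(TOO_BIG, 1, attrs, secret, acct)  # bound to the acct request
    zero_rule = authenticator(TOO_BIG, 1, attrs, secret)         # request-independent
    return (sock.candidates(ACCESS_ACCEPT, 1), sock.candidates(TOO_BIG, 1),
            sock.verified(TOO_BIG, 1, attrs, reply_rule, secret),
            sock.verified(TOO_BIG, 1, attrs, zero_rule, secret, bound=False))

if __name__ == "__main__":
    print(demo())
```

Under the reply rule the client can only attribute the packet by trying every pending Request Authenticator with that ID; under the Accounting-Request rule the packet authenticates but both requests with ID 1 remain candidates.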