Re: [radext] [netmod] Comment on draft-ietf-netmod-system-mgmt-05
Martin Bjorklund <mbj@tail-f.com> Tue, 09 April 2013 19:25 UTC
Return-Path: <mbj@tail-f.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDE7321F989A; Tue, 9 Apr 2013 12:25:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.846
X-Spam-Level:
X-Spam-Status: No, score=-0.846 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_64=0.6, J_CHICKENPOX_65=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IhZ7fb+pjupH; Tue, 9 Apr 2013 12:25:15 -0700 (PDT)
Received: from mail.tail-f.com (de-2007.d.ipeer.se [213.180.74.102]) by ietfa.amsl.com (Postfix) with ESMTP id 97BB021F98C2; Tue, 9 Apr 2013 12:25:14 -0700 (PDT)
Received: from localhost (c213-100-166-57.cust.tele2.se [213.100.166.57]) by mail.tail-f.com (Postfix) with ESMTPSA id 6372F1200A35; Tue, 9 Apr 2013 21:25:13 +0200 (CEST)
Date: Tue, 09 Apr 2013 21:25:12 +0200
Message-Id: <20130409.212512.301591899.mbj@tail-f.com>
To: andy@yumaworks.com
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <CABCOCHTDveoHav4sNJMJN-3DPy_AnB5UVxje68639vicaP9Wmw@mail.gmail.com>
References: <97FEA158-451F-4F48-85B3-5763A6026A8F@gmail.com> <CABCOCHTDveoHav4sNJMJN-3DPy_AnB5UVxje68639vicaP9Wmw@mail.gmail.com>
X-Mailer: Mew version 6.5rc2 on Emacs 23.4 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Tue, 09 Apr 2013 23:23:06 -0700
Cc: radext@ietf.org, jouni.nospam@gmail.com, netmod@ietf.org
Subject: Re: [radext] [netmod] Comment on draft-ietf-netmod-system-mgmt-05
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2013 19:25:16 -0000
Andy Bierman <andy@yumaworks.com> wrote: > On Tue, Apr 9, 2013 at 5:32 AM, Jouni Korhonen <jouni.nospam@gmail.com> wrote: > > Folks, > > > > AAA-Doctors track on all documents that specify something that > > relates to AAA protocols (RADIUS/Diameter). In that light we > > also occasionally provide some early comments before the I-Ds > > from other WGs enter IETF LC. > > > > Section 3.4 of draft-ietf-netmod-system-mgmt-05 defines a data > > model for the configuration of the RADIUS client. Has the WG > > considered additional transports for RADIUS than the original > > UDP? RADEXT has defined TCP (RFC6613), TLS (RFC6614) and is > > about to complete DTLS (draft-ietf-radext-dtls-04). There are > > implementations already out in the field. I would envision > > different transports would have an impact to the data model > > (transport type, possible TLS cipher details and credentials, > > etc). Or is there a particular reason for not taking alternative > > transports into account? > > > > thanks for the review. > How would you suggest adding this support? > The radius feature (page 12) references RFC 2865. > > If the transport is something the server developer picks, > then perhaps updating the description and reference > statements for this feature is sufficient. > > If the transport is something the operator picks, > then it gets more complicated. E.g., > - add a config=false leaf or leaf-list identifying the transports > supported by the server > - add a config=true leaf to the radius/server list (page 21) > specifying the transport for the server to use > - add new identity statements for the standard transports I think what is needed is more flexibility in the radius server list (note that we only provide client-side configuration; so in the client config we list the servers the client can talk to). Something like this: container radius { list server { key name; ordered-by user; leaf name { type string; // arbitrary name } leaf address { type inet:host; mandatory true; } choice transport { case udp { container udp { leaf authentication-port { ... } leaf shared-secret { ... } } case tcp { container tcp { leaf authentication-port { ... } // RFC 6613 section 2.6.7 talks about config parameters // maybe include them here? } } case tls { leaf port { ... } // what else...? } } } ... } Note that this is an extensible model; other transports can be added or augmented into this structure. One option could be to restructure like this but only actually define the udp case above, and leave the rest (tcp, tls, dtls) for future work. /martin
- [radext] Comment on draft-ietf-netmod-system-mgmt… Jouni Korhonen
- Re: [radext] [netmod] Comment on draft-ietf-netmo… Andy Bierman
- Re: [radext] [netmod] Comment on draft-ietf-netmo… Martin Bjorklund
- Re: [radext] [netmod] Comment on draft-ietf-netmo… Jouni Korhonen
- Re: [radext] [netmod] Comment on draft-ietf-netmo… Andy Bierman