[radext] Re: New I-D: draft-seralathan-radext-persistent-devid-00
Alexander Clouter <alex+ietf@coremem.com> Tue, 02 June 2026 10:57 UTC
Return-Path: <alex+ietf@coremem.com>
X-Original-To: radext@mail2.ietf.org
Delivered-To: radext@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C1FB8F9284B6 for <radext@mail2.ietf.org>; Tue, 2 Jun 2026 03:57:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780397847; bh=x17xOTX9XXEsm5L9LrKHZ2HkNDbEVmuZFq1lwZH68eM=; h=Date:From:To:Cc:In-Reply-To:References:Subject; b=LjGJ/3xYVZhkFwgCLztsJpVW+VSDmmFFLeQ3RZz7eRpnMCAt929tck7la9opv7T2U iS2/9BSZL1UZIaasK5l9hAxUWrT6wH2lP6LAJmowD1vfMBr/bOrjSAgvuJMXpUJ5qc q7eFQSSqEL5dDAbRBIYSPUZ9JUd26G7EKxB7UlL8=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="kRUvsx72"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="C3njLhpK"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kXmOl3oZQsw9 for <radext@mail2.ietf.org>; Tue, 2 Jun 2026 03:57:27 -0700 (PDT)
Received: from fout-b7-smtp.messagingengine.com (fout-b7-smtp.messagingengine.com [202.12.124.150]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 2EE9BF9284AC for <radext@ietf.org>; Tue, 2 Jun 2026 03:57:27 -0700 (PDT)
Received: from phl-compute-12.internal (phl-compute-12.internal [10.202.2.52]) by mailfout.stl.internal (Postfix) with ESMTP id 9A8071D00072; Tue, 2 Jun 2026 06:57:21 -0400 (EDT)
Received: from phl-imap-10 ([10.202.2.85]) by phl-compute-12.internal (MEProxy); Tue, 02 Jun 2026 06:57:21 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm3; t=1780397841; x=1780484241; bh=knJhRzn/FLiDxizi0SoaULe4GVGrdtlwju/z2BGBqlg=; b= kRUvsx72poJzcMA9pYPssGgRvMPiGTucPVBm0oS7pREFXIMi7EW7VYE2SQy6hJeO 7uYXEE0+QSZQdgMh42+fUPZR7nLZwbE+4BOTCnrm1ZQDELQTmsm4ZgFPvf3aulhb jk2La2sp+0YQ8bHpAdezxDPIdEVvVIKiukzFO3u9gMYIiXMPv5N1xVjWPGdIMsWR MYtFNxUNGir6zVEAN3yrrp+vzMQCtdUM3EDN5+HFkrrbrfN8SoeLe7tOTTooOBDP Mrm7YpzHIzNxlVIpr5IE9K0/sUgzxqhvPKOat09EqvaIHysIG8ithcihzoxXaz+c SUdYFvLPFkoNaW8Thyu6sw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1780397841; x= 1780484241; bh=knJhRzn/FLiDxizi0SoaULe4GVGrdtlwju/z2BGBqlg=; b=C 3njLhpKESKcKLs+OJFHQuzOSebhGmlIJ46M5kpbNse/UQmsK3tce/RlDnCyOgFuf zDmD0B8b3jwhGBoEB+a5lVobWvNCLh/bK3PzCeKKhv3N0l17c1XuAWKWa4XmlCdL SM6aO6MwSwUQ/kh8jas2+U3PFLDEKi+UIyCCQ9ZlCvqnCsfTz5TX/yHanF7avCJj TmC2Pmp8Anq+NArZfKvem2KXAvZpEyBYdx4SlDrEzhPm4fBVR8is2TnuVHER7paP zJcIWFaB/IWsDF1P72/OKwFa8dcic1sb6FRXs4r4ZKIcFbtS26BsV2oLeQY9z27q fG9eFQUyJbQDhltD7MiIg==
X-ME-Sender: <xms:ELceamVw_Zbeo2Mh_g_TJfhxJj_O7eKk3ee-rtqOyJVLMuY9Xi-6sg> <xme:ELceatZsjgt-vk_VQXa_-b3sgpwIh-Wkg8OJPT4pQzHNoOQQDYmbKPPdUuTQblmMN FcL5rgOkjdR3IG8VCeDfWKDAyFUSV_AN_5dqdksBB0PYAZ4dIj4nw>
X-ME-Proxy-Cause: dmFkZTF11rgo5+wuyFd8YKWPOzgiKdNq3MoibVIP5fcvWd+0Bd/NDNF2dBaoPx0JZqt1Ih nR5avl86i9JzfWSw9VfGNwewj9/lkHG8c5RA6VzVsjH5i85NWixbw66UivTntuw+wwY1qy CimOhNPNnvhzNgfYsLIUiATxx197Q6J4dVhu1Ws3ohelIPVTZb+4QHAZWt/wFI3Y4G89/O ItuUtGB5dNoFcWOJwHgNMz19oioFZ/c2Tx+tS9pGlqafHe9FrtsRCChH91z2AAEhywp9tI AOOrcdKF9haBa2UXkfpNVTAHfJtu1F1p2WWWFo7PYl5cGalBpZ5kjzuDJwRiDvPXuWDQei d9lMN6DbNW6l1ZLo6jqRp1YQ5gvPVdF1uN8sHSE+B83PFQKuri7L4uzTyCZjCT95ToNjdV 928Uk+6wvuiiyooMDxPJMsVuY2aa00MFHcsbjMO2DCpXNCWHRkxQi+vVSS6KGgzl7LfxU0 PTXEZ06OIZmPhhdPfhZnY+u2RLv/EZbJPsEIyjtGfQ0Tfit+B1odyn9HhgRRFeP+87LwIa E/f1Tiic9CDJOrIkeE13VgPi5cBhXLd1dEgQVyIGOFIt/mLt+8QdIlMtZvrKoFDrIT5ZPB kQ0mSAmF4CqLI2hPvn69DO4P2seajPjCEn7HhauzIqrmcFXLrlfjKrxfbylQ
X-ME-Proxy: <xmx:ELceatRrYWRDoD9GcVz0gc1IGjgxveMkfczRrJ0-tVEfNC39YER72Q> <xmx:ELceaujklWzFENULwEtqx8uDOFLPinLr_jXJKabH1zRD6WAtMJR9-Q> <xmx:ELceal5ivIcqTSo5EFqcNbjm5MkO2m9wa8QPwl9E8XovYHa_X6_e6w> <xmx:ELceajDXz0i-kWnDSuHMYEud-Of1076xRBZ3315mfCcrVlNsEHi0YQ> <xmx:Ebceal6yrPa5otGXl-fOt1fDlrDERVGCr81FuwmjewtkYM4Fqfp3EGRL>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id 8CEBB216008A; Tue, 2 Jun 2026 06:57:20 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: AphdW0kk-S67
Date: Tue, 02 Jun 2026 11:57:00 +0100
From: Alexander Clouter <alex+ietf@coremem.com>
To: "Premanand Seralathan (pseralat)" <pseralat=40cisco.com@dmarc.ietf.org>
Message-Id: <cca09fd4-7aeb-4af1-bbb0-bedd190a42e5@app.fastmail.com>
In-Reply-To: <BN8PR11MB3762DB90B15DD7FAA600102CCC122@BN8PR11MB3762.namprd11.prod.outlook.com>
References: <BYAPR11MB37689273BC46B447843F3516CC352@BYAPR11MB3768.namprd11.prod.outlook.com> <C035972D-A954-4449-B1AA-194C7954F27B@inkbridge.io> <BYAPR11MB3768995A3F905845409EF032CC0B2@BYAPR11MB3768.namprd11.prod.outlook.com> <4C8F2356-BE1F-43AC-AC9A-3AAAE136D906@inkbridge.io> <861b4431-a032-40ac-8d2b-a0b2c8ef33ee@app.fastmail.com> <92499196-F354-47B7-91EF-30F98CA2C80E@inkbridge.io> <BN8PR11MB3762DB90B15DD7FAA600102CCC122@BN8PR11MB3762.namprd11.prod.outlook.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Message-ID-Hash: GAEK3UE4BYHU7QS5OOGQZXSMQJHWVWSP
X-Message-ID-Hash: GAEK3UE4BYHU7QS5OOGQZXSMQJHWVWSP
X-MailFrom: alex+ietf@coremem.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "radext@ietf.org" <radext@ietf.org>, Alan DeKok <alan.dekok@inkbridge.io>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [radext] Re: New I-D: draft-seralathan-radext-persistent-devid-00
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/RJ2_tnMvG_MabAzNNXeFs5wA3h4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
Hello, On Tue, 2 Jun 2026, at 07:02, Premanand Seralathan (pseralat) wrote: > 1. As you noted, some NAS products don't support multiple Class > attributes. Class is already widely used for policy names, VLAN tags, > billing codes, etc. In those deployments there's no room for a device > ID without displacing existing usage. Does any off the shelf vendor equipment support Persistent-Device-Id today? Alan's point was where support would need to be added for Persistent-Device-Id by a vendor, that vendor would be better to fix their support for Class rather than put their efforts in introducing something new. > 2. A "devid:" prefix is an ad-hoc convention -- every consuming system > (profiling engine, SIEM, compliance) would need to know to parse Class > values looking for the prefix. A defined attribute with IANA > registration gives interoperability without per-deployment conventions. I am not sure leaning on the lack of middleware support is a reason to define something new that nothing supports is the correct course of action here. :) Class can be whatever the site wishes it to be. Any 'contract' around its use can be determined there. > 3. Class is opaque by specification - RFC 2865 says implementations > "SHOULD NOT attempt to interpret" it. Requiring systems to parse and > interpret Class content works against this. It is unsporting to trim down the quote without including the rest of it :) In the same sub-section, "information is site or application specific" and the "codification of the range of allowed usage of this field is outside the scope of this specification." Instead, Persistent-Device-Id could be replaced with a proposal offering a format to use for Class instead. Mechanisms that could be leant on: * to determine if a given Class value is for your application, use an encoding strategy that avoids confusion, such as appending a signature/checksum or use symmetric encryption where the plaintext starts with your prefix; you are not looking for confidentiality so maybe the key used could be public. * a persistent device ID must vary on every authentication but be linked back to a static ID server/application side; whether with a lookup table or include a nonce with the key or a RFC2289 inspired approach where you encode and send a counter N and the N times hashed value of the original UUID to make it reversible server side. On that last point, I think over the wire static user/device IDs is something that can and should be avoided in new specifications, especially when RADIUS proxies over a federation of many administrative domains would have access to this ID. CUI accomplishes this by allowing mixing of a time component (ISO week number makes for a good choice) and visited site (ie. Operator-Name). I am not convinced of the technical necessity of Persistent-Device-Id for the functioning of middleware systems providing policy enforcement and regulatory compliance. Those systems are typically deployed to coordinate with a central service and so only a per-session ID would be necessary. My preference is to see less over-the-wire readable user/device tracking, as well as improved support for Class from vendors. This draft may be pushing us in the opposite direction so my initial reflex would be to oppose it. Cheers Alex
- [radext] New I-D: draft-seralathan-radext-persist… Premanand Seralathan (pseralat)
- [radext] Re: New I-D: draft-seralathan-radext-per… Alan DeKok
- [radext] Re: New I-D: draft-seralathan-radext-per… Premanand Seralathan (pseralat)
- [radext] Re: New I-D: draft-seralathan-radext-per… Alan DeKok
- [radext] Re: New I-D: draft-seralathan-radext-per… Alexander Clouter
- [radext] Re: New I-D: draft-seralathan-radext-per… Alan DeKok
- [radext] Re: New I-D: draft-seralathan-radext-per… Premanand Seralathan (pseralat)
- [radext] Re: New I-D: draft-seralathan-radext-per… Alexander Clouter
- [radext] Re: New I-D: draft-seralathan-radext-per… Alan DeKok
- [radext] Re: New I-D: draft-seralathan-radext-per… Premanand Seralathan (pseralat)
- [radext] Re: New I-D: draft-seralathan-radext-per… Premanand Seralathan (pseralat)
- [radext] Re: New I-D: draft-seralathan-radext-per… Alan DeKok
- [radext] Re: New I-D: draft-seralathan-radext-per… Premanand Seralathan (pseralat)
- [radext] Re: New I-D: draft-seralathan-radext-per… Alexander Clouter
- [radext] Re: New I-D: draft-seralathan-radext-per… Michael Richardson