Re: [radext] draft-ietf-opsawg-ucl-acl: User Access Control Group ID RADIUS Attribute

Heikki Vatiainen <hvn@radiatorsoftware.com> Thu, 12 October 2023 15:53 UTC

Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84A37C15109F for <radext@ietfa.amsl.com>; Thu, 12 Oct 2023 08:53:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GHf-IHP8X7G9 for <radext@ietfa.amsl.com>; Thu, 12 Oct 2023 08:53:45 -0700 (PDT)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 530AFC1516E2 for <radext@ietf.org>; Thu, 12 Oct 2023 08:53:45 -0700 (PDT)
Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-53d9b94731aso2137641a12.1 for <radext@ietf.org>; Thu, 12 Oct 2023 08:53:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20230601.gappssmtp.com; s=20230601; t=1697126021; x=1697730821; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=P1tCElW8KlGLLKp6+QzVT3LB7wIiPIDgJmt8eTk4oxA=; b=tp1nyMazwPSaJyUsgh93qdultdtKVNSsQ1gLY9gIH+i4aXiMkl5l1QnAldcHWDHgie oiS6ih8KQ0NEVOfnzv8H7pBibFMplsYO8Kk5ISfanw8Oaw/wl6yVg+Pe2OFpmVyRErOY 55QSTQU3uajp56MM0XF/9aUmVJlWx8LFJKGDOkItMZ1bn/MJ0uRtJns0v8Bkr6l01ryK VtZX2mcmyRTcNag4DQiM2TMI+v3NC97hQmbaUQ5UdZ+/iy90BvUHInhBLiClz1vgIqGl 8tJgoAhk1tbaO3v7nIMQGvfLZSQxHaHWV5MTG+0rUd9LWj5Zh4gQpBVOM0OpgZQkKf0s wQ3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697126021; x=1697730821; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=P1tCElW8KlGLLKp6+QzVT3LB7wIiPIDgJmt8eTk4oxA=; b=Ate2o6UeOhmY6E6HCD0084VpPwe6uStJo+fdfTSNhOJArU9EOlyeWSAm7UfUrla9rU aGASBfneTdsQiUnglKFVgM2lRPJO886ZWmf/GmoshKCmBVFGn2I7GVtA9+XL6qI5F/P1 1A8DePUtKPUQUf2Rli54OJjVjjzbUki1xZ98AfZNxWNyT53ejFuSUCMs8VpGVnoSpxxd i5OT+EoAjMA9POUrxNYP4ldzEJnvduvIrzJOUdY7LITEYgGZBu7Sss5CT0tEpiCX2Drb Uo7AcferqN+odFLY6po1moEv/i54enJ58J/MwEudkpteFpFGcQYW8/6WymnWmh8h8SMw qoCQ==
X-Gm-Message-State: AOJu0YyjAFStMhx5bnVTfdXqC/E02rxETlsK/reUBE2Q47teS4QT0Vpi eJPOym9lawKpj+XNAtO/hGXiklD2Com2I/RworZPBQyUNavScDT8e5E=
X-Google-Smtp-Source: AGHT+IFn1Z3Pc3ZtVtiNDJGsCpN62fXT3/E0kjxPIhfxxeEv2OzhNERS4Dhe/FaTzjxZJZTU4muhHzZHCIaewlvxoYg=
X-Received: by 2002:a17:906:5a66:b0:9b2:93c1:72dd with SMTP id my38-20020a1709065a6600b009b293c172ddmr21225860ejc.36.1697126021384; Thu, 12 Oct 2023 08:53:41 -0700 (PDT)
MIME-Version: 1.0
References: <DU2PR02MB10160E3C06B7D7D89D3B21C9D88C3A@DU2PR02MB10160.eurprd02.prod.outlook.com> <CAA7Lko9YknOpxtdD=F5E7ALO83pgenHbfPDMgoDJPPQjY-CBVw@mail.gmail.com> <DU2PR02MB10160CED8CD146EB0F448598988D3A@DU2PR02MB10160.eurprd02.prod.outlook.com>
In-Reply-To: <DU2PR02MB10160CED8CD146EB0F448598988D3A@DU2PR02MB10160.eurprd02.prod.outlook.com>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Thu, 12 Oct 2023 18:53:25 +0300
Message-ID: <CAA7Lko_0eSbX1Xc+ogt5KWWYBqtpYJVx47a9getnoUF7XqfPmw@mail.gmail.com>
To: mohamed.boucadair@orange.com
Cc: "radext@ietf.org" <radext@ietf.org>, opsawg <opsawg@ietf.org>, "draft-ma-opsawg-ucl-acl@ietf.org" <draft-ma-opsawg-ucl-acl@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a4e681060786f162"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/S9Dgsb4EYWQNbIA3NL5BXEIqmH8>
Subject: Re: [radext] draft-ietf-opsawg-ucl-acl: User Access Control Group ID RADIUS Attribute
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Oct 2023 15:53:50 -0000

On Thu, 12 Oct 2023 at 18:05, <mohamed.boucadair@orange.com> wrote:


> Thank you for catching this.
>
>
>
> What is actually interesting is that we are discussing a PR to make the
> change in the other way around:
> https://github.com/boucadair/policy-based-network-acl/pull/20/files.
>

The PR documents the length of group-id as "1..64". Looking at 'string'
type definition for Radius, RFC 8044 requires this length restriction to be
a part of the new attribute definition:
https://datatracker.ietf.org/doc/html/rfc8044#section-3.5

I took a quick look at YANG definitions, and YANG's 'string' definitions
talks about Unicode.
https://datatracker.ietf.org/doc/html/rfc7950#section-9.4

Because the Unicode code points need to be somehow encoded when sent over
the network,  the draft likely needs a definition of how to encode YANG
'string' type group-id so that it can be sent with a Radius attribute. In
this case the Radius attribute payload length could be more than 64.

In other words, the draft should likely define how to encode YANG 'string'
type group-id to a presentation suitable for Radius transport. I think
doing this clarifies, for example, what's the Radius attribute length
restriction. It would also make it clear on how to encode/decode a group-id
value for transporting it over the new Radius attribute.

Radius also has type 'text' for carrying UTF-8 encoded strings.
https://datatracker.ietf.org/doc/html/rfc8044#section-3.4
This might be helpful too.

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com