Re: [radext] draft-ietf-opsawg-ucl-acl: User Access Control Group ID RADIUS Attribute

Heikki Vatiainen <> Thu, 12 October 2023 15:53 UTC


On Thu, 12 Oct 2023 at 18:05, <> wrote:

> Thank you for catching this.
> What is actually interesting is that we are discussing a PR to make the
> change in the other way around:

The PR documents the length of group-id as "1..64". Looking at 'string'
type definition for Radius, RFC 8044 requires this length restriction to be
a part of the new attribute definition:

I took a quick look at YANG definitions, and YANG's 'string' definition
talks about Unicode.

Because the Unicode code points need to be somehow encoded when sent over
the network, the draft likely needs a definition of how to encode YANG
'string' type group-id so that it can be sent with a Radius attribute. In
this case the Radius attribute payload length could be more than 64.

In other words, the draft should likely define how to encode YANG 'string'
type group-id to a presentation suitable for Radius transport. I think
doing this clarifies, for example, what's the Radius attribute length
restriction. It would also make it clear how to encode/decode a group-id
value for transporting it over the new Radius attribute.

Radius also has type 'text' for carrying UTF-8 encoded strings.
This might be helpful too.

Heikki Vatiainen
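
The length mismatch raised in the message above, as an added example that is not part of the original message or of the draft: a group-id limited to 1..64 Unicode characters is encoded as UTF-8 into a RADIUS attribute and decoded with strict validation on receipt. Assumptions: the "1..64" range counts characters, the value is carried as RFC 8044 'text' in a standard-space attribute (at most 253 value octets), and the attribute type code is a placeholder.

```python
# Added example. Assumptions: group-id travels as RFC 8044 'text' (UTF-8) in a
# standard-space attribute; the type code below is a placeholder, not assigned.
ATTR_TYPE_PLACEHOLDER = 250
MAX_VALUE_OCTETS = 253        # 255-octet attribute minus Type and Length octets
MIN_CHARS, MAX_CHARS = 1, 64  # "1..64" from the PR, assumed to count characters


def encode_group_id(group_id: str) -> bytes:
    """Return the Type/Length/Value octets for a group-id string."""
    if not MIN_CHARS <= len(group_id) <= MAX_CHARS:  # len() counts code points
        raise ValueError("group-id must be 1..64 Unicode characters")
    value = group_id.encode("utf-8")  # strict: rejects lone surrogates
    if len(value) > MAX_VALUE_OCTETS:
        raise ValueError(f"{len(value)} UTF-8 octets exceed {MAX_VALUE_OCTETS}")
    return bytes([ATTR_TYPE_PLACEHOLDER, len(value) + 2]) + value


def decode_group_id(attr: bytes) -> str:
    """Validate a received attribute and return the group-id string."""
    if len(attr) < 3 or attr[0] != ATTR_TYPE_PLACEHOLDER or attr[1] != len(attr):
        raise ValueError("malformed attribute header")
    group_id = attr[2:].decode("utf-8")  # strict: raises on invalid UTF-8
    if not MIN_CHARS <= len(group_id) <= MAX_CHARS:
        raise ValueError("group-id must be 1..64 Unicode characters")
    return group_id


if __name__ == "__main__":
    # Constructed sample values, not taken from the draft.
    for sample in ("finance", "\u00e9" * 64, "\U0001F600" * 63, "\U0001F600" * 64):
        try:
            attr = encode_group_id(sample)
            print(len(sample), "chars ->", attr[1] - 2, "value octets")
        except ValueError as err:
            print(len(sample), "chars -> rejected:", err)
```

Under these assumptions a 64-character group-id made of four-octet code points needs 256 value octets, which does not fit a standard-space attribute at all.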