Re: [radext] WGLC for draft-ietf-radext-bigger-packets-01

Sam Hartman <hartmans@painless-security.com> Wed, 22 October 2014 14:43 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D514D1ACD01 for <radext@ietfa.amsl.com>; Wed, 22 Oct 2014 07:43:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FbZE1zSV79Op for <radext@ietfa.amsl.com>; Wed, 22 Oct 2014 07:43:05 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 779721ACD00 for <radext@ietf.org>; Wed, 22 Oct 2014 07:43:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 963AF2037B; Wed, 22 Oct 2014 10:41:39 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lOONNt6CuCsR; Wed, 22 Oct 2014 10:41:38 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-50-177-26-5.hsd1.ma.comcast.net [50.177.26.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Wed, 22 Oct 2014 10:41:38 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 6B24681368; Wed, 22 Oct 2014 10:43:01 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alan DeKok <aland@deployingradius.com>
References: <54476510.10903@gmail.com> <5447BEA3.60805@deployingradius.com>
Date: Wed, 22 Oct 2014 10:43:01 -0400
In-Reply-To: <5447BEA3.60805@deployingradius.com> (Alan DeKok's message of "Wed, 22 Oct 2014 10:26:43 -0400")
Message-ID: <tsltx2wkvwq.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/SLEjuukr3qElUt9I2l0HNy8K9d8
Cc: "radext@ietf.org" <radext@ietf.org>, Jouni Korhonen <jouni.nospam@gmail.com>, Stefan Winter <stefan.winter@restena.lu>
Subject: Re: [radext] WGLC for draft-ietf-radext-bigger-packets-01
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 14:43:08 -0000

>>>>> "Alan" == Alan DeKok <aland@deployingradius.com> writes:

    Alan> Jouni Korhonen wrote:
    Alan> * Section 5 defines the Response-Length attribute, but doesn't
    Alan> use the typical RADIUS specification format, with ASCII art,
    Alan> etc.  This means it's not clear how many octets the attribute
    Alan> takes.

    Alan>   I suggest stating explicitly that it's of type "integer", as
    Alan> defined in RFC 2865, Section 5.

makes sense.
If you want to supply ASCII art I'd be happy to include it.
If you want to pretend we live in a post-data-types world and start that
world now I'd be delighted.


    Alan> * I'm of two minds about the "Too-Big" packet code.  It's
    Alan> useful, but it may be better to change this to a generic
    Alan> "Protocol-Error" type, and include an Error-Cause attribute,
    Alan> with value "Too-Big".

    Alan>   That would allow the same packet code to be used in other
    Alan> situations.

    Alan> * the document doesn't say how the "Too-Big" packet is created
    Alan> or signed.  The rules for signing packets are different for
    Alan> Access-Accept and Accounting-Request packets.  Which ones are
    Alan> used for "Too-Big" ?

I can see two choices.
Pick one, or pick the one that is appropriate for what you're responding
to.

    Alan> * what happens when a TCP socket contains both Access-Request
    Alan> and Accounting-Request packets?

Hmm, I was thinking about TCP where we have separate accounting and
authentication ports.
However, we don't seem to have that for radsec.

    Alan>   i.e. it is possible to have Access-Request of ID 1 and
    Alan> Accounting-Request of ID 1 sent over a TCP socket at the same
    Alan> time.

    Alan>   If the client receives a "Too-Big" attribute of ID 1, which
    Alan> packet is it for?  Does it matter?

I don't think it matters that much, no.
If it does you can see which of the packets you sent is bigger than the
response length you just got.

    Alan>   How does a client match the Too-Big attribute to incoming
    Alan> packets?  These rules aren't clear.  It's also not clear if
    Alan> they can be resolved in a reasonable amount of time.


    Alan>   Perhaps one way to solve this issue is to define a
    Alan> "Protocol-Error" packet, and a Protocol-Error-Ack packet.  The
    Alan> server would send one over the TCP socket to the client, and
    Alan> the client would ACK it.  The packet signing rules could be
    Alan> the same as for Accounting-Request.

I'd really rather not do that; it seems rather complex and I'd really
like to try and find a way to make this mechanism simple.
Let's explore how important it is that clients be able to match the
too-big packet and if so how difficult that ends up being.


--Sam