Re: [radext] WGLC for draft-ietf-radext-bigger-packets-01

Sam Hartman <> Wed, 22 October 2014 14:43 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D514D1ACD01 for <>; Wed, 22 Oct 2014 07:43:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FbZE1zSV79Op for <>; Wed, 22 Oct 2014 07:43:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 779721ACD00 for <>; Wed, 22 Oct 2014 07:43:05 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 963AF2037B; Wed, 22 Oct 2014 10:41:39 -0400 (EDT)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lOONNt6CuCsR; Wed, 22 Oct 2014 10:41:38 -0400 (EDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by (Postfix) with ESMTPS; Wed, 22 Oct 2014 10:41:38 -0400 (EDT)
Received: by (Postfix, from userid 8042) id 6B24681368; Wed, 22 Oct 2014 10:43:01 -0400 (EDT)
From: Sam Hartman <>
To: Alan DeKok <>
References: <> <>
Date: Wed, 22 Oct 2014 10:43:01 -0400
In-Reply-To: <> (Alan DeKok's message of "Wed, 22 Oct 2014 10:26:43 -0400")
Message-ID: <>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Cc: "" <>, Jouni Korhonen <>, Stefan Winter <>
Subject: Re: [radext] WGLC for draft-ietf-radext-bigger-packets-01
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Oct 2014 14:43:08 -0000

>>>>> "Alan" == Alan DeKok <> writes:

    Alan> Jouni Korhonen wrote:
    Alan> * Section 5 defines the Response-Length attribute, but doesn't
    Alan> use the typical RADIUS specification format, with ASCII art,
    Alan> etc.  This means it's not clear how many octets the attribute
    Alan> takes.

    Alan>   I suggest stating explicitly that it's of type "integer", as
    Alan> defined in RFC 2865, Section 5.

makes sense.
If you want to supply ASCII art I'd be happy to include it.
If you want to pretend we live in a post-data-types world and start that
world now I'd be delighted.

    Alan> * I'm of two minds about the "Too-Big" packet code.  It's
    Alan> useful, but it may be better to change this to a generic
    Alan> "Protocol-Error" type, and include an Error-Cause attribute,
    Alan> with value "Too-Big".

    Alan>   That would allow the same packet code to be used in other
    Alan> situations.

    Alan> * the document doesn't say how the "Too-Big" packet is created
    Alan> or signed.  The rules for signing packets are different for
    Alan> Access-Accept and Accounting-Request packets.  Which ones are
    Alan> used for "Too-Big" ?

I can see two choices.
Pick one, or pick the one that is appropriate for what you're responding

    Alan> * what happens when a TCP socket contains both Access-Request
    Alan> and Accounting-Request packets?

Hmm, I was thinking about TCP where we have separate accounting and
authentication ports.
However, we don't seem to have that for radsec.

    Alan>   i.e. it is possible to have Access-Request of ID 1 and
    Alan> Accounting-Request of ID 1 sent over a TCP socket at the same
    Alan> time.

    Alan>   If the client receives a "Too-Big" attribute of ID 1, which
    Alan> packet is it for?  Does it matter?

I don't think it matters that much, no.
If it does you can see which of the packets you sent is bigger than the
response length you just got.

    Alan>   How does a client match the Too-Big attribute to incoming
    Alan> packets?  These rules aren't clear.  It's also not clear if
    Alan> they can be resolved in a reasonable amount of time.

    Alan>   Perhaps one way to solve this issue is to define a
    Alan> "Protocol-Error" packet, and a Protocol-Error-Ack packet.  The
    Alan> server would send one over the TCP socket to the client, and
    Alan> the client would ACK it.  The packet signing rules could be
    Alan> the same as for Accounting-Request.

I'd really rather not do that; it seems rather complex and I'd really
like to try and find a way to make this mechanism simple.
Let's explore how important it is that clients be able to match the
too-big packet and if so how difficult that ends up being.