IETF Logo Mail Archive

Re: [radext] Extended IDs

Alan DeKok <aland@deployingradius.com> Fri, 01 December 2017 14:23 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DAC812708C for <radext@ietfa.amsl.com>; Fri, 1 Dec 2017 06:23:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TfD0qzVK8v4W for <radext@ietfa.amsl.com>; Fri, 1 Dec 2017 06:23:06 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id A2012126C19 for <radext@ietf.org>; Fri, 1 Dec 2017 06:23:06 -0800 (PST)
Received: from [192.168.20.53] (CPEf4cc55220745-CM64777ddff610.cpe.net.cable.rogers.com [99.248.225.186]) by mail.networkradius.com (Postfix) with ESMTPSA id A29A3161; Fri, 1 Dec 2017 14:23:05 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <b6ed7a87de434ea4a39f584a92e933b9@XCH-ALN-014.cisco.com>
Date: Fri, 01 Dec 2017 09:23:04 -0500
Cc: "radext@ietf.org" <radext@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <285C5C94-578E-4293-81A2-9D73E1105ABE@deployingradius.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <8BD2C2F2-D42E-4B84-8F86-3A803160DD74@cisco.com> <b6ed7a87de434ea4a39f584a92e933b9@XCH-ALN-014.cisco.com>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/TI0PcoA9jU4_nYi86S7p2HYRHhA>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 14:23:07 -0000

On Nov 30, 2017, at 9:02 PM, Jakob Heitz (jheitz) <jheitz@cisco.com> wrote:
> 
> I generally don't like overloading a field with different semantics,

  I do agree it's weird.. but it *is* the minimal possible change to the protocol.

> because if one of the semantics needs to change in the future, the dependency
> on the other semantic will complicate the change.

  I'm not sure what that means... we are absolutely *not* going to change the meaning of the Request Authenticator field.  Doing so would mean RADIUS would be changed into something else entirely.

> For that reason, I prefer draft-chen-radext-identifier-attr-02.
> I do like some of the detailed discussion of the issues in
> draft-dekok-radext-request-authenticator-02.
> I think the final document should include some of these discussions.

  One large point for me is the subject of "conflicting packets".  i.e. what does a RADIUS server do when it's currently processing one packet, and it receives another one with the same src/dst ip/port, code, and ID?

  All of the specs are silent on this topic, despite implementations having to handle such a corner case.  So far as I can tell, all implementations have chosen a similar solution.  Even RFC 5080 ignores this topic... despite FreeRADIUS (among others) have explicit code to handle this situation.

  It was thinking about these "conflicting packets" that led me to my draft.  What if they *weren't* discarded / rejected, and instead the server could process them? 

  The conclusion was not only that it was possible, but that it wasn't much work, and wasn't a large change to the RADIUS protocol.  It just requirements agreement between the client and server to just behave differently.

  In contrast, adding an extended ID as an attribute to every packet is arguably changing the RADIUS header... while pretending we're not changing the RADIUS header.  We've avoided that for 20+ years because it's a slippery slope to just changing all of RADIUS...

  Alan DeKok.

v2.23.0 | Report a Bug | By Email