Re: [radext] Alissa Cooper's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)
Alan DeKok <aland@deployingradius.com> Tue, 06 September 2016 13:30 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36B8C12B1D7; Tue, 6 Sep 2016 06:30:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ACaiuyM8RfyI; Tue, 6 Sep 2016 06:30:26 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 957F412B1D2; Tue, 6 Sep 2016 06:16:02 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.networkradius.com (Postfix) with ESMTP id B35241E9A; Tue, 6 Sep 2016 13:16:01 +0000 (UTC)
Received: from mail.networkradius.com ([127.0.0.1]) by localhost (mail-server.vmhost2.networkradius.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eU2fhIqfTCxN; Tue, 6 Sep 2016 13:16:01 +0000 (UTC)
Received: from [192.168.120.42] (unknown [23.233.24.114]) by mail.networkradius.com (Postfix) with ESMTPSA id A3E9E80C; Tue, 6 Sep 2016 13:16:00 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <28413_1473165080_57CEB718_28413_354_4_6B7134B31289DC4FAF731D844122B36E01F9F38E@OPEXCLILM43.corporate.adroot.infra.ftgroup>
Date: Tue, 06 Sep 2016 09:15:59 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <4DCE81CA-FC1F-4CFF-82E1-135E158087C6@deployingradius.com>
References: <147137412687.22998.17081075232946825763.idtracker@ietfa.amsl.com> <CAHbuEH7+Gw=zDiN66Aydmie2M4dXcVqjLKWHixR7Qe6ECfN9Hg@mail.gmail.com> <D0152C61-D391-482B-BF1E-45180F89DA41@cooperw.in> <EACFFDF5-3974-4778-8EDD-A68410BAD972@gmail.com> <28413_1473165080_57CEB718_28413_354_4_6B7134B31289DC4FAF731D844122B36E01F9F38E@OPEXCLILM43.corporate.adroot.infra.ftgroup>
To: "lionel.morand@orange.com" <lionel.morand@orange.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/TUvbHSNGTHC3kdleyPmwkUEYQyQ>
Cc: "draft-ietf-radext-ip-port-radius-ext@ietf.org" <draft-ietf-radext-ip-port-radius-ext@ietf.org>, "radext@ietf.org" <radext@ietf.org>, Alissa Cooper <alissa@cooperw.in>, "kathleen.moriarty.ietf@gmail.com" <kathleen.moriarty.ietf@gmail.com>, IESG <iesg@ietf.org>, "radext-chairs@ietf.org" <radext-chairs@ietf.org>
Subject: Re: [radext] Alissa Cooper's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2016 13:30:28 -0000
On Sep 6, 2016, at 8:31 AM, lionel.morand@orange.com wrote: > Which means that whatever the parent attribute, value 1 will have to be reserved for IP-Port, value 2 for IP-Port-Limit, etc. even if these TLVs are never unused in these attributes. > The argument given by Alan is that "a TLV called "foo" should have the same TLV-Type value (e.g. 1) across multiple parent TLVs. There is enough space to do sparse allocation." In this draft, yes. Where the same sub-TLVs are used in multiple different parent TLVs. It's not a hard & fast recommendation. It's just one of the little things that would be nice, if it can be done. > Following these recommendations, the section 7.3 should be revised as follow, with a TLV-Type defined per parent attribute: That needs to be done, as IANA requires very specific instructions. My $0.02 is that I'd like to see: IP-Port-Type-Parent-A have the same "TLV-Type" value as IP-Port-Type-Parent-B. > And the values x.x.{1-11} will have to be reserved for any new attribute of type "TLV" defined in the ranges 241.{6-240}, 242.{1-240}, 243.{1-240}, 244.{1-240}, 245.{1-240} and 246.{1-240}. That's not what I'm saying. > It would be like defining a new registry for sub-TLVs. That is, in my opinion, in contradiction with the definition of the TLV data type given in section 7.3 of RFC6929 (see above). I would be in for of a new registry for sub-TLVs, but only where those sub-TLVs are re-used a lot. As an example, let's say we had firewall rules defined in RADIUS TLVs. Each firewall rule can specify a src/dst IP/port, for 4 different fields. The firewall rules have an "input" set, for packets destined locally, and an "output" set, for packets destined remotely. Let's say we have the following definitions for "input" attributes. I'll omit numbers for clarity, but assume that order matters: INPUT SRC-IP-Input DST-IP-Input SRC-Port-Input DST-Port-Input We need to define something similar for the output rules. We could do this: OUTPUT SRC-IP-Output DST-IP-Output SRC-Port-Output DST-Port-Output Which is nice. The sub-TLVs have the same order. Or, if numbering doesn't matter, we could do: OUTPUT SRC-Port-Output DST-Port-Output SRC-IP-Output DST-IP-Output Or: OUTPUT SRC-Port-Output SRC-IP-Output DST-IP-Output DST-Port-Output I think that either of these last two options is objectively worse than the first one. Note that I'm not suggesting that *all* attributes have these 4 sub-TLVs defined. Just the attributes which define firewall rules. In this case, there are multiple parent attributes which define essentially the same sub-TLVs. It would be nice to be able to re-use these these sub-TLVs, without having multiple different definitions for them. I hope that clarifies things. Alan DeKok.
- Re: [radext] Alissa Cooper's Discuss on draft-iet… kathleen.moriarty.ietf
- Re: [radext] Alissa Cooper's Discuss on draft-iet… kathleen.moriarty.ietf
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Alissa Cooper
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Kathleen Moriarty
- [radext] Alissa Cooper's Discuss on draft-ietf-ra… Alissa Cooper
- Re: [radext] Alissa Cooper's Discuss on draft-iet… lionel.morand
- Re: [radext] Alissa Cooper's Discuss on draft-iet… lionel.morand
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Alan DeKok
- [radext] RE : Re: Alissa Cooper's Discuss on draf… lionel.morand
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Alan DeKok
- Re: [radext] Alissa Cooper's Discuss on draft-iet… David B. Nelson
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Dean cheng
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Alissa Cooper
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Alissa Cooper
- Re: [radext] Alissa Cooper's Discuss on draft-iet… lionel.morand
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Alan DeKok
- Re: [radext] Alissa Cooper's Discuss on draft-iet… lionel.morand
- Re: [radext] Alissa Cooper's Discuss on draft-iet… lionel.morand
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Alan DeKok
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Kathleen Moriarty
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Alan DeKok
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Kathleen Moriarty
- Re: [radext] Alissa Cooper's Discuss on draft-iet… Kathleen Moriarty