IETF Logo Mail Archive

Re: [radext] draft-cullen-radextra-status-realm-00

Alexander Clouter <alex+ietf@coremem.com> Sun, 01 January 2023 17:54 UTC

Return-Path: <alex+ietf@coremem.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 492BBC14CF0F for <radext@ietfa.amsl.com>; Sun, 1 Jan 2023 09:54:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b=QqEVO9Mw; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=tYnDk4y7
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TQlv3mnS6CBv for <radext@ietfa.amsl.com>; Sun, 1 Jan 2023 09:54:07 -0800 (PST)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB798C14F723 for <radext@ietf.org>; Sun, 1 Jan 2023 09:54:06 -0800 (PST)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 1A32E3200645 for <radext@ietf.org>; Sun, 1 Jan 2023 12:54:06 -0500 (EST)
Received: from imap46 ([10.202.2.96]) by compute5.internal (MEProxy); Sun, 01 Jan 2023 12:54:06 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1672595645; x=1672682045; bh=SAG/U1XnE+ B7Bx60IR/DN548FWkZPRBO4zzZR9bbgV8=; b=QqEVO9MwIv47mTt0/2uClayXB9 BO8YZ7a/lHewHStRHsGoYBTgpg5xsXAoGmDgcu5YvvCV02ivOJRQrIB9SWHd3lpv khMoYqj/JRloLoohFlyCcRmNSYW+Q537vVA4hJlx4jpk5zZtFOgimAvAPP3v/Y1L H6OoGV7/cO6BY/3yMTHiAyT+OFAO913exvuXVaH6nbLToZUMZP6+0TNR6C/jXJtT w9t0c+jXSDb4nJCII2dErdy+rY9Ja+IZ8fhbarpjFUj9KWMinaK/2BPNmVhOnk1n fHEfktvLfZf3M2D8SvvNwAM431SkH3na+Bminlpdc2UQm9C8PPCfiRmngNMA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1672595645; x=1672682045; bh=SAG/U1XnE+B7Bx60IR/DN548FWkZ PRBO4zzZR9bbgV8=; b=tYnDk4y7807aK7uzbIgoIGmLVYSqiv/LZRlVPfHit8z+ hNT+d8oM/boCrW8g/Paa8Pfu/c5wELv+oNgYzF2sb1+JJvADYhWZ9KakAI+7D3ly QB1T1WWCov74OsnISx7eLECgofkZ9HgDmw6SvcHJ2NezrQzfwJXlMgagKeJo9blH 2/AoQvuMH/4HrZTXWYaNKsLq6MXoT4YM81DfBDmCFn4PXgTJYuKByuIKDaN3vJ4O SEwNkuFfgE+If05UsAGiCCVUaL8N8Mz1E6PX5FAQgYPyLYrUzg9h7VER4MVK4dzk A2DmSpR8CNtVj+MZ2swBSuJuORfXXNoZFyU7YEFVxw==
X-ME-Sender: <xms:vcixY04l4Rt4BmpJHoI4L83992VKDVu2zmXO2vcJyk6I_6VbJhDTag> <xme:vcixY14SP3bws5Q_ZFLSting3RYCYngO2HviiclrdhomCrEe8nxSJQbMpUikkCv8y daRjGMN2PrQK_-GDA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrjedtgddutdegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsegrtd erreerreejnecuhfhrohhmpedftehlvgigrghnuggvrhcuvehlohhuthgvrhdfuceorghl vgigodhivghtfhestghorhgvmhgvmhdrtghomheqnecuggftrfgrthhtvghrnhepiedvje dtuefgkedvieegieekhfektdeufeevteekffehkefgkefhheffteehteefnecuffhomhgr ihhnpehivghtfhdrohhrghdpphgrrhhishdqthhrrggtvghrohhuthgvrdhnvghtnecuve hluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprghlvgigodhi vghtfhestghorhgvmhgvmhdrtghomh
X-ME-Proxy: <xmx:vcixYzeeY22mIMjPwNdS_jDv_nIYIpFRZ_z5pyhdw2XQ2aajtP42EA> <xmx:vcixY5IzJ-WTsfaUehoevGybcZadAwMoF0NOZybPnxc8gJJCA-PFsQ> <xmx:vcixY4Ll4Sy2Z5C_iEHTgmiSo1cvcpK3ghmKeP6eIaHfjWMXB7pafg> <xmx:vcixY9Wrx9Bq2iv4sgQchSzQEWPwVR0Rm3K-A48a140ZobZ3m4SMkg>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 64B382A20080; Sun, 1 Jan 2023 12:54:05 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-1185-g841157300a-fm-20221208.002-g84115730
Mime-Version: 1.0
Message-Id: <747e85f4-71c5-4b45-aded-0bb73f1b334c@app.fastmail.com>
In-Reply-To: <BB2CA78D-4C7B-4A5D-A1D5-F09993636373@gmail.com>
References: <BB2CA78D-4C7B-4A5D-A1D5-F09993636373@gmail.com>
Date: Sun, 01 Jan 2023 17:53:24 +0000
From: Alexander Clouter <alex+ietf@coremem.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="f94b5761a50847ad9474c2bceb85a28e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/TZBXfCxS0-A6OcYnBPbNpWJIjYA>
Subject: Re: [radext] draft-cullen-radextra-status-realm-00
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Jan 2023 17:54:11 -0000

On Tue, 25 Oct 2022, at 01:18, Margaret Cullen wrote:
> We have submitted a draft that defines a Status-Realm mechanism, offering  “ping-like” and “traceroute-like” functionality for multi-hop RADIUS proxy fabrics.  It also contains mechanism for the mitigation and prevention of proxy forwarding loops.  The draft can be found here:
> 
> https://datatracker.ietf.org/doc/draft-cullen-radextra-status-realm/

Section 4.2:

"The value is *deprecated* each time a RADIUS message...", did you mean 'decremented'?

Is it useful to add to this section that by originating requests with 'Max-Hop-Count = 1' you can hint that you wish to prevent proxying upstream? Similarly the reverse in the IGP/EGP routing protocols world the TTL of the IP packet is set to 255 so the next hop router knows the request came from it's immediate neighbor.

Section 7:

"Hop-Count is of type 'integer'. Valid values are 0=255...", should this be '0-255'?

Also, what are the consequences of a originating system sending out a request with 'Max-Hop-Count = 0'? Should the next hop just reject the request immediately? Asking as this is the sort of thing we are going to see during the excitement of interop.

Section 8:

"RADIUS Servers SHOULD NOT add Server-Information attributes to Response messages when processing Responses.", it is unclear why you would not want to have Server-Information attributes added to the responses on the way back? The routing may be asymmetrical (https://paris-traceroute.net/) and would be useful to see this.

"This attribute is also included as a sub-attribute within the Status-Realm-Response-Code attribute...", okay, my brain just exploded with the TLVs within TLVs within TLVs...and it is unclear if Server-Information must only now be inside a Status-Realm-Response-Code at all times? I am probably being stupid, but I cannot piece together how Server-Information is added *inside* of Status-Realm-Response-Code unless some constraints are highlighted guarding that the attribute ID for Server-Information is nothing like the sub-attribute IDs of Status-Realm-Response-Code. This section is screaming out for some ASCIIart.

'Proxy-{Information,Identifier}' appears from nowhere. Did you mean 'Server-{Information,Identifier}'? I am guessing this terminology was used in an earlier revision?

I have no idea where 'Server-Operator' comes from? I know it is a 'string' and works like 'Operator-Name', but I have no idea how it should be packaged into the 'Server-Information' TLV? Should this be a 'Type = 4' or something?

It takes some mental gymnastics to understand and see the purpose of 'Hop-Count'. There is a hint tucked away into Section 6 of 'traceroute-like', so it might be worth showing an example of after a full proxied authentication round trip the contents of those Server-Information attributes that have been added and how that information is extractable to build a map of the RADIUS Proxy Fabric involved.

Finally I would love to see a timestamp (at least millisecond resolution) sub-attribute be packed into 'Server-Information' so we can find the slow hops and an optional 'retry' sub-attribute counter so we can discover the lossy hops.

Thanks

v2.35.0 | Report a Bug | By Email | System Status