Re: [radext] Extended IDs
Peter Deacon <peterd@iea-software.com> Sun, 03 December 2017 08:22 UTC
Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8206120713 for <radext@ietfa.amsl.com>; Sun, 3 Dec 2017 00:22:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HORIoTgx5cRV for <radext@ietfa.amsl.com>; Sun, 3 Dec 2017 00:22:36 -0800 (PST)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id DF5DA1201F8 for <radext@ietf.org>; Sun, 3 Dec 2017 00:22:35 -0800 (PST)
Received: from smurf (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0006061106@aspen.iea-software.com>; Sun, 3 Dec 2017 00:22:35 -0800
Date: Sun, 03 Dec 2017 00:22:35 -0800
From: Peter Deacon <peterd@iea-software.com>
To: Stefan Winter <stefan.winter@restena.lu>
cc: radext@ietf.org
In-Reply-To: <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu>
Message-ID: <alpine.WNT.2.21.1.1712022028110.2252@smurf>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu>
User-Agent: Alpine 2.21.1 (WNT 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/TwSd_SbVUV_eRGRbX40Gmarv2sE>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Dec 2017 08:22:38 -0000
On Tue, 28 Nov 2017, Stefan Winter wrote: >> I think it would be good if all remaining readers of this list who care >> enough now take some time to read both drafts and make up their mind on >> what the preferred approach is. >> In approx. two weeks' time I will start a call for adoption on both >> drafts, and hopefully there are enough responses to make the exercise >> meaningful. If so, the one with more votes wins. > * draft-chen-radext-identifier-attr-02 > * draft-dekok-radext-request-authenticator-02 > Since the two drafts treat the same topic, at most one can be selected > to serve as the basis for future work. > In your reply to this call for adoption, please indicate which of the > two drafts you think should be adopted. You can of course also indicate > that none of the two are fit for purpose. The only thing you really While both approaches achieve the same thing using similar means and similar properties of the two draft-dekok-radext-request-authenticator-02 is my preference. Details below for those interested. ---- draft-chen-radext-identifier-attr-02 While I have some minor concerns: - structure of attribute Please make it a normal integer? - ordering requirement Only one specification can ever demand its attribute be "first". You have to check the rest anyway to enforce stated constraint. This should be relaxed. - lack of details The approach at a high level is reasonable and makes sense to me. A very minor issue I see is behavior in face of misconfigured clients by allowing for manual configuration: Consider client /w extended id support enabled sends Request to immediate upstream server in proxy chain not supporting extended id. In this case some things may happen: 1. No server in the chain support extended id resulting in client never seeing a response. This seems acceptable enough to me because the client is after-all misconfigured. 2. One or more servers in the chain support extended id. What happens in this case is implementation specific. A. Best case the benefits of extended id space are successfully tunneled back to requesting client thru servers that don't support it. This is actually kind of cool assuming it's what actually happens. B. Second best extended id attribute is dropped due to proxy specific policy restrictions causing client to never see response. No response is an acceptable response to client misconfiguration. C. Not so good proxy server is only checking srcaddr/srcport/id for duplicate requests resulting in a ton of dropped requests and a potentially difficult problem for operators to understand or troubleshoot. ---- draft-dekok-radext-request-authenticator-02 This approach also makes sense conceptually and seems to be marginally easier to manage. No changes to request attributes, no worry about dynamic auth req and no sequence counter to maintain when generating ORA response. This approach offers a small benefit ORA response always unambiguously correlated with requesting peer avoiding possibility of (C.) behavior in proxy chains. I don't agree with client behavior when ORA is expected yet missing. The response should always be to silently ignore request. Certainly mandatory fallback mechanism for static configuration is going way too far in dictating behavior / controlling operator preference. Wouldn't count on those who elect to implement a mechanism like this to also spend too much time working viable scalable connection management to provide useful interop with servers that don't support ORA otherwise to be honest likely wouldn't be much point in implementing this draft in the first place. In my view it should not be assumed fallback is harmless or even a viable option. regards, Peter
- [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Robert Raszuk
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Astrid Smith
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stig Venaas
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Arran Cudbard-Bell
- Re: [radext] Extended IDs peter
- Re: [radext] Extended IDs Bernard Aboba
- Re: [radext] Extended IDs Alan DeKok
- [radext] FW: Extended IDs Albert Tian
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs David Carrel
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Jun Zhuang
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alexander Clouter