Re: [radext] [Technical Errata Reported] RFC7585 (4991)
Benoit Claise <bclaise@cisco.com> Thu, 27 July 2017 13:52 UTC
Return-Path: <bclaise@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F9F513216D for <radext@ietfa.amsl.com>; Thu, 27 Jul 2017 06:52:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 59hXrHolWAxz for <radext@ietfa.amsl.com>; Thu, 27 Jul 2017 06:52:14 -0700 (PDT)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A915132167 for <radext@ietf.org>; Thu, 27 Jul 2017 06:52:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5497; q=dns/txt; s=iport; t=1501163527; x=1502373127; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to:content-transfer-encoding; bh=J6dO3MBgaaregFvIsslh7Wik+86BZzkpUgyA3Ofe/k8=; b=l79yWK+xupmNcbm8OVun/IDdaePcAbX3KKKpFhUTfnCTQ8Kf+YcOCp2d uJ4n01QTyNtxbzZ6XziTkoX70S+7CvC0kvmM+QDy0iAPMDVYh0qK+wXx+ snMD5Gh7bOlqTvKRHz3/eYp01PGPw3UjfIa4jdCFcGDwXP0zXgeKxbA2u I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D4AAAK73lZ/xbLJq1cGQEBAQEBAQEBAQEBBwEBAQEBhD5tJ44Nc5BMInSVFoISIQuETE8ChCEYAQIBAQEBAQEBayiFGAEBAQECAQEBIQQRNgsQCxgCAiYCAicwBgEMBgIBAYojCBCwCYFsOotBAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWBC4Idg02BYSsLgjo0gTyDIYMpgmEBBIlciGyNHosaiQuCDIknhwmJU4M6iGUfOIEKMiEIHBVJhSKBeT42h0IrghMBAQE
X-IronPort-AV: E=Sophos;i="5.40,419,1496102400"; d="scan'208";a="654557727"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Jul 2017 13:52:03 +0000
Received: from [10.55.221.37] (ams-bclaise-nitro4.cisco.com [10.55.221.37]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id v6RDq2Vh012570; Thu, 27 Jul 2017 13:52:03 GMT
To: Alan DeKok <aland@deployingradius.com>, Winter Stefan <stefan.winter@restena.lu>
Cc: radext@ietf.org
References: <20170407153616.79D17B80CE5@rfc-editor.org> <d00e36df-5158-af6a-db78-f752d2924428@restena.lu> <0EC0AC7E-04FE-416F-ABF3-92FFB07C8EA4@deployingradius.com>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <f3f44084-5727-8f07-c602-4b031c2521f2@cisco.com>
Date: Thu, 27 Jul 2017 15:52:03 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <0EC0AC7E-04FE-416F-ABF3-92FFB07C8EA4@deployingradius.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/U4WmfUUQsXeDJy3kA7kyfPeiAE8>
Subject: Re: [radext] [Technical Errata Reported] RFC7585 (4991)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jul 2017 13:52:16 -0000
On 4/8/2017 1:01 AM, Alan DeKok wrote: > On Apr 7, 2017, at 1:58 PM, Stefan Winter <stefan.winter@restena.lu> wrote: >> Well, there's section 3.4.4 "Validity of results" which has some amount >> of text on that topic: > Essentially "subsequent packets for an open connection should re-use that connection". > >>> * when a realm is being looked up, the realm SHOULD be inserted into the table with a "pending" flag, so subsequent requests during the lookup process do not cause additional lookups to be made >> With the text above, is this needed? I would think that internal >> housekeeping like deciding to store the data in a table, and that it has >> keys, and what this key has to be is *too* much implementation specific >> and does not need to be in an RFC? > It would be good to recommend that only one connection discover is ongoing at a time. This is an issue of network overload, not implementation IMHO. > >>> * if server validation fails, the realm SHOULD be updated with a "failed" state and a TTL, so that subsequent requests do not cause additional lookups for a period of time. No server information should be stored for this entry. i.e. the realm is marked as "failed", the corresponding server MUST NOT be marked as "failed". This prevents attacks where a malicious actor could point their realm to an unknowing third-party server, and cause poorly implemented proxies to mark it "failed". >> The same section 3.4.4 goes on to state: >> >> "Should the algorithm above terminate with O-1 = { empty set }, the >> RADIUS server SHOULD NOT attempt another execution of this algorithm >> for the same target realm before the timeout O-2 has passed." >> >> Is that not enough? > Yes, it's largely the same thing. It also doesn't say what to do with requests for that realm. Discard them? Reject them? > > RADIUS is bad that way. :( > >> I you want to include a failed TLS connection setup >> phase result in the negative result state then that's probably more than >> an errata can do: it's not in scope of the RFC, it only defines the >> algorithm to find a set of servers to talk to. It hands off to RFC6614 >> once the server to talk to is known. > The dynamic discovery RFC should also say what to do when thing go wrong. This isn't an issue for RFC 6614, I think. > >> A tighter integration between those two phases is certainly desirable >> (and a useful thing to consider when thinking about the update & move of >> the specs from Experimental to Standards Track) > I agree. > >>> * if server validation succeeds, all realms in the TLS "subject alternative names" presented by the server SHOULD be inserted into the realm table, all pointing to the same server definition, so that subsequent requests for those other realms do not cause additional lookups to be made. >> That is in principle a good suggestion. However the discovery process >> also yielded some meta data about the server: there's a priority order >> of servers. For a different realm, there might be different discovery >> results with a different top-priority target; but the same server can >> still be configured to serve the realm, but with a lower priority. > Sure. > >> The mechanism above would mean that a client which has learned the >> target for one realm will also talk to that same target about another >> realm without validating that it is the one to talk to /in priority/. >> That may lead to results not expected by the owner of that realm. > Sure. It just would be nice to avoid the discovery phase in some cases. > >>> * servers which have been dynamically looked up MUST NOT be added to any global pool of servers. i.e. the lookup is always "realm -> server", and not "There's a known server at this IP address" >> Well, that's how the algorithm is set up. The input is a realm, the >> output is a set of servers. It is implicit that there's a link between >> the input and the output of the algorithm. Any other interpretation of >> the algorithm's results appear counter-intuitive to me. > It's described, but isn't as explicit as the text in RFC 7542. > > As an implementor, it's nice to know what information I need to track, and what state changes I need to make in order to implement the protocol. > > The existing document describes the lookup algorithm in detail, but is a little more vague about what information is tracked, and what state changes are made. > >>> I thought we had a short discussion of some of these topics on RADEXT, but I can't find it in the archives. >>> >>> I think these comments are substantial enough to warrant "wait for document update". I just wanted to ensure they weren't lost. >> There certainly was discussion at some meetings. Many of those led to >> text updates; which is why section 3.4.4 has corresponding text. >> >> Can you re-check the document with section 3.4.4 in mind and provide a >> more narrow description on what text exactly you think needs to be >> corrected/added, and where? > I'd like more text on what to do as an implementor, and what to do when things go wrong. > > I think we can leave the errata as "hold for document update", so that the next rev can add some more text based on my comments. Done. Regards, Benoit. > > Alan DeKok. > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext > . >
- Re: [radext] [Technical Errata Reported] RFC7585 … Alan DeKok
- [radext] [Technical Errata Reported] RFC7585 (499… RFC Errata System
- Re: [radext] [Technical Errata Reported] RFC7585 … Alan DeKok
- Re: [radext] [Technical Errata Reported] RFC7585 … Stefan Winter
- Re: [radext] [Technical Errata Reported] RFC7585 … Benoit Claise