Re: [radext] Issues with draft-ietf-radext-radius-extensions-09
Sam Hartman <hartmans@painless-security.com> Sat, 02 February 2013 01:32 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DED5F21F8C0B for <radext@ietfa.amsl.com>; Fri, 1 Feb 2013 17:32:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.449
X-Spam-Level:
X-Spam-Status: No, score=-1.449 tagged_above=-999 required=5 tests=[AWL=-1.150, BAYES_00=-2.599, MANGLED_STOP=2.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TnsJUiJH8Wg4 for <radext@ietfa.amsl.com>; Fri, 1 Feb 2013 17:32:36 -0800 (PST)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 2955721F8995 for <radext@ietf.org>; Fri, 1 Feb 2013 17:32:25 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (c-98-216-0-82.hsd1.ma.comcast.net [98.216.0.82]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS id 79B6F20183; Fri, 1 Feb 2013 20:28:25 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id E7E6443FD; Fri, 1 Feb 2013 20:32:23 -0500 (EST)
From: Sam Hartman <hartmans@painless-security.com>
To: Barry Leiba <barryleiba@computer.org>
References: <CALaySJLf91jdfOrqC4V-fcYK53uhc5UMxJDPzqf60b5cKqfGSA@mail.gmail.com> <510BE42B.1060102@deployingradius.com> <CALaySJ+1Vc4t6usTVeJM+pbBtxqEhb7GOCJmUz=M=zOr9JJNdw@mail.gmail.com>
Date: Fri, 01 Feb 2013 20:32:23 -0500
In-Reply-To: <CALaySJ+1Vc4t6usTVeJM+pbBtxqEhb7GOCJmUz=M=zOr9JJNdw@mail.gmail.com> (Barry Leiba's message of "Fri, 1 Feb 2013 19:40:17 -0500")
Message-ID: <tslzjzno5zs.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: "radext@ietf.org" <radext@ietf.org>, radext-ads@tools.ietf.org, Alan DeKok <aland@deployingradius.com>
Subject: Re: [radext] Issues with draft-ietf-radext-radius-extensions-09
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Feb 2013 01:32:37 -0000
>>>>> "Barry" == Barry Leiba <barryleiba@computer.org> writes: esn't make sense to me. Section >>> 2.8 starts with this: >>> >>> The term "invalid attribute" is new to this specification. It >>> is defined to mean that the Length field of an Attribute is >>> valid (as per [RFC2865], Section 5, top of page 25). >>> >>> These two appear to be contradictory: the first says that if the >>> length is invalid, it's an "invalid attribute", and the second >>> says that "invalid attribute" means that the length field is >>> valid (but there are other problems). This comment also applies >>> to "TLV-Length" in Section 2.3. >> >> The intent here is that the *contents* of the attribute are >> invalid. Barry> Yes, I get that. Barry> You are saying (in 2.8) that "invalid attribute" is a Barry> situation when the length is valid and the content is not. Barry> But you are also saying (in 2.1) that an EA is considered Barry> "invalid attribute" when its length is invalid. If I may, I think this is a layering issue. You have the base radius layer, which requires length be at least 2. If your length isn't 2, you fall off the parse path in RFC 2865; it's a low level problem. If your length is at least 2 you get into an attribute-type-specific abstraction. One outcome of this abstraction is "invalid attribute," a new concept introduced in this spec. It means well-formed at the 2865-level but semantically garbage at an attribute-type-specific level introduced in this spec. And the attribute-type-specific layer for extended types introduces the length must be 4 rule. So, it's kind of like saying that a different chunk of code in the abstraction will return an error depending on which length range things fall in. 0-1: something like BaseRadius.WayTooShort; 2: if it's an extended attribute extendedattribute.InvalidAttribute The above is just an analogy to explain why I don't think it's contradictory. I'm not entirely convinced that distinction in abstraction is useful. I.E. the spec might be improved by addressing your concern, and the wording might not be good enough for you to see a reading that isn't contradictory, but I don't see any internal consistency problem. --Sam
- [radext] [Fwd: Issues with draft-ietf-radext-radi… Alan DeKok
- Re: [radext] Issues with draft-ietf-radext-radius… Alan DeKok
- Re: [radext] Issues with draft-ietf-radext-radius… Barry Leiba
- Re: [radext] Issues with draft-ietf-radext-radius… Sam Hartman
- Re: [radext] Issues with draft-ietf-radext-radius… Alan DeKok
- Re: [radext] Issues with draft-ietf-radext-radius… Barry Leiba
- Re: [radext] Issues with draft-ietf-radext-radius… Barry Leiba
- Re: [radext] Issues with draft-ietf-radext-radius… Barry Leiba
- Re: [radext] Issues with draft-ietf-radext-radius… Alan DeKok
- Re: [radext] Issues with draft-ietf-radext-radius… Sam Hartman
- Re: [radext] Issues with draft-ietf-radext-radius… Benoit Claise
- [radext] please check draft-ietf-radext-radius-ex… Jouni Korhonen
- Re: [radext] please check draft-ietf-radext-radiu… Jouni Korhonen
- Re: [radext] please check draft-ietf-radext-radiu… Benoit Claise