IETF Logo Mail Archive

Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

Stefan Winter <stefan.winter@restena.lu> Thu, 22 August 2013 07:53 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B55B21F9F40 for <radext@ietfa.amsl.com>; Thu, 22 Aug 2013 00:53:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WUOyi2fzJkbk for <radext@ietfa.amsl.com>; Thu, 22 Aug 2013 00:53:14 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id C3B4421F9F3D for <radext@ietf.org>; Thu, 22 Aug 2013 00:53:13 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 7178C10589 for <radext@ietf.org>; Thu, 22 Aug 2013 09:53:12 +0200 (CEST)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 655E610581 for <radext@ietf.org>; Thu, 22 Aug 2013 09:53:12 +0200 (CEST)
Message-ID: <5215C364.6080502@restena.lu>
Date: Thu, 22 Aug 2013 09:53:08 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: radext@ietf.org
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <52146E31.1030701@restena.lu> <5215BC9B.2070107@um.es>
In-Reply-To: <5215BC9B.2070107@um.es>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="wUKfKb5S84LKpXI2NKfAoPG45FcGKXgG2"
X-Virus-Scanned: ClamAV
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 07:53:15 -0000

Hi,

> Actually, they are known by the Server, but unknown by the Client. When
> the server is the one fragmenting information, that information is accurate.

It doesn't know; it's an estimation which is hopefully rather accurate
these days because many sane implementations of forwarding server do add
Proxy-State; but they are not at all obliged to.

RFC2865, 2.3 "Proxy" states:

The forwarding server MAY add one Proxy-State attribute to the
      packet.  (It MUST NOT add more than one.)

So your server in the end may see less Proxy-State than there were
proxies. This is mostly irrelevant to your draft, because if that proxy
didn't add Proxy-State, then is also doesn't consume space in the packet.

OTOH, if that proxy decided that it wants to add other attributes
besides Proxy-State, then that proxy *will* have an impact. For extra
fun, consider that a proxy may not feel the urge to add an attribute in
the request, but does so in the reply. That makes for an asynchronous MTU!

This begs the question: if a fragmentation-draft-unaware proxy receives
a chunk close to 4096, and decides it wants to add an arbitrary
attribute on its own, and cannot -> bad luck, discard?

I also just found another gem regarding Proxy-State that I wasn't aware
of until now: a forwarding server may truncate the Proxy-State values it
found from earlier proxies, and only send its new one further on. It
merely needs to remember the content of the earlier ones, to add them
back in the reply. I'm speaking of this text in the same section:

"  The forwarding server MAY
   include the Proxy-State attributes in the access-request when it
   forwards the request, or MAY omit them in the forwarded request.  If
   the forwarding server omits the Proxy-State attributes in the
   forwarded access-request, it MUST attach them to the response before
   sending it to the client."

This would totally break your proxy detection. I am not aware of anyone
implementing this though.

> That's right. Proxy-State-Len provides an approximation to that value. A
> Client will probably adjust chunk size as if Proxy-State-Len would be
> higher. I agree that being conservative is the best.
> This calculation mechanisms does not solve all the problems, but IMHO
> offers more information that using plain RADIUS, where the Client cannot
> even guess.

Your 7.1 point 3 does not explicitly mention that the client should
leave some leeway. You might want to add a sentence to that effect.

>> It might be worthwhile to consider if stacking of fragmentation is
>> possible with your draft; i.e. if a proxy receives a chunk, can it use
>> the fragmentation draft to split that incoming packet into chunks on its
>> own again? Can the receiver make sense of that double-fragging? I didn't
>> wrap my head around your draft enough to be able to answer that question
>> myself at this point :-)
> 
> No, please :).

Okay :-) Alan's response kind of gave a hint already: reassemble the
whole packet, add your attributes, chunk it.

The question of frag-unaware proxies remains; their only choice is to
discard if they can't fit in their attributes.

> It will not be an Access-Challenge, as the Access-Request of a pre-authz
> exchange does not contain any authentication attribute (e.g.
> EAP-Messsage). It only contains authorization related information, thus
> suitable responses are Access-Accept (i.e. I correctly received and
> understood your data), or Access-Reject (i.e. data not understood or not
> valid).
> 
> In previous versions of the draft it was possible to do what you said,
> but we decided to simplify to avoid a lot of troubles if mixing with
> authentication exchanges.

That's not what your example does: The packet in 4.1 contains a
"User-Password" attribute.

Maybe that's a leftover from an earlier rev?

>> 6. Allowed size
>> ===============
>> It might be worthwhile to calculate how much actual fragmented data will
>> be transmittable with 20 such roundtrips, and the maximum possible overhead.
>>
>> I think it would be (4096-517)*19+(4096-517+253) in the worst case (one
>> round-trip's User-Name is actually part of the payload, and not a
>> repetition.
> 
> Well, the draft also states to set the limit in a few tens of kilooctets
> 20. That is, whatever is reached first. Nonetheless, this are
> recommendations, but it will be a configuration decision, not sure if it
> is really important to state in the draft.

My point is that you could give implementers or even deployers some
hints regarding "what they get" for specific values. Just stating: when
using the default 20 roundtrips maximum ceiling, the amount of data that
can be transferred is between x Bytes (lowest overhead) and y Bytes
(highest overhead).

It makes life easier for people who want or need to judge whether the
default value is good enough for their implementation or deployment.
It's just a suggestion for readability / comprehensability of the draft
anyway.

Greetings,

Stefan

> 
> Best regards,
> Alejandro
>> 1 Legacy proxies
>> ==================
>> There is an implicit assumption in the draft that proxies make their
>> routing decisions based on User-Name; that's the reason why User-Name
>> always gets repeated in every chunk.
>>
>> The whole fragmentation along unmodified proxies will break if the proxy
>> uses other attributes for its forwarding decisions, say the SSID part of
>> Called-Station-Id.
>>
>> I don't know how common that is; but your draft should at least
>> explicitly state that User-Name is the (only) attribute that proxies can
>> use to make their forwarding decisions. You may also want to discuss
>> replacing or augmenting the attribute repetition for other attributes as
>> needed; but that increases the complexity of your draft significantly.
>>
>> Actually, now that I think of it, I have heard of (few) eduroam SP
>> RADIUS proxies which decide based on the SSID whether the incoming
>> request is for eduroam (proxy to their national eduroam server) or for
>> something else (proxy elsewhere). So that use case is not completely
>> theoretical.
>>
>> Greetings,
>>
>> Stefan Winter
>>
>> On 09.08.2013 14:02, Jouni Korhonen wrote:
>>> Folks,
>>>
>>> Based on the discussion in Berlin we are ready to start another
>>> adoption call for the solution for fragmentation of RADIUS packets.
>>>
>>> This email starts a two week consensus call on adopting:
>>>
>>>  Filename:         draft-perez-radext-radius-fragmentation
>>>  Revision:         06
>>>  Title:            Support of fragmentation of RADIUS packets
>>>  Creation date:    2013-07-02
>>>
>>> Express your concerns or support by 23rd August EOB on the mailing list.
>>>
>>> - Jouni & Mauricio
>>> _______________________________________________
>>> radext mailing list
>>> radext@ietf.org
>>> https://www.ietf.org/mailman/listinfo/radext
>>>
>>
>>
>>
>> _______________________________________________
>> radext mailing list
>> radext@ietf.org
>> https://www.ietf.org/mailman/listinfo/radext
> 
> 
> 
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

v2.23.0 | Report a Bug | By Email