Re: [radext] Implementation inventions

Alan DeKok <aland@deployingradius.com> Thu, 24 August 2023 13:12 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FE71C1519BC for <radext@ietfa.amsl.com>; Thu, 24 Aug 2023 06:12:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nCorsHGz2dKB for <radext@ietfa.amsl.com>; Thu, 24 Aug 2023 06:12:06 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D158CC14CE39 for <radext@ietf.org>; Thu, 24 Aug 2023 06:12:04 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 748F424B; Thu, 24 Aug 2023 13:12:01 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <bbbce228-5b64-40a7-91b5-33479bdd5706@app.fastmail.com>
Date: Thu, 24 Aug 2023 09:11:59 -0400
Cc: "radext@ietf.org" <radext@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8BFFF24E-DC2B-4D83-97F7-6D5876C65887@deployingradius.com>
References: <2B40BD0B-8C16-491C-90F8-B744F2E4E2D3@deployingradius.com> <SN4PR10MB5589C79F441AFBB72493DA84A10CA@SN4PR10MB5589.namprd10.prod.outlook.com> <A4625416-E62C-45F9-ABDF-3FDF3034511C@deployingradius.com> <CAA7Lko_WY-yDX5XJUqNGN2MQ+m5_9eY_4eEBs1VJNsgZ3mOrsQ@mail.gmail.com> <7DED2D44-0972-4013-952B-F41F243C945D@deployingradius.com> <CAA7Lko8CXgCxpVCi3SKF5dq6oOD1jdvjAHGFs+REAormOoDVew@mail.gmail.com> <SN4PR10MB5589141124336784947B1A7FA11DA@SN4PR10MB5589.namprd10.prod.outlook.com> <bbbce228-5b64-40a7-91b5-33479bdd5706@app.fastmail.com>
To: Alexander Clouter <alex+ietf@coremem.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/UKjUMYYpVpjT93TzpfxhpoZMqVc>
Subject: Re: [radext] Implementation inventions
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2023 13:12:08 -0000

On Aug 24, 2023, at 5:17 AM, Alexander Clouter <alex+ietf@coremem.com> wrote:
>> I see there’s an item about keeping User-Name consistent (which is definitely important!), but we also need other solid ways to tie auth to acct.  I think this is vital for broader adoption of paid Wi-Fi roaming.
> 
> CUI I think gets you there.

  If it works.  If Class works, that's nice, too.

  If you don't have either of them, then RFC 2866 pretty much has no requirement that the attributes in Accounting-Request are in any way related to a previous Access-Request.

  The sum total of its requirements are:

      If the Accounting-Request packet includes a Framed-IP-Address,
      that attribute MUST contain the IP address of the user.  If the
      Access-Accept used the special values for Framed-IP-Address
      telling the NAS to assign or negotiate an IP address for the user,
      the Framed-IP-Address (if any) in the Accounting-Request MUST
      contain the actual IP address assigned or negotiated.

  So it's technically valid for the User-Name, NAS-Port, NAS-Port-ID, NAS-Identifier, etc. to all be different.

  In practice, servers treat the User-Name as unique, because nearly all sites limit simultaneous logins.  After that, servers go to great lengths to correlate the random data in Accounting-Request with the random data in Access-Request.  And then hope that the guesses it makes are correct.

  Is it time to standardize 2866 in order to fix this?  Apparently the subject of RFC2866 being "informative' and not "standard" has come up at the IESG.  People not familiar with the history of RADIUS boggled at just how bad it was.

>> I think clearer guidelines on Acct-Session-Id and Acct-Multi-Session-Id (and their inclusion in auth requests) could address this.
> 
> Maybe some wording around suggested uses of Acct-Session-Id (MAY in Access-Request) and Class (SHOULD in Access-Accept) would be helpful.
> 
> Would it be out of place to describe strategies here for implementors[1] on how to deal with awful vendor kit:

  Yes.

>  1. try Acct-Session-Id
>  2. sob a little and try Class
>  3. get stiff drink and reconcile sliding window and MAC/CUI/...

  I'd suggest User-Name + <waving hands> some NAS information.  The user is unlikely to have more than one session on the same NAS (barring Acct-Multi-Session-ID)

>  4. get whole bottle of stiff liquor and reconcile sliding window and MAC/username/...
>  5. ...
>  N. flip table

  N+1: file bug reports with vendor and get told "the RFCs allow this behavior"

  I'm putting text into the "deprecate" document which addresses this harmful attitude.

> The problems of each strategy would be needed too with the vain hope that we can push the crap back uphill where it came from....we can hope.
> 
> Cheers
> 
> [1] Hat tip on the friendly advice and "this seems to work in the field" to RFC5080 section 2.1.2 (Request-ID Supplementation) that details "here is how to track in flight EAP sessions".

  All of that came from implementation experience.

  This issue is best seen recently on EMU, with 7170bis.  No one implemented 7170, and it still got published.  Ten years later, we discovered that almost all of it was wrong.

  I think the IETF should do a much better job of requiring that standards be implemented.  And not as theoretical / toy implementations.  But in actual shipping product which works in the real world.

  Alan DeKok.