IETF Logo Mail Archive

Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04

Alan DeKok <aland@deployingradius.com> Sat, 06 April 2013 23:49 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5870B21F8B08 for <radext@ietfa.amsl.com>; Sat, 6 Apr 2013 16:49:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vay1aLb5YWw9 for <radext@ietfa.amsl.com>; Sat, 6 Apr 2013 16:49:44 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 8B37821F8B07 for <radext@ietf.org>; Sat, 6 Apr 2013 16:49:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 43F1A2240D85; Sun, 7 Apr 2013 01:49:43 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gbKimf0olgML; Sun, 7 Apr 2013 01:49:40 +0200 (CEST)
Received: from Thor-2.local (bas1-ottawa11-1176224750.dsl.bell.ca [70.27.195.238]) by power.freeradius.org (Postfix) with ESMTPSA id 03CC722404EF; Sun, 7 Apr 2013 01:49:39 +0200 (CEST)
Message-ID: <5160B492.8040604@deployingradius.com>
Date: Sat, 06 Apr 2013 19:49:38 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Peter Deacon <peterd@iea-software.com>
References: <1A5FDF7C-9E93-447E-A103-9700349CB2F5@gmail.com> <alpine.WNT.2.00.1304021450180.3988@SMURF> <515C3604.3040406@deployingradius.com> <alpine.WNT.2.00.1304042021411.3988@SMURF> <515EDBB8.2020101@deployingradius.com> <alpine.WNT.2.00.1304052202020.3988@SMURF>
In-Reply-To: <alpine.WNT.2.00.1304052202020.3988@SMURF>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: radext@ietf.org, radext-chairs@tools.ietf.org
Subject: Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2013 23:49:45 -0000

Peter Deacon wrote:
>>  Uh... they declared that RADIUS/UDP packets were acceptable.  The DTLS
>> flag is for *new* traffic.
> 
> It makes a decision for the operator by assuming past configuration is
> still desired or applicable.

  The point of a specification is to do exactly that: mandate good
decisions where the local admin may make bad ones.

>>  It makes no sense to send RADIUS/UDP packets, and then ignore the
>> responses because DTLS is now required.
> 
> When switching to DTLS clients may no longer be capable or willing to
> touch RADIUS/UDP.  I'm not arguing against the behavior.  I just think
> the MUST requirement is too strong.

  You're very concerned about miscommunication for idle timeouts, but
you're unconcerned with miscommunication here.  I'm not sure why.

> At some point the operator would have had to update firmware or software
> taking the system offline to obtain RADIUS/DTLS functionality.  These
> kinds of things are handled normally within a planned maintenance window.

  There is no requirement to *use* DTLS when you upgrade the firmware.
Allowing for a gradual migration path is good, in my opinion.

> As draft points out in section 10.3 this automatic scheme causes
> breakage while there are multiple clients behind a single IP.

  Which is not supported by RADIUS/UDP.  This document isn't the place
to standardize that behavior.

>  When just
> one of them upgrades all other clients break causing network outage and
> potential loss of revenue.  The simple manual server knobs without
> migration behavior in this case prevents migration from *causing* an
> outage.

  If people aren't following the specs, then they're responsible for
breaking their own networks.  I don't have a lot of sympathy here.

> Having thought about this a bit more perhaps it would be better simply
> to move migration procedure from server to client.  This would fix NAT
> problems and server "flag" would only be used to declare level of
> security it is willing to accept.

  That results in down-bidding attacks from the clients, which won't
pass a security review.

> The main reason I see a need to use heartbeats is to thread the needle
> keeping UDP NAT associations from expiring, letting servers know our
> session is not forgotten and detecting session termination.  None of
> these concerns apply to RADIUS/UDP.

  If you're going to run multiple RADIUS clients behind one NAT, you're
not really doing RADIUS.

> I would be happy if DTLS heartbeats were able to reset server idle
> timeout.  Thats all I want.

  OK.

> In my view the only "application layer" thing that works for purpose of
> determining useful overall systems availability is still passive
> observation of response to client requests in the spirit of RFC 2865.

  Using Status-Server is a reasonable substitute.  Especially when (as
you say) the client may not be sending "normal" packets for long periods
of time.

  Alan DeKok.

v2.39.1 | Report a Bug | By Email | System Status