IETF Logo Mail Archive

Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

Peter Deacon <peterd@iea-software.com> Tue, 03 September 2013 01:33 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8C4A21F9E80 for <radext@ietfa.amsl.com>; Mon, 2 Sep 2013 18:33:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eh5snm+hOs3M for <radext@ietfa.amsl.com>; Mon, 2 Sep 2013 18:33:39 -0700 (PDT)
Received: from aspen.internal.iea-software.com (remote.iea-software.com [70.89.142.196]) by ietfa.amsl.com (Postfix) with ESMTP id BE60E21F9E7E for <radext@ietf.org>; Mon, 2 Sep 2013 18:33:39 -0700 (PDT)
Received: from SMURF (unverified [10.0.3.195]) by aspen.internal.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005897512@aspen.internal.iea-software.com>; Mon, 2 Sep 2013 18:33:38 -0700
Date: Mon, 02 Sep 2013 18:33:38 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <5224F3BE.4070902@deployingradius.com>
Message-ID: <alpine.WNT.2.00.1309021811070.2692@SMURF>
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <alpine.WNT.2.00.1308210755460.1748@SMURF> <5224AB2B.7000808@deployingradius.com> <alpine.WNT.2.00.1309020919250.2692@SMURF> <5224F3BE.4070902@deployingradius.com>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2013 01:33:45 -0000

On Mon, 2 Sep 2013, Alan DeKok wrote:

>  Some proxy implementations discarded any attributes which were not in
> the local dictionary.  This idiocy isn't forbidden by the previous RFCs,
> but is finally discouraged by 6929.  It prevents *any* changes to
> RADIUS, which is madness.

>> My opinion there certainly is value in administrative configuration
>> allowing forwarding of unknown attributes.  I encourage all vendors to
>> provide such an option to their customers.

>> Whether this is done or not seems to be orthogonal to the issue of
>> rejecting a known attribute you know to be malformed.

>  No.  A known attribute which uses fields that had previously been
> marked "reserved".  And even if it is malformed, there are ways to deal
> with it.

To be clear the issue is not allocation of reserved fields it is M bit set 
where RFC6929 requires it not be.

>  No.  Vendors still ship equipment which poaches on the standard space. 
> Deployments still rely on those attributes.  Eduroam was running into 
> issues with these attributes in the recent past.  With widely-used, 
> in-support commercial RADIUS servers.

Which vendors still use 241-246?

>> One option in the definition of any long attributes to convey
>> eduroam/SAML data specify how partial content should be handled and
>> allocate new flags to effect inter-packet continuation without changing
>> existing behavior.

>  Where would those "new flags" exist?  In a new attribute format?

Allocation of reserved bits from RFC6929.

>  Creating a brand-new incompatible standard isn't a solution to another
> (allegedly) incompatible standard.

>  For me, it's a simple principle.  Proxies have NO BUSINESS mucking
> around with attributes they don't understand.  If the RADIUS packet is
> well formed, the attributes (understood or not) should be sent onwards.

In this case lack of knowledge is NOT the problem.  The problem is proxies 
KNOWING something is WRONG and being expected to look the other way and 
forward the information on anyway.

regards,
Peter

v2.23.0 | Report a Bug | By Email