[radext] Re: Review of draft-janfred-radext-radius-congestion-control-01

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 23 April 2026 14:12 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/YJopFWRtbMBtXBXlGWP-h7PMI8A>

Alan DeKok <alan.dekok=40inkbridge.io@dmarc.ietf.org> wrote:
    >   The main problem with federated environments is that there's a strong
    > push for complete anonymization, which makes blocking extremely
    > difficult.

If end systems had asymmetric crypto based credentials, then I could
envision distributing a Bloom filter of public key hashes that bear further
evaluation.  How that would work, I'm not sure exactly.

But, AFAIK, federations like eduroam leave it up to the supplicant and
backend authenticator to do whatever inner EAP method they want.  So the
authenticator does not get to see that part, so can't do any kind of per-user
rate limiting.  All that is visible is the outer EAP's NAI.

This seems like a big deal, and something worth fixing, even if it takes a
long time to deploy.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
]       My working hours and your working hours may be different.            [
]  Please do not feel obligated to reply outside your normal working hours   [
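
Added example, not part of the original message or of the draft: a sketch of the Bloom filter of public key hashes mentioned above, in which a filter hit means "evaluate further" rather than "block", because Bloom filters produce false positives but never false negatives. The filter size, the number of hash functions, the use of SHA-256 with double hashing, the `triage` helper and the sample keys are all assumptions made for illustration.

```python
import hashlib

class KeyHashBloom:
    """Bloom filter over SHA-256 hashes of public keys (sizes are assumptions)."""
    def __init__(self, m_bits=4096, k=5):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, pubkey: bytes):
        # Double hashing: derive k bit indexes from one digest of the key.
        d = hashlib.sha256(pubkey).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # forced odd, so never zero
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, pubkey: bytes):
        for p in self._positions(pubkey):
            self.bits[p // 8] |= 1 << (p % 8)

    def maybe_contains(self, pubkey: bytes) -> bool:
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(pubkey))

    def serialize(self) -> bytes:
        # Only the bit array is distributed; no key or key hash leaves the origin.
        return bytes(self.bits)

    @classmethod
    def deserialize(cls, blob: bytes, k=5):
        f = cls(len(blob) * 8, k)
        f.bits = bytearray(blob)
        return f

def triage(bloom, pubkey: bytes) -> str:
    # A hit is only "possibly listed", so escalate instead of rejecting outright.
    return "evaluate-further" if bloom.maybe_contains(pubkey) else "pass"

# Constructed sample keys (placeholders, not real credentials).
FLAGGED = [b"constructed-pubkey-%d" % i for i in range(50)]
UNLISTED = [b"constructed-other-%d" % i for i in range(1000)]

def demo():
    origin = KeyHashBloom()
    for key in FLAGGED:
        origin.add(key)
    received = KeyHashBloom.deserialize(origin.serialize())  # as a peer would load it
    hits = sum(triage(received, k) == "evaluate-further" for k in FLAGGED)
    false_pos = sum(triage(received, k) == "evaluate-further" for k in UNLISTED)
    return hits, false_pos

if __name__ == "__main__":
    print(demo())
```
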