Re: [radext] draft-ietf-opsawg-ucl-acl: User Access Control Group ID RADIUS Attribute

mohamed.boucadair@orange.com Mon, 09 October 2023 07:07 UTC

To: Alan DeKok <aland@deployingradius.com>
CC: "radext@ietf.org" <radext@ietf.org>, opsawg <opsawg@ietf.org>, "draft-ma-opsawg-ucl-acl@ietf.org" <draft-ma-opsawg-ucl-acl@ietf.org>
Date: Mon, 09 Oct 2023 07:06:25 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/YUhQjpQE2wQz6n78IO5nIWynsnE>
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>

Hi Alan, 

Thank you for the review and comments.

We prepared a PR to address these at: https://github.com/boucadair/policy-based-network-acl/pull/18/files

Please note that for this one:  

>   It may be good to give an example packet, but that may also be too
> restrictive.  What should be discussed is what format is used by the
> credentials.  i.e. User-Password or CHAP-Password.  Given other
> discussions and research in RADEXT, it would be good to suggest here
> that User-Password is strongly preferred to the alternatives.

I think that it is better to refer to a RADEXT doc (e.g., Section 7.3 of draft-dekok-radext-deprecating-radius) rather than duplicating the reco in the doc. 

Cheers,
Med

> -----Original Message-----
> From: radext <radext-bounces@ietf.org> On Behalf Of Alan DeKok
> Sent: Tuesday, 26 September 2023 14:37
> To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
> Cc: radext@ietf.org; opsawg <opsawg@ietf.org>; draft-ma-opsawg-ucl-acl@ietf.org
> Subject: Re: [radext] draft-ietf-opsawg-ucl-acl: User Access Control Group ID RADIUS Attribute
> 
> On Sep 26, 2023, at 8:00 AM, mohamed.boucadair@orange.com wrote:
> >
> > Hi RADEXT,
> >
> > FWIW, the document specifies the following new RADIUS attribute:
> >
> > https://boucadair.github.io/policy-based-network-acl/draft-ietf-opsawg-ucl-acl.html#name-user-access-control-group-i
> >
> > Your review of that part of the spec is appreciated.
> 
>   My $0.02 as someone jumping on these kinds of things.  Mostly nits.
> 
> > The value fields of the Attribute are encoded in clear and not encrypted as, for example, Tunnel-Password Attribute [RFC2868].
> 
>   This text isn't necessary and can be omitted.
> 
> > The User-Access-Group-ID Attribute MAY appear in a RADIUS Accounting-Request packet.
> 
>   What is the interpretation of the attribute there?
> 
>   i.e. in Access-Request, it's a hint / request.  In
> Accounting-Request, it means... ?
> 
>   I think the requirement here is that if the User-Access-Group-ID
> attribute appears in an Accounting-Request packet, it MUST have the
> same value as given in the Access-Accept.
> 
>   That is, the value in Accounting-Request is an acknowledgment by the
> NAS that it has received the attribute in the Access-Request, and is
> enforcing that policy.
> 
> > The User-Access-Group-ID Attribute is structured as follows:
> 
>   I would suggest following the attribute definition format suggested
> in 8044:
> https://www.rfc-editor.org/rfc/rfc8044#section-2.1.3
> 
>   It's only a minor change from what is there now.  Add a "data type"
> field, and remove the "extended type" field.
> 
> > The User-Access-Group-ID Attribute is associated with the following identifier: 241.TBA1.
> 
>   This text isn't necessary and can be omitted.  Just leave a "TBD" in
> the Type field as recommended by 8044.
> 
> > The following table provides a guide as what type of RADIUS packets that may contain User-Access-Group-ID Attribute, and in what quantity.
> 
>   It's not necessary to list the attribute number here.  Just omit
> that column.  Identifying the attribute by name is enough.
> 
>   I'll also note that this table allows for multiple copies of the
> attribute to exist (i.e. "0+").  The rest of the text in the section
> doesn't mention that more than one attribute is allowed.  The text
> should be updated to explain what that means.
> 
>   Perhaps something like "If more than one copy of the
> User-Access-Group-ID attribute appears in an Access-Accept packet, it
> means that the user is a member of all of those groups."
> 
>   I haven't taken a detailed look at the rest of the document, but
> this text in Section 4.1 jumped out at me:
> 
> > Step 3: The authentication request is then relayed to the AAA server using a protocol such as RADIUS [RFC2865]. It is assumed that the AAA server has been appropriately configured to store user credentials, e.g., user name, password, group information and other user attributes.
> 
>   It may be good to give an example packet, but that may also be too
> restrictive.  What should be discussed is what format is used by the
> credentials.  i.e. User-Password or CHAP-Password.  Given other
> discussions and research in RADEXT, it would be good to suggest here
> that User-Password is strongly preferred to the alternatives.
> 
>   For anyone interested in the underlying reasons, there is a long
> discussion of this topic in
> https://datatracker.ietf.org/doc/html/draft-dekok-radext-deprecating-radius-03#section-7.3
> 
>   Alan DeKok.
> 