Re: [radext] Server identity and RFC7585bis

"Mark Grayson (mgrayson)" <mgrayson@cisco.com> Thu, 11 April 2024 13:52 UTC

From: "Mark Grayson (mgrayson)" <mgrayson@cisco.com>
To: Jan-Frederik Rieckers <rieckers@dfn.de>, "radext@ietf.org" <radext@ietf.org>
Date: Thu, 11 Apr 2024 13:50:52 +0000
Message-ID: <PH0PR11MB59288D2199678633E63F9E4BD2052@PH0PR11MB5928.namprd11.prod.outlook.com>
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <18ef8267-474e-49ae-9204-0c6c79d5e50c@dfn.de> <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de> <PH0PR11MB5928CD1EB7DBD5349EB84055D2062@PH0PR11MB5928.namprd11.prod.outlook.com> <6c93c523-d4de-47cb-b87d-e18275939355@dfn.de>
In-Reply-To: <6c93c523-d4de-47cb-b87d-e18275939355@dfn.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/YzCUCmB6hQHbeyZ6t0-s4DyvOVw>
Subject: Re: [radext] Server identity and RFC7585bis
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>

Hi Janfred

7585 has the following

To allow for a change of
configuration, a RADIUS server SHOULD re-execute the discovery
algorithm after the Effective TTL that is associated with this
connection has expired.  The server SHOULD keep the session open
during this reassessment to avoid closure and immediate reopening of
the connection should the result not have changed.

This seems to miss when the existing session should be closed, only covering when it
should be kept open. It sort of implies that the connection should be closed if the
discovered host has changed configuration. But that seems to miss the possibility that
the existing connection may be supporting other open sessions.

Cheers,
Mark

From: radext <radext-bounces@ietf.org> on behalf of Jan-Frederik Rieckers <rieckers@dfn.de>
Date: Thursday, 11 April 2024 at 13:09
To: radext@ietf.org <radext@ietf.org>
Subject: Re: [radext] Server identity and RFC7585bis
Hi Mark,

could you provide an example scenario for this? I can't really picture it.

My naïve understanding is that to phase a server out, you change the SRV
records to point to a different server, then there should be a timeout
for the dynamic lookup, and once this timeout triggers and the proxy
gets the new server, it should redirect all traffic to the new and the
old shouldn't see any traffic any more.

If it's something that is missing from RFC7585, then this might be
another argument why we should work on a 7585bis document.

Cheers,
Janfred

On 10.04.24 09:58, Mark Grayson (mgrayson) wrote:
> As it relates to 7585, WBA recently had to clarify the same in terms of
> cache TTL, but also recommendation on maximum TCP lifetime for dynamic
> connections: there are some scenarios where significant traffic between
> access providers and identity providers means any idle timeout is never
> triggered and the dynamic connection becomes persistent, which then
> prevents the identity provider from gracefully terminating connections on
> an old server instance.
>
> M

--
Herr Jan-Frederik Rieckers
Security, Trust & Identity Services

E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de

Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser |
Christian Zens
Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729B | USt.-ID. DE 136623822
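As an added example, not code from RFC 7585, from this thread, or from any RADIUS implementation: a toy connection manager that follows the RFC 7585 text quoted above (re-run discovery after the Effective TTL, keep the connection open when the answer is unchanged) and fills in the case the thread says the RFC leaves open, namely what to do with a connection that still carries sessions when the discovered target changes. It drains such a connection (no new sessions, close after the last one ends) instead of cutting it, and it goes one step beyond the RFC text by also rotating a busy connection once a configurable maximum lifetime is reached, the WBA-style recommendation mentioned in the quoted message. The `resolve` callback (standing in for the NAPTR/SRV lookup), the realm, host names, TTL and lifetime values are constructed assumptions for the example; nothing here is a prescribed value.

```python
# Added example: RFC 7585-style dynamic discovery with a drain-on-change policy.
# `resolve` is a constructed stub for the NAPTR/SRV lookup; it returns a
# (Target, effective_ttl_seconds) pair.  All values below are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Target:
    host: str
    port: int


@dataclass
class Connection:
    target: Target
    opened_at: float
    active_sessions: set = field(default_factory=set)
    draining: bool = False   # takes no new sessions; closed once the last one ends
    closed: bool = False


class DiscoveryConnectionManager:
    def __init__(self, resolve, max_lifetime):
        self.resolve = resolve            # realm -> (Target, effective TTL in seconds)
        self.max_lifetime = max_lifetime  # rotate a connection after this many seconds
        self.current = {}                 # realm -> Connection accepting new sessions
        self.draining = {}                # realm -> [Connection] still carrying old sessions
        self.recheck_at = {}              # realm -> time at which discovery must re-run
        self.closed = []                  # connections closed so far, in order

    def _open(self, realm, target, now):
        conn = Connection(target=target, opened_at=now)
        self.current[realm] = conn
        return conn

    def _close(self, conn):
        conn.closed = True
        self.closed.append(conn)

    def _retire(self, realm):
        """Stop routing new sessions to the current connection; keep it for open ones."""
        old = self.current.pop(realm, None)
        if old is None:
            return
        old.draining = True
        if old.active_sessions:
            self.draining.setdefault(realm, []).append(old)
        else:
            self._close(old)              # nothing in flight: close immediately

    def _rediscover(self, realm, now):
        target, ttl = self.resolve(realm)
        self.recheck_at[realm] = now + ttl
        cur = self.current.get(realm)
        if cur is not None and cur.target == target:
            return cur                    # unchanged result: keep the session open
        self._retire(realm)               # changed result: drain old, open new
        return self._open(realm, target, now)

    def start_session(self, realm, session_id, now):
        cur = self.current.get(realm)
        if cur is None or now >= self.recheck_at.get(realm, 0.0):
            cur = self._rediscover(realm, now)
        if now - cur.opened_at >= self.max_lifetime:
            # A busy connection never hits an idle timeout; rotate it so the
            # old server instance can still be drained gracefully.
            self._retire(realm)
            cur = self._open(realm, cur.target, now)
        cur.active_sessions.add(session_id)
        return cur

    def end_session(self, realm, session_id):
        candidates = [self.current.get(realm)] + self.draining.get(realm, [])
        for conn in candidates:
            if conn is not None and session_id in conn.active_sessions:
                conn.active_sessions.discard(session_id)
                if conn.draining and not conn.active_sessions:
                    self.draining[realm].remove(conn)
                    self._close(conn)
                return conn
        raise KeyError(session_id)


def demo():
    """Constructed scenario: the IdP repoints its SRV record while sessions are open."""
    answer = {"target": Target("idp-old.example.net", 2083), "ttl": 60.0}
    mgr = DiscoveryConnectionManager(lambda realm: (answer["target"], answer["ttl"]),
                                     max_lifetime=3600.0)
    c1 = mgr.start_session("example.net", "s1", now=0.0)
    c2 = mgr.start_session("example.net", "s2", now=61.0)     # TTL expired, same answer
    answer["target"] = Target("idp-new.example.net", 2083)     # operator moves the realm
    c3 = mgr.start_session("example.net", "s3", now=122.0)    # TTL expired, new answer
    mgr.end_session("example.net", "s1")
    still_open_after_first = not c1.closed
    mgr.end_session("example.net", "s2")
    return {
        "kept_on_unchanged": c1 is c2,
        "switched_on_change": c3 is not c1 and c3.target.host == "idp-new.example.net",
        "old_drained_not_cut": c1.draining and still_open_after_first,
        "old_closed_after_last_session": c1.closed,
    }


if __name__ == "__main__":
    print(demo())
```

The policy split is deliberate: `_rediscover` only decides whether the target changed, and `_retire` owns the lifecycle of the old connection, so a proxy can change the drain rule (immediate close, bounded drain time, per-session migration) without touching the discovery logic.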