Re: [radext] Server identity and RFC7585bis
Jan-Frederik Rieckers <rieckers@dfn.de> Fri, 12 April 2024 08:55 UTC
Return-Path: <rieckers@dfn.de>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0277FC14F5FB for <radext@ietfa.amsl.com>; Fri, 12 Apr 2024 01:55:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id adkvWBukjfKM for <radext@ietfa.amsl.com>; Fri, 12 Apr 2024 01:55:21 -0700 (PDT)
Received: from a1004.mx.srv.dfn.de (a1004.mx.srv.dfn.de [194.95.233.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EB48C14F604 for <radext@ietf.org>; Fri, 12 Apr 2024 01:55:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:in-reply-to:organization:from:from :content-language:references:subject:subject:user-agent :mime-version:date:date:message-id:received; s=s1; t=1712912116; x=1714726517; bh=RtQF0gknFkJ9ZsXiT3X23M3q85NIWO/4MNrpVzu4AE4=; b= ONml1No13JwRWPtUtT36im1CHq6pG232qXDu1S+t5500rOhv5FZ/L0T83AiUhyM8 PwWN198J0iw6W1C/XIaTB1BSpBYbcA0WK3Y5vgd27Bh4je+cyf/qzpt0DQhcq9yi jzcdCycKu8ZLy3mbBT7sdPF1Blfc0w67Nf2Cm0G3JPo=
Received: from mail.dfn.de (mail.dfn.de [194.95.245.150]) by a1004.mx.srv.dfn.de (Postfix) with ESMTPS id 9739A2000E7 for <radext@ietf.org>; Fri, 12 Apr 2024 10:55:16 +0200 (CEST)
Received: from [10.100.252.162] (airoserv.dfn.de [192.76.176.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.in.dfn.de (Postfix) with ESMTPSA id 7B07D3D6 for <radext@ietf.org>; Fri, 12 Apr 2024 10:55:16 +0200 (CEST)
Message-ID: <68d3f64a-e5ae-456c-90f6-5854dbffaa91@dfn.de>
Date: Fri, 12 Apr 2024 10:55:15 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: radext@ietf.org
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <18ef8267-474e-49ae-9204-0c6c79d5e50c@dfn.de> <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de> <PH0PR11MB5928CD1EB7DBD5349EB84055D2062@PH0PR11MB5928.namprd11.prod.outlook.com> <6c93c523-d4de-47cb-b87d-e18275939355@dfn.de> <PH0PR11MB59288D2199678633E63F9E4BD2052@PH0PR11MB5928.namprd11.prod.outlook.com>
Content-Language: en-US
From: Jan-Frederik Rieckers <rieckers@dfn.de>
X-Enigmail-Draft-Status: N11222
Organization: DFN e.V.
In-Reply-To: <PH0PR11MB59288D2199678633E63F9E4BD2052@PH0PR11MB5928.namprd11.prod.outlook.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms020005060908050600080204"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/_0InZXpwxdfD7hSeVY1BVDzEcSc>
Subject: Re: [radext] Server identity and RFC7585bis
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 08:55:27 -0000
Hi Mark, Thanks for your explanation. Unfortunately, I'm still a bit in the dark here, what the error condition is, what causes the error and where we could fix that. To me the problem (or the solution) seems pretty straight-forward, but I fear I'm missing something here. What would the "other open sessions" be? From my understanding, if the discovery yielded different servers, they switch to the new server and the connections to the old servers eventually run into the timeout. But if other sessions are still open, then either they are also configured dynamically (and therefore the DNS records for the second domain can just be changed) or it is configured statically, and then the problem isn't really with RFC7585. If you could give an example playbook which server (or admin) does what at what time and what the actual and expected outcome would be, that would help me a lot to understand it. Cheers, Janfred On 11.04.24 15:50, Mark Grayson (mgrayson) wrote: > Hi Janfred > > 7585 has the following > > To allow for a change of > > configuration, a RADIUS server SHOULD re-execute the discovery > > algorithm after the Effective TTL that is associated with this > > connection has expired. The server SHOULD keep the session open > > during this reassessment to avoid closure and immediate reopening of > > the connection should the result not have changed. > > This seems to miss when the existing session should be closed, only > covering when it > > should be kept open. It sort of implies that the connection should be > closed if the > > discovered host has changed configuration. But that seems to miss the > possibility that > > the existing connection may be supporting other open sessions. > > Cheers, > > Mark > > *From: *radext <radext-bounces@ietf.org> on behalf of Jan-Frederik > Rieckers <rieckers@dfn.de> > *Date: *Thursday, 11 April 2024 at 13:09 > *To: *radext@ietf.org <radext@ietf.org> > *Subject: *Re: [radext] Server identity and RFC7585bis > > Hi Mark, > > could you provide an example scenario for this? I can't really picture it. > > My naïve understanding is that to phase a server out, you change the SRV > records to point to a different server, then there should be a timeout > for the dynamic lookup, and once this timeout triggers and the proxy > gets the new server, it should redirect all traffic to the new and the > old shouldn't see any traffic any more. > > If it's something that is missing from RFC7585, then this might be > another argument why we should work on a 7585bis document. > > Cheers, > Janfred > > On 10.04.24 09:58, Mark Grayson (mgrayson) wrote: >> As it relates to 7585, WBA recently had to clarify the same in terms of >> cache TTL, >> >> but also recommendation on maximum TCP lifetime for dynamic connections: >> >> there are some scenarios where significant traffic between access providers >> >> and identity providers means any idle timeout is never triggered and the >> >> dynamic connection becomes persistent, which then prevents the identity >> >> provider from gracefully terminating connections on an old server instance. >> >> * M > > -- > Herr Jan-Frederik Rieckers > Security, Trust & Identity Services > > E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370 > Pronomen: er/sein | Pronouns: he/him > __________________________________________________________________________________ > > DFN - Deutsches Forschungsnetz | German National Research and Education > Network > Verein zur Förderung eines Deutschen Forschungsnetzes e.V. > Alexanderplatz 1 | 10178 Berlin > https://www.dfn.de <https://www.dfn.de> > > Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | > Christian Zens > Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch > VR AG Charlottenburg 7729B | USt.-ID. DE 136623822 > -- Herr Jan-Frederik Rieckers Security, Trust & Identity Services E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370 Pronomen: er/sein | Pronouns: he/him __________________________________________________________________________________ DFN - Deutsches Forschungsnetz | German National Research and Education Network Verein zur Förderung eines Deutschen Forschungsnetzes e.V. Alexanderplatz 1 | 10178 Berlin https://www.dfn.de Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian Zens Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch VR AG Charlottenburg 7729B | USt.-ID. DE 136623822
- [radext] Review of draft-ietf-radext-radiusdtls Alan DeKok
- Re: [radext] Review of draft-ietf-radext-radiusdt… Fabian Mauchle
- [radext] Certficate and certificate chain selecti… Heikki Vatiainen
- Re: [radext] Review of draft-ietf-radext-radiusdt… Jan-Frederik Rieckers
- [radext] RADIUS/(D)TLS port usage (was: Review of… Jan-Frederik Rieckers
- Re: [radext] Certficate and certificate chain sel… Alan DeKok
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Alan DeKok
- Re: [radext] Review of draft-ietf-radext-radiusdt… Jan-Frederik Rieckers
- Re: [radext] Review of draft-ietf-radext-radiusdt… Fabian Mauchle
- Re: [radext] Server identity and RFC7585bis (was:… Mark Grayson (mgrayson)
- [radext] Accounting and Protocol-Error (was: Revi… Jan-Frederik Rieckers
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Michael Richardson
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Alan DeKok
- [radext] Server identity and RFC7585bis (was: Rev… Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis (was:… Michael Richardson
- Re: [radext] Server identity and RFC7585bis (was:… Alexander Clouter
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Michael Richardson
- Re: [radext] Server identity and RFC7585bis (was:… Alexander Clouter
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Stephen Farrell
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis (was:… Alan DeKok
- Re: [radext] Server identity and RFC7585bis Stephen Farrell
- Re: [radext] Server identity and RFC7585bis (was:… Alan DeKok
- Re: [radext] Server identity and RFC7585bis Mark Grayson (mgrayson)
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Alexander Clouter
- Re: [radext] Server identity and RFC7585bis Alan DeKok
- Re: [radext] Server identity and RFC7585bis Michael Richardson
- Re: [radext] Server identity and RFC7585bis Alan DeKok
- Re: [radext] Server identity in RADIUS/(D)TLS-bis Jan-Frederik Rieckers
- Re: [radext] Accounting and Protocol-Error (was: … Alan DeKok
- Re: [radext] Server identity in RADIUS/(D)TLS-bis Alan DeKok
- Re: [radext] Server identity and RFC7585bis Fabian Mauchle
- Re: [radext] Session closure in DTLS (was: Review… Jan-Frederik Rieckers
- Re: [radext] Session closure in DTLS (was: Review… Alan DeKok
- Re: [radext] Session closure in DTLS Fabian Mauchle
- Re: [radext] Session closure in DTLS Alan DeKok