IETF Logo Mail Archive

Re: [radext] Extended IDs

Stig Venaas <stig@venaas.com> Mon, 04 December 2017 18:48 UTC

Return-Path: <stig@venaas.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41F3C128891 for <radext@ietfa.amsl.com>; Mon, 4 Dec 2017 10:48:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=venaas-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tCskmoo4QIcT for <radext@ietfa.amsl.com>; Mon, 4 Dec 2017 10:48:54 -0800 (PST)
Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 260E61287A3 for <radext@ietf.org>; Mon, 4 Dec 2017 10:48:54 -0800 (PST)
Received: by mail-qt0-x235.google.com with SMTP id i40so23422563qti.8 for <radext@ietf.org>; Mon, 04 Dec 2017 10:48:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=venaas-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=K9WoO3KkLsV5RiU7sbBClBBo99fWjIWPKNdLM2v7sqA=; b=cGARINs+dRjnCsGZvqN1QeZGhyXdGBvfuLp0Bqdy9+OuOfA4da/o52ttDWi8OnOTpP bSL5brcolACFaBeQ5Aq0ZITwvelJ6FESIE/0ath/MwX/VJEb3TC0V5cxiZR59uYLdis9 h1xpLuycfjo58Jb9zzO7NhbMz0cC9u3T5Skv0HCMWbqVuXJenY/0p/NQoF7Pjm32wMnv Cxsc5L6DGw8OTlV7JeMtrskN0jODn8enZY2ejUtw/3JRVtoiYR7Byhc8uempmZaQEFVQ DOHrGDISOv1lVCMZI5iratMjYqYycwoqsad+/FC34gHVooFyDirahnRTO9uvfS2bgPxu Deag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=K9WoO3KkLsV5RiU7sbBClBBo99fWjIWPKNdLM2v7sqA=; b=YsQrkr9ei0+DV0kLJdz15sR0AAYeDJZXXd7a/W4J25Xmz8dwIZxaabYE23D84/0GuE xxJBW2skpAHqa4jrdgxEpVeOf4mkdeVHTufDY/Xnib+17gEmTTvxXT+lFJkOJvqLtvwg 0YAQIVsPUEzSmKf8iGQnVeDu8rVK7K5by56dyjkmjw23ZkrsHtiI/voGuj+E4xI2xIUU RrHtOcgeFMVbcBCKkG+xNpoa4GHHkcvS+62xjgr3yHz73O+xAaVJ9zSXFPng1ivzs83X uqSnXnNYHyna0dyuCqRvqirP6MQUK5CaABHWgSTlCGv9rX/M21vKam95hsppUypStRCt NBXg==
X-Gm-Message-State: AKGB3mL2R+TVLwpY7adlabFQ3Nz4G8a/IliC6/x3Ut9d4D86rX9gAh6T +MFPJq/AqfVV6j4XHj5gnM2gZlvbiLhoHDi1ZXhxpg==
X-Google-Smtp-Source: AGs4zMZokWyrPR1km2jPHuH7W4PHLM56RgXKvrsS1l/h/wBiZGt2RGePrhZCjETLoUyuozVcoeYWhtF9TtGHnJtR6Lo=
X-Received: by 10.200.56.34 with SMTP id q31mr8850qtb.64.1512413333108; Mon, 04 Dec 2017 10:48:53 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.20.81 with HTTP; Mon, 4 Dec 2017 10:48:52 -0800 (PST)
In-Reply-To: <8C4CACF8-3940-4209-B44F-C501DAE945CA@deployingradius.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <alpine.WNT.2.21.1.1712022028110.2252@smurf> <8C4CACF8-3940-4209-B44F-C501DAE945CA@deployingradius.com>
From: Stig Venaas <stig@venaas.com>
Date: Mon, 04 Dec 2017 10:48:52 -0800
Message-ID: <CAHANBtJnDhfgP4-2eRK7J8SDPZDeSc3X8TBd==fNTsSP5yy3Pw@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Peter Deacon <peterd@iea-software.com>, Winter Stefan <stefan.winter@restena.lu>, radext@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/bmXk9CAUfyqNDEEZLrO5S6bydW4>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Dec 2017 18:48:56 -0000

I prefer draft-chen-radext-identifier-attr-02. While both approaches
can work, I prefer not to overload the RA.

The draft needs some more work, but I believe it is ready for adoption.

Stig


On Sun, Dec 3, 2017 at 6:18 AM, Alan DeKok <aland@deployingradius.com> wrote:
> On Dec 3, 2017, at 3:22 AM, Peter Deacon <peterd@iea-software.com> wrote:
>> draft-dekok-radext-request-authenticator-02
>>
>> This approach also makes sense conceptually and seems to be marginally easier to manage.  No changes to request attributes, no worry about dynamic auth req and no sequence counter to maintain when generating ORA response.
>
>   That was a major goal in the design.
>
>> This approach offers a small benefit ORA response always unambiguously correlated with requesting peer avoiding possibility of (C.) behavior in proxy chains.
>
>   It does have the possibility of a server sending the ORA attribute back in a response when it's not supposed to.  In that case, an old-style proxy *could* forward that attribute downstream.  We then have two cases:
>
> - the downstream proxy / client doesn't implement the draft, in which case the attribute is ignored
>
> - the downstream proxy / client does implement the draft, but hasn't negotiated it with the upstream (which doesn't implement it), and therefore the attribute is ignored.
>
>   So the change is compatible with existing servers for all possible scenarios.
>
>> I don't agree with client behavior when ORA is expected yet missing.  The response should always be to silently ignore request.  Certainly mandatory fallback mechanism for static configuration is going way too far in dictating behavior / controlling operator preference.
>
>   That's certainly a good option.  I tried to cover all possible scenarios in the draft, with recommended behaviour.  But I'm open to changing the recommendations.
>
>> Wouldn't count on those who elect to implement a mechanism like this to also spend too much time working viable scalable connection management to provide useful interop with servers that don't support ORA otherwise to be honest likely wouldn't be much point in implementing this draft in the first place.  In my view it should not be assumed fallback is harmless or even a viable option.
>
>   I'm happy with that.
>
>   i.e. if the server sends bad packets, the client should ignore them.
>
>   Alan DeKok.
>
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email