Re: [radext] Meeting laundry list
Peter Deacon <peterd@iea-software.com> Tue, 19 March 2013 15:14 UTC
Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E21A221F8667 for <radext@ietfa.amsl.com>; Tue, 19 Mar 2013 08:14:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JpUSOyhrfqLx for <radext@ietfa.amsl.com>; Tue, 19 Mar 2013 08:14:05 -0700 (PDT)
Received: from aspen.internal.iea-software.com (remote.iea-software.com [70.89.142.196]) by ietfa.amsl.com (Postfix) with ESMTP id 280F621F8628 for <radext@ietf.org>; Tue, 19 Mar 2013 08:14:05 -0700 (PDT)
Received: from SMURF (unverified [10.0.3.195]) by aspen.internal.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005875594@aspen.internal.iea-software.com>; Tue, 19 Mar 2013 08:14:04 -0700
Date: Tue, 19 Mar 2013 08:13:57 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Stefan Winter <stefan.winter@restena.lu>
In-Reply-To: <514824E0.1000506@restena.lu>
Message-ID: <alpine.WNT.2.00.1303190718130.2600@SMURF>
References: <alpine.WNT.2.00.1303130928300.1880@littlesmurf> <514824E0.1000506@restena.lu>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: radext@ietf.org
Subject: Re: [radext] Meeting laundry list
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 15:14:06 -0000
On Tue, 19 Mar 2013, Stefan Winter wrote:
>> We have had a trivial proxy loop detection system in production in our
>> implementations for several years. It works on the assumption any
>> request the same proxy system sees again completes a cycle.
>> In our implementation a systems identifier is embedded in the proxy
>> state attribute. When a request for proxy is received we check for
>> matching system identifier in the current stack of proxy states and drop
>> the request if one is found.
> Many of those who implement loop checking in eduroam do similarly: they
> use their own VSA space to
> * in incoming packets, check for presence of their VSA like
> "Processed-By: my.ip.ad.dr" (or other halfways unique ID)
> * If found, discard and log loop
> * if not found, add "Processed-By: my.ip.ad.dr" (or other halfways
> unique ID) and process packet
> That's simple and straightforward indeed. The problem I have is that
> such a behaviour is not specified anywhere, and doesn't have its own
> attribute.
> You overload Proxy-State; which is fine if you don't need it for
> anything else.
I don't know that "overload" is applicable in this context or why it
couldn't be used for multiple purposes concurrently.
Proxy-State is defined as an opaque field. Its purpose is left
intentionally out of scope RFC2865 5.33
" Usage of the Proxy-State Attribute is implementation dependent. A
description of its function is outside the scope of this
specification.
"
> I don't really care if that use of Proxy-State gets standardised, or if
> a new attribute is chosen. But having one deterministic way of doing
> things, along with a document which explains the how and why, instead of
> everyone doing his own variant on its own, is a GoodThing(tm) IMHO.
We don't really know generally what constitutes a "loop" or granularity of
the system box (Parts of one server or entire groups of servers).
Messages may be able to loop back for another round of processing after
being sent outside the admin domain.
Seems easy enough to create one-off solutions yet very difficult to solve
generally.
Perhaps some general guidance or blunt tools like TTLs on stack of
proxy-states.
regards,
Peter
- [radext] Meeting laundry list Peter Deacon
- Re: [radext] Meeting laundry list Alan DeKok
- Re: [radext] Meeting laundry list Stefan Winter
- Re: [radext] Meeting laundry list Peter Deacon
- Re: [radext] Meeting laundry list Alan DeKok
- Re: [radext] Meeting laundry list Stefan Winter