IETF Logo Mail Archive

Re: [radext] Extended IDs

"Brian Weis (bew)" <bew@cisco.com> Tue, 12 December 2017 02:39 UTC

Return-Path: <bew@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB05C128E19 for <radext@ietfa.amsl.com>; Mon, 11 Dec 2017 18:39:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id itMagdsxPg8N for <radext@ietfa.amsl.com>; Mon, 11 Dec 2017 18:39:45 -0800 (PST)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF1B11270B4 for <radext@ietf.org>; Mon, 11 Dec 2017 18:39:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6980; q=dns/txt; s=iport; t=1513046384; x=1514255984; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=gIUr4DUhOVD9CbZ96hB7gOISs4kuQW1jtHVhpysubu8=; b=htEERnsVmYF3R7dSlxgPv+HaPtoo86Ls6HV/osAkm/5pYkCjfqrL/Bp+ YB9V6HkwXvYxjnSUweTSPq1xwsoFyIbmsL02jNepKQTBBcCcyLSLlt7pl gnGGxsSrLQ8cFpnPr9RLWlHoaxdnah8EWRIVsf9DpXuadqO3XDP4C0YBk 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AoAgAQQS9a/51dJa1RBgMZAQEBAQEBAQEBAQEBBwEBAQEBgw8vgVonB4N7mSOBfX6WDxSCAQqFOwIahFhBFgEBAQEBAQEBAWsohSIBAQEBAgEjETMSBQsCAQgYAgImAgICMBUQAgQOBYogCKgxgieKbwEBAQEBAQEBAQEBAQEBAQEBAQEBAR2BD4JZgguDPymCTDaEbAEICgEHAhYXCiaCTjGCMgWjEwKVH4IWiiCHMJYxAhEZAYE6ASYCMGFubxVkAYF+glIcgWd4iBiBJIEVAQEB
X-IronPort-AV: E=Sophos;i="5.45,393,1508803200"; d="scan'208";a="42814704"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Dec 2017 02:39:44 +0000
Received: from XCH-RTP-005.cisco.com (xch-rtp-005.cisco.com [64.101.220.145]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id vBC2dhAP022046 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 12 Dec 2017 02:39:44 GMT
Received: from xch-rtp-001.cisco.com (64.101.220.141) by XCH-RTP-005.cisco.com (64.101.220.145) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 11 Dec 2017 21:39:43 -0500
Received: from xch-rtp-001.cisco.com ([64.101.220.141]) by XCH-RTP-001.cisco.com ([64.101.220.141]) with mapi id 15.00.1320.000; Mon, 11 Dec 2017 21:39:42 -0500
From: "Brian Weis (bew)" <bew@cisco.com>
To: Alan DeKok <aland@deployingradius.com>
CC: "radext@ietf.org" <radext@ietf.org>
Thread-Topic: [radext] Extended IDs
Thread-Index: AQHTKHKmN0OvqHUzwEy8+4sqgJSsZaMqo8EAgBUquQCAAAxHAIAADR6A
Date: Tue, 12 Dec 2017 02:39:42 +0000
Message-ID: <1465D072-52D7-4FC3-88A6-E1A97740B753@cisco.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <C50ED086-A344-492B-9782-53FB5A1C0761@cisco.com> <2D707CD0-5C6D-4ABE-9829-820D6145E98F@deployingradius.com>
In-Reply-To: <2D707CD0-5C6D-4ABE-9829-820D6145E98F@deployingradius.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.32.173.230]
Content-Type: text/plain; charset="utf-8"
Content-ID: <620501025AE95045ADCCA54556D86A1E@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/cIBIxKfyiU6-jQyaZUylr9VIvhc>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Dec 2017 02:39:47 -0000

Hi Alan,

> On Dec 11, 2017, at 5:52 PM, Alan DeKok <aland@deployingradius.com> wrote:
> 
> 
>> On Dec 11, 2017, at 8:08 PM, Brian Weis (bew) <bew@cisco.com> wrote:
>> 
>> I’ve read through the latest versions of both drafts, and I do prefer the approach taken in draft-chen-radext-identifier-attr.
>> 
>> From a protocol perspective, the two approaches do not seem very far apart to me. They both seem to do the following. (1) Define a new per-connection attribute as part of a Status-Server message. (2) Specify that a client chooses when to use a larger identifier. (3) Specify that when the server recognizes the “new extended field”, then it is obligated to return the original values of both identity field and the “new extended field”. (4) The server need not have any knowledge as to how the “new extended field” is determined.  (5) If the server does not recognize the new attribute, it ignores it. So in neither case do that the mechanism seem to unduly modify RADIUS.
> 
>  The differences are that the draft-chen proposal effectively modifies the RADIUS header, and that it has the opportunity for "leakage" of extended IDs in the case of error or misconfiguration.

From your comments I see that the point that the draft effectively modifying the RADIUS header is due to requiring that the Extended-Identifier be the first attribute. That seems to be an optimization that does not appear to be necessary, and could be removed to address this point. (I assume either draft would undergo change if it became a WG draft.)

> 
>  My draft has none of these issues.

Regarding leakage, does a proxy normally replace the Request Authenticator field with a new value? (I’m asking for information.)

> 
>> It seems to me that the real difference comes down to how the “new extended field” is carried — either in the new per-connection attribute, or by overloading the Request Identifier. I appreciate the arguments in draft-dekok that indicate that there should not be a problem with overloading, but because overloading protocol fields can carry unexpected risks
> 
>  Risks like... ?
> 
>  I must admit to being a little surprised at the dislike of "overloading" the Request Authenticator field.  As Peter Deacon pointed out, it's already "overloaded" for many, many, other things.
> 
>  Given the existing definition of the Request Authenticator field, it is *impossible* at this time to change how it's calculated.  Similarly, it's impossible to change the meaning of the field for packet signatures.  And, it's impossible to change the usage of the field within other attributes.

I’m missing where draft-chen does any of these things (assuming that the “MUST be first attribute” is removed).

> 
>  So we're left with a field that we cannot change, but we can look at.  What is the risk in looking at it?  What is the risk in echoing it verbatim in a response packet?
> 
>  I understand that saying "we add a 32-bit ID" is conceptually simpler.  But I still don't get where any "risk" or concern with "overloading" of the field comes from.  Some additional explanation would be useful here.
> 
>> my preference is to adopt the explicit approach in draft-chen. With the same thought process I’m a little worried about defining "behavior previously left open to implementation interpretation” (as mentioned in Section 2.1 of draft-dekok). I cannot disagree that it “should" be OK, but the lack of certainly does add some risk.
> 
>  How?
> 
>  The draft goes through exhaustive enumeration of the possibilities.  It shows that the proposal is no worse than existing RADIUS, and in some cases is substantially better.

I appreciate the enumeration, and I’m not implying that you’ve missed any known risk. But so often overloading fields leads to unforeseen results (due to bad assumptions by a developer or future specification writer) and that’s the basis for my concern.

>> However, I also believe that there is a lot of good background and explanatory text in draft-dekok that is valuable and if the working group takes draft-chen as the base then some of this would be valuable to bring that into the draft. This might address some of the concerns that draft-chen is under-specified.
> 
>  I agree.
> 
>  I think a large part of the concern here is due to the background and explanatory text in my document.  i.e. a proposal which describes the risks seems risky.   A proposal which ignores the risks seems less risky.

Personally, I did not find the background and explanatory text to make draft-dekok seem seem more risky. I’m reacting to the overloading, where given similar outcomes I prefer not to introduce additional semantics to an existing field.

Thanks,
Brian

> 
>  But I would still like to understand (a) what the risks are here, and (b) why there's a concern with "overloading" a field that cannot be changed, and is already used for many things.
> 
>  Alan DeKok.
> 

-- 
Brian Weis
Security, CSG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com

v2.23.0 | Report a Bug | By Email