[radext] Re: Review of draft-janfred-radext-radius-congestion-control-01
Michael Richardson <mcr+ietf@sandelman.ca> Mon, 27 April 2026 04:29 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: radext@mail2.ietf.org
Delivered-To: radext@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 17295E3AB49B for <radext@mail2.ietf.org>; Sun, 26 Apr 2026 21:29:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777264194; bh=hJIb+JQhJqDMFuFia/73d0Hg0NtjePdVMOYo5wt177M=; h=From:To:Subject:In-Reply-To:References:Date; b=xNoHm5xcIX/F31HrSIAoo56N13AjjmKvjVWrI1CqMzrS7wdseSJEBnNgPVDBiJ3c8 lN7aWeqErstIVqPVOqt/nlO4zygCKdnkx5aYCu7TjMBsrS1hoZtWo8gy9OFT0jQjeO SpLwV3N2uiKirJY7xb77g4HIx5t+FK09K2QqqePw=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b80JbKwhXkbz for <radext@mail2.ietf.org>; Sun, 26 Apr 2026 21:29:53 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id ABB5EE3AB493 for <radext@ietf.org>; Sun, 26 Apr 2026 21:29:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 3533B18011; Mon, 27 Apr 2026 00:29:53 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavis, port 10024) with LMTP id yKP1n4eorkhi; Mon, 27 Apr 2026 00:29:51 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1777264191; bh=+ikcAv9L63bYhoRigCsUJWFCfLdTR44FAiVBEP3Jw50=; h=From:To:Subject:In-Reply-To:References:Date:From; b=SrUG+mzYTqwXDeXYR93ZgNr8i/E21P+p31ojbq4ARZnNirajc64uAz8azCNsJKqIu rf6BVEfQwIYdkvSSSjicuLm0XIEeD2/xD4F0p4zte1kZP9Mm60bZLQyJZS4KU2vuJf 1CKCOydFAbYdK6qLC/mNzaPTcOTT1yb+5QNhUMIUXM35MYfhbLTeferOgIezD/3v6z JYn/6LGD25Og7rcGPjjw8JcMYJ2+rm7AhvBnfc5dwEZ/anGH/007JptcVasUoL/GkD VeGEJ+pWEW4hcd4I+2+p2oZHFkTwBnAxS8Mq1ZBpvJIucA59kikidW4WoUp+5p23GC hzuVMSFqnKYrA==
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id C5E1218010; Mon, 27 Apr 2026 00:29:51 -0400 (EDT)
Received: from obiwan.sandelman.ca (obiwan.sandelman.ca [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id C220F182; Mon, 27 Apr 2026 00:29:51 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Alan DeKok <alan.dekok@inkbridge.io>, "radext@ietf.org" <radext@ietf.org>
In-Reply-To: <A4B94C08-C92D-4FB4-A736-2EF2AF0DB86D@inkbridge.io>
References: <BYAPR11MB37689872340FFF3C092140E0CC2C2@BYAPR11MB3768.namprd11.prod.outlook.com> <D2814CEE-D70F-4AED-B3FB-7DC747F780D9@inkbridge.io> <BYAPR11MB37683B78B0748256A547A960CC2D2@BYAPR11MB3768.namprd11.prod.outlook.com> <9A8C93DD-2B42-4229-B055-94F5B57ADCE7@inkbridge.io> <26881.1776953534@obiwan.sandelman.ca> <A4B94C08-C92D-4FB4-A736-2EF2AF0DB86D@inkbridge.io>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; Emacs 30.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;<'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 27 Apr 2026 00:29:51 -0400
Message-ID: <9342.1777264191@obiwan.sandelman.ca>
Message-ID-Hash: CYB4WGQBB3WX3UECBKETUAHDX6OVSOR3
X-Message-ID-Hash: CYB4WGQBB3WX3UECBKETUAHDX6OVSOR3
X-MailFrom: mcr+ietf@sandelman.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [radext] Re: Review of draft-janfred-radext-radius-congestion-control-01
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/dI0heksICZJMjSF-v_4vHJb-Ddo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
Alan DeKok <alan.dekok@inkbridge.io> wrote:
>> This seems like a big deal, and something worth fixing, even if it
>> takes a long time to deploy.
> There as similar issues with EAP-PPT.
> When a user has complete anonymity in a roaming environment, there is
> substantial potential for abuse.
> It's likely impossible to satisfy both the user desire for anonymity,
> and the local administrations desire to prevent abuse.
Do users successfully login, or is it high-speed endless failures that we are
trying to protect against?
> So the question then becomes, what can we do about it?
The *notions* I have involve:
1) getting a per-authenticator unique token back when users successfully
login. At the RADIUS layer.
Supplicants also get a copy of this (inside the EAP inner layer) token.
They can include that in their subsequent EAP outer layers, which gets
them "faster" service.
This just creates some new level of service, allowing anything *not*
in that level to be more aggressively policed/traffic engineered.
2) having some kind of protocol that runs BEFORE the EAP Inner, over RADIUS,
that provides some kind of pre-authorization.
> I suspect that administrators will err on the side of safety.
> i.e. If someone @example.com is abusing the local network. the safest
> and simplest thing to do is to ban all users @example.com.
okay, but if it's no-longer-a-student@higher.edu, then it's just penalizing
other higher.edu users... and since the login does not succeed, if this
causes a ban, then someone annoyed with higher.edu can get them all banned.
> Those users can then complain to their administrator, who will
> (presumably) deal with the issue out of band.
But, what can that admin do?
--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
** My working hours and your working hours may be different. **
** Please do not feel obligated to reply outside your normal working hours **
- [radext] Review of draft-janfred-radext-radius-co… Premanand Seralathan (pseralat)
- [radext] Re: Review of draft-janfred-radext-radiu… Alan DeKok
- [radext] Re: Review of draft-janfred-radext-radiu… Premanand Seralathan (pseralat)
- [radext] Re: Review of draft-janfred-radext-radiu… Alan DeKok
- [radext] Re: Review of draft-janfred-radext-radiu… Michael Richardson
- [radext] Re: Review of draft-janfred-radext-radiu… Alan DeKok
- [radext] Re: Review of draft-janfred-radext-radiu… Michael Richardson
- [radext] Re: Review of draft-janfred-radext-radiu… Alan DeKok
- [radext] Re: Review of draft-janfred-radext-radiu… Heikki Vatiainen
- [radext] Re: Review of draft-janfred-radext-radiu… Alan DeKok
- [radext] Re: Review of draft-janfred-radext-radiu… Michael Richardson
- [radext] Re: Review of draft-janfred-radext-radiu… Alan DeKok
- [radext] Re: Review of draft-janfred-radext-radiu… Michael Richardson
- [radext] Re: Review of draft-janfred-radext-radiu… Stefan Paetow
- [radext] Re: [Madinas] Re: Re: Review of draft-ja… Michael Richardson
- [radext] Re: Review of draft-janfred-radext-radiu… Alexander Clouter
- [radext] Re: Review of draft-janfred-radext-radiu… josh.howlett