IETF Logo Mail Archive

Re: [radext] Server identity and RFC7585bis (was: Review of draft-ietf-radext-radiusdtls)

Alan DeKok <aland@deployingradius.com> Thu, 11 April 2024 13:20 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B215FC14F6EF for <radext@ietfa.amsl.com>; Thu, 11 Apr 2024 06:20:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yu9liDWkFrLN for <radext@ietfa.amsl.com>; Thu, 11 Apr 2024 06:20:31 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA3B3C14F68F for <radext@ietf.org>; Thu, 11 Apr 2024 06:20:31 -0700 (PDT)
Received: from smtpclient.apple (unknown [75.98.136.130]) by mail.networkradius.com (Postfix) with ESMTPSA id 2FAAB177; Thu, 11 Apr 2024 13:20:27 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <dfdaac4a-c4b0-4509-93a6-a41805a16e87@app.fastmail.com>
Date: Thu, 11 Apr 2024 09:20:27 -0400
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B21F1DF5-FB39-4BEA-8F7C-92515E1827C9@deployingradius.com>
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <18ef8267-474e-49ae-9204-0c6c79d5e50c@dfn.de> <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de> <dfdaac4a-c4b0-4509-93a6-a41805a16e87@app.fastmail.com>
To: Alexander Clouter <alex+ietf@coremem.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/dLH19CwBMc_dnA_u2KljZJvswOY>
Subject: Re: [radext] Server identity and RFC7585bis (was: Review of draft-ietf-radext-radiusdtls)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2024 13:20:35 -0000

On Apr 10, 2024, at 5:57 PM, Alexander Clouter <alex+ietf@coremem.com> wrote:
> I would recommend each connection is just treated (and described) as a *route* to the service endpoint.
> 
> It seems easier to read if you replace 'connection' with 'route' when reading it out loud. Connections provide *routes* to a server. When there are no routes, the 'server' (ie. 'service endpoint') is then DOWN.

  I think that's a good terminology.  It also matches the text in RFC 7542 (NAI) Section 3 "Routing inside of AAA systems"  https://datatracker.ietf.org/doc/html/rfc7542#section-3

  A client or proxy can put multiple "routes" into a connection pool.  The pool can contain UDP home servers, or DTLS / TLS home servers.  It doesn't matter.  The administrator has determined that these are all paths to the same home server.

  The standardization work here is how the client or proxy can automatically determine that certain routes end up at the home server.  One way is a signed certificate which claims to be the same server.

  e.g.  It is reasonable to expect that NAIs of the form "example.com" get routed to servers which have certificates in the domain "example.com".

  Alan DeKok.

v2.23.0 | Report a Bug | By Email