Re: [radext] New WGLC for RADIUSv11
Matthew Newton <matthew-ietf@newtoncomputing.co.uk> Thu, 07 March 2024 15:29 UTC
Return-Path: <matthew-ietf@newtoncomputing.co.uk>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45357C180B57 for <radext@ietfa.amsl.com>; Thu, 7 Mar 2024 07:29:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=newtoncomputing.co.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vh6RxSP-jRo2 for <radext@ietfa.amsl.com>; Thu, 7 Mar 2024 07:29:29 -0800 (PST)
Received: from mail.newtoncomputing.co.uk (mail.newtoncomputing.co.uk [IPv6:2001:8b0:b2:1::140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07509C151532 for <radext@ietf.org>; Thu, 7 Mar 2024 07:29:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=newtoncomputing.co.uk; s=feb2010; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:From:References:To:Subject:MIME-Version:Date:Message-ID:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=OzVdAPJal1ZR9sw6QZdBiFOufrLU4czO61VMDp7VvKY=; b=hpmb/MJvIeS6HS8OIqKB/e7Y/R WUcwYX73YUjNZdT2F5a7a4SjdzymSZY1ZCA79Mfrv7HdFWFBN1+tPfNOzMCRULFwEwyunFtVfmTRU yHZOzfddVrIM98ZkNPb3sa8+iyT7WK6N9EzpvYYpa7urlQkkHqgDC81wRE9e0i6tTCX8=;
Received: from [2001:8b0:b2:11::1001] by mail.newtoncomputing.co.uk with esmtpsa (Exim 4.92 #3 (Debian)) id 1riFgP-0002EL-UQ for <radext@ietf.org>; Thu, 07 Mar 2024 15:29:23 +0000
Message-ID: <50dba6a8-9f9c-43aa-9e97-79c72e68f796@newtoncomputing.co.uk>
Date: Thu, 07 Mar 2024 15:29:19 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
To: radext@ietf.org
References: <A9DCF202-6963-4069-A9F1-7F79860FF405@gmail.com>
From: Matthew Newton <matthew-ietf@newtoncomputing.co.uk>
In-Reply-To: <A9DCF202-6963-4069-A9F1-7F79860FF405@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-NC-Fw-Sig: d28eb7783fcaa8a96965cdcb17b1e1fe matthew-ietf@newtoncomputing.co.uk
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/db_muYfKwXRB-t2_8pG-bVllvgE>
Subject: Re: [radext] New WGLC for RADIUSv11
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Mar 2024 15:29:34 -0000
On 27/02/2024 20:31, Margaret Cullen wrote:> The latest version of the document (draft-ietf-radext-radiusv11-04) can > be found here: > > https://datatracker.ietf.org/doc/draft-ietf-radext-radiusv11/ > <https://datatracker.ietf.org/doc/draft-ietf-radext-radiusv11/> > > Please read the new version, and respond to this message clearly > indicating that you SUPPORT publication of this draft as an > Experimental RFC, or that you DO NOT SUPPORT publication. If you do not > support publication, please list any outstanding issues that you would > like to see resolved before publication. I have read the latest version. Two very minor nits, and one paragraph that is not clear: Introduction, (Page 6 paragraph 1): "A major benefit of this extensions is that a home server which implement it can also be more easily verified for FIPS-140 compliance." -> (extensions -> extension, implement -> implements) "A major benefit of this extension is that a home server which implements it can also be more easily verified for FIPS-140 compliance." Section 3.5, (Page 18 paragraph 8): "Similarly, when a server does resumption for a session which had previously negotiated "radius/1.1", If the client attempts to resume the sessions without signaling the use of RADIUS/1.1, the server MUST close the connection." ", If" -> ", if" ("signaling" rather than "signalling" throughout the document grates rather, but I suspect those over the pond would disagree!) Section 4.2.1, (Page 21 paragraph 4): "In contrast, the Token field MUST be managed on a per-connection basis, and MUST NOT be managed for individual packet Codes. That is, if a system sends multiple packet Codes over the same connection, the Token field MUST be managed independent of any packet Code. For An implementation which sends both (for example) Access-Request and Accounting-Requests on the same connection is not compliant with this specification." "independent of any packet Code" -> "independently of any packet Code" (or "independent to any packet Code") "For An implementation"... - remove "For", but... This paragraph is not clear to me. I think it is trying to say that multiple Codes are permitted per connection, but the Token is unique on that connection connection (e.g. you can NOT have an Access-Request with Token A and an Accounting-Request with the same Token A). However the last sentence seems to say that an implementation sending both Access-Requests and Accounting-Requests on the same connection is not permitted. If my understanding is correct, I think this paragraph should read: "In contrast, the Token field MUST be managed on a per-connection basis, and MUST NOT be managed for individual packet Codes. That is, if a system sends multiple packet Codes over the same connection, the Token field MUST be managed independently of any packet Code. An implementation which, for example, can have an Access-Request and an Accounting-Request simultaneously ongoing using the same Token on the same connection is not compliant with this specification." Thanks, -- Matthew
- [radext] New WGLC for RADIUSv11 Margaret Cullen
- Re: [radext] New WGLC for RADIUSv11 Jan-Frederik Rieckers
- Re: [radext] New WGLC for RADIUSv11 Alan DeKok
- Re: [radext] New WGLC for RADIUSv11 Margaret Cullen
- Re: [radext] New WGLC for RADIUSv11 Stefan Paetow
- Re: [radext] New WGLC for RADIUSv11 Alexander Clouter
- Re: [radext] New WGLC for RADIUSv11 Fabian Mauchle
- Re: [radext] New WGLC for RADIUSv11 Nick Porter
- Re: [radext] New WGLC for RADIUSv11 mohamed.boucadair
- Re: [radext] New WGLC for RADIUSv11 Matthew Newton
- Re: [radext] New WGLC for RADIUSv11 Alan DeKok
- Re: [radext] New WGLC for RADIUSv11 Matthew Newton
- Re: [radext] New WGLC for RADIUSv11 Heikki Vatiainen