IETF Logo Mail Archive

Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

Alejandro Perez Mendez <alex@um.es> Thu, 22 August 2013 08:20 UTC

Return-Path: <alex@um.es>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C7DC11E810D for <radext@ietfa.amsl.com>; Thu, 22 Aug 2013 01:20:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.998
X-Spam-Level:
X-Spam-Status: No, score=-4.998 tagged_above=-999 required=5 tests=[AWL=-1.399, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5R-OYsCDdRRG for <radext@ietfa.amsl.com>; Thu, 22 Aug 2013 01:20:07 -0700 (PDT)
Received: from xenon13.um.es (xenon13.um.es [155.54.212.167]) by ietfa.amsl.com (Postfix) with ESMTP id 86D8E11E8180 for <radext@ietf.org>; Thu, 22 Aug 2013 01:20:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon13.um.es (Postfix) with ESMTP id 7D4065D5B4 for <radext@ietf.org>; Thu, 22 Aug 2013 10:19:59 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon13.um.es
Received: from xenon13.um.es ([127.0.0.1]) by localhost (xenon13.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id TSQfKXmKdEHh for <radext@ietf.org>; Thu, 22 Aug 2013 10:19:58 +0200 (CEST)
Received: from [192.168.10.2] (84.124.135.236.dyn.user.ono.com [84.124.135.236]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon13.um.es (Postfix) with ESMTPSA id D24B25D575 for <radext@ietf.org>; Thu, 22 Aug 2013 10:19:58 +0200 (CEST)
Message-ID: <5215C9AD.1060805@um.es>
Date: Thu, 22 Aug 2013 10:19:57 +0200
From: Alejandro Perez Mendez <alex@um.es>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130806 Thunderbird/17.0.8
MIME-Version: 1.0
To: radext@ietf.org
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <alpine.WNT.2.00.1308210755460.1748@SMURF>
In-Reply-To: <alpine.WNT.2.00.1308210755460.1748@SMURF>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 08:20:15 -0000

Hello Peter,

thanks for the comments. See some responses below.

El 21/08/13 20:05, Peter Deacon escribió:
> On Fri, 9 Aug 2013, Jouni Korhonen wrote:
>
>> Based on the discussion in Berlin we are ready to start another
>> adoption call for the solution for fragmentation of RADIUS packets.
>
> I would support this draft with narrower scope as interim solution 
> addressing a specific use.
>
> Have some concerns with draft as a general solution:
>
> Section 2.
>
> RFC5176 dynamic auth clients are not necessarily always RADIUS 
> servers. We have production systems where CoA client and RADIUS server 
> are separate with separate roles.  Seeing value in maintaining 
> separation I do not favor Additional-Authorization.
>
> Accounting proposal is not atomic and depends on assumptions about 
> type of content.  (e.g long attribute not able to fit within 4096 byte 
> limit cannot be transmitted)

I probably misunderstood your comment. We do not deal with CoA or 
Accounting exchanges. They are left the way they are.

>
> Proposed 'T' bit in extended long attributes means existing systems 
> supporting extended attributes may require enhancement to pass needed 
> data.  Despite 'SHOULD' language from RFC6929 I do not believe it 
> reasonable expectation proxy systems able to understand an attribute 
> known to be broke would elect to forward such an attribute anyway.

umm, you are probably right. Let's see what Alan says about this.

>
> General.
>
> Attribute proxy not possible without proxy server modification to 
> support draft.
>
> Existing proxy servers not supporting draft may lose ability to 
> understand/enforce policy when attribute fragmentation is used.

According to your previous comment, that would be partially true, but 
only when the proxy supports RFC6929.

>
> Section 5.
>
> A policy of limiting large RADIUS UDP packets to MTU would about 
> triple number of round trips needed to convey same information.

That's probably right. You are able to send the data, but you have to 
pay a price. Compromise is the key here.

>
> Section 10.
>
> Message-Authenticator does not offer replay protection.  Recommend 
> text "This signature prevents forging to the limits of the existing 
> security."

Thanks, we will update the text accordingly.

Regards,
Alejandro
>
> regards,
> Peter
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email