Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
Alejandro Perez Mendez <alex@um.es> Thu, 22 August 2013 08:20 UTC
Return-Path: <alex@um.es>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C7DC11E810D for <radext@ietfa.amsl.com>; Thu, 22 Aug 2013 01:20:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.998
X-Spam-Level:
X-Spam-Status: No, score=-4.998 tagged_above=-999 required=5 tests=[AWL=-1.399, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5R-OYsCDdRRG for <radext@ietfa.amsl.com>; Thu, 22 Aug 2013 01:20:07 -0700 (PDT)
Received: from xenon13.um.es (xenon13.um.es [155.54.212.167]) by ietfa.amsl.com (Postfix) with ESMTP id 86D8E11E8180 for <radext@ietf.org>; Thu, 22 Aug 2013 01:20:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon13.um.es (Postfix) with ESMTP id 7D4065D5B4 for <radext@ietf.org>; Thu, 22 Aug 2013 10:19:59 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon13.um.es
Received: from xenon13.um.es ([127.0.0.1]) by localhost (xenon13.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id TSQfKXmKdEHh for <radext@ietf.org>; Thu, 22 Aug 2013 10:19:58 +0200 (CEST)
Received: from [192.168.10.2] (84.124.135.236.dyn.user.ono.com [84.124.135.236]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon13.um.es (Postfix) with ESMTPSA id D24B25D575 for <radext@ietf.org>; Thu, 22 Aug 2013 10:19:58 +0200 (CEST)
Message-ID: <5215C9AD.1060805@um.es>
Date: Thu, 22 Aug 2013 10:19:57 +0200
From: Alejandro Perez Mendez <alex@um.es>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130806 Thunderbird/17.0.8
MIME-Version: 1.0
To: radext@ietf.org
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <alpine.WNT.2.00.1308210755460.1748@SMURF>
In-Reply-To: <alpine.WNT.2.00.1308210755460.1748@SMURF>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 08:20:15 -0000
Hello Peter, thanks for the comments. See some responses below. El 21/08/13 20:05, Peter Deacon escribió: > On Fri, 9 Aug 2013, Jouni Korhonen wrote: > >> Based on the discussion in Berlin we are ready to start another >> adoption call for the solution for fragmentation of RADIUS packets. > > I would support this draft with narrower scope as interim solution > addressing a specific use. > > Have some concerns with draft as a general solution: > > Section 2. > > RFC5176 dynamic auth clients are not necessarily always RADIUS > servers. We have production systems where CoA client and RADIUS server > are separate with separate roles. Seeing value in maintaining > separation I do not favor Additional-Authorization. > > Accounting proposal is not atomic and depends on assumptions about > type of content. (e.g long attribute not able to fit within 4096 byte > limit cannot be transmitted) I probably misunderstood your comment. We do not deal with CoA or Accounting exchanges. They are left the way they are. > > Proposed 'T' bit in extended long attributes means existing systems > supporting extended attributes may require enhancement to pass needed > data. Despite 'SHOULD' language from RFC6929 I do not believe it > reasonable expectation proxy systems able to understand an attribute > known to be broke would elect to forward such an attribute anyway. umm, you are probably right. Let's see what Alan says about this. > > General. > > Attribute proxy not possible without proxy server modification to > support draft. > > Existing proxy servers not supporting draft may lose ability to > understand/enforce policy when attribute fragmentation is used. According to your previous comment, that would be partially true, but only when the proxy supports RFC6929. > > Section 5. > > A policy of limiting large RADIUS UDP packets to MTU would about > triple number of round trips needed to convey same information. That's probably right. You are able to send the data, but you have to pay a price. Compromise is the key here. > > Section 10. > > Message-Authenticator does not offer replay protection. Recommend > text "This signature prevents forging to the limits of the existing > security." Thanks, we will update the text accordingly. Regards, Alejandro > > regards, > Peter > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext
- [radext] Adoption call for draft-perez-radext-rad… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Diego R. Lopez
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Sanchez, Mauricio
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Diego R. Lopez