[radext] configuration auto-discovery [was: draft-cullen-radextra-status-realm-00]

Alexander Clouter <alex+ietf@coremem.com> Tue, 08 August 2023 15:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/di8e3vXEz47jaOvNapqUDVqa4Vc>

On Tue, 8 Aug 2023, at 13:52, Alan DeKok wrote:
> What would be best is some kind of RADIUS routing protocol which let 
> you configure routes, realms, capabilities, etc.  I've been looking 
> into that for a long time, and there's been insufficient interest for 
> people to demand it.  Maybe now is the time?

As this configuration is already OOB ("administratively configured") do we have to make this part of the RADIUS protocol?

Other OOB options:

 * [multi-hop] further RFC7585 to detail DNS TXT records (vaguely DDNS-esque) on the host's record set?
 * [single hop] ALPN for RADIUS/1.1, but use custom Client/Server Hello extensions (SSL_CTX_add_custom_ext) to negotiate functionality

Only throwing ideas out there, as I know these options only work for some deployments; other people may have their own thoughts and ideas.

Cheers
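To make the first option concrete, here is an added example (not the poster's code nor any RADIUS project's) that walks the RFC 7585 NAPTR -> SRV discovery chain over a constructed in-memory zone and then reads a hypothetical TXT record on the server's name for advertised capabilities. The `v=radcap1 key=value` TXT syntax, the hostnames and the DNSSEC-validated name set are all assumptions of the example; the point it adds is that capabilities learned from DNS are only trustworthy when the whole chain validated.

```python
"""Offline walk of RFC 7585 dynamic discovery (NAPTR -> SRV -> host) plus a
hypothetical TXT record on the server's name that advertises capabilities.
All records below are constructed for illustration, not live DNS data."""
import re

# Constructed zone data.  NAPTR/SRV layouts follow RFC 7585; the TXT
# "v=radcap1 key=value ..." capability syntax is an assumption of this example.
ZONE = {
    ("example.org", "NAPTR"): [
        (60, 10, "S", "aaa+auth:radius.dtls.udp", "", "_radiusdtls._udp.example.org"),
        (50, 10, "S", "aaa+auth:radius.tls.tcp", "", "_radiustls._tcp.example.org"),
    ],
    ("_radiustls._tcp.example.org", "SRV"): [(10, 0, 2083, "radsec1.example.org")],
    ("radsec1.example.org", "TXT"): ["v=radcap1 status-realm=1 radius=1.1"],
    ("unsigned.example", "NAPTR"): [
        (10, 10, "S", "aaa+auth:radius.tls.tcp", "", "_radiustls._tcp.unsigned.example")],
    ("_radiustls._tcp.unsigned.example", "SRV"): [(10, 0, 2083, "rad.unsigned.example")],
    ("rad.unsigned.example", "TXT"): ["v=radcap1 radius=1.1"],
}
# Names whose answers a validating resolver returned with the AD bit set (constructed).
DNSSEC_OK = {"example.org", "_radiustls._tcp.example.org", "radsec1.example.org"}
CAP_RE = re.compile(r"^(?P<k>[a-z][a-z0-9-]*)=(?P<v>\S+)$")

def lookup(name, rtype):
    return ZONE.get((name, rtype), [])

def discover(realm, service="aaa+auth:radius.tls.tcp"):
    """Realm -> {'host','port','secure'} via NAPTR 'S' flag, then SRV; None if absent.
    'secure' is True only when every name on the chain was DNSSEC-validated."""
    naptr = [r for r in lookup(realm, "NAPTR") if r[2] == "S" and r[3] == service]
    if not naptr:
        return None
    _order, _pref, _flag, _svc, _rx, srv_name = sorted(naptr)[0]  # lowest order/pref
    srv = sorted(lookup(srv_name, "SRV"))                         # lowest priority first
    if not srv:
        return None
    _prio, _weight, port, host = srv[0]
    return {"host": host, "port": port, "secure": {realm, srv_name, host} <= DNSSEC_OK}

def capabilities(realm):
    """Capabilities from the discovered host's TXT record, or None when the chain
    was not DNSSEC-validated: an unsigned answer could be forged, so the client
    must fall back to static configuration or to what the server certificate
    proves (the NAIRealm SAN that RFC 7585 requires)."""
    found = discover(realm)
    if found is None or not found["secure"]:
        return None
    for txt in lookup(found["host"], "TXT"):
        fields = txt.split()
        if fields and fields[0] == "v=radcap1":                  # version tag must lead
            pairs = (CAP_RE.match(f) for f in fields[1:])
            return {m["k"]: m["v"] for m in pairs if m}
    return {}
```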