Re: [radext] Client ID exhaustion

Alan DeKok <aland@deployingradius.com> Thu, 27 April 2017 20:13 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <201704271850.v3RIowo6026896@cliff.eng.ascend.com>
Date: Thu, 27 Apr 2017 16:09:32 -0400
Cc: radext@ietf.org, Enke Chen <enkechen@cisco.com>
Message-Id: <44D6E749-D8AF-4E34-BF03-F54D2911D486@deployingradius.com>
References: <f521cd74-028d-33e7-4b94-0a9d65bd7d37@restena.lu> <e4c8aee2-c97f-e89e-8b48-6c943651238f@cisco.com> <B2D57E9F-C8B7-4E1C-9234-C1B41A08ABA7@deployingradius.com> <201704271850.v3RIowo6026896@cliff.eng.ascend.com>
To: Ignacio Goyret <ignacio.goyret@nokia.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/f8zYAgxfaePXF69eh8ywebhOti0>
Subject: Re: [radext] Client ID exhaustion

On Apr 27, 2017, at 2:46 PM, Ignacio Goyret <ignacio.goyret@nokia.com> wrote:
> A better alternative is to use a more appropriate tool like Diameter
> which solves all these issues quite well.

  There are multiple reasons why that's not going to happen.

  One is technical.  Diameter is rather more complex than RADIUS.  People won't implement a massive new protocol just to get incremental benefits.

  Another is economic.  There are millions of deployments of open source RADIUS solutions.  I include in this multiple WiFi equipment vendors, whose products simply wouldn't exist without open source.  They and their customers are just not going to pay six figures for a commercial Diameter implementation.

  The biggest single failure of Diameter is its inability to provide a smooth upgrade path from RADIUS.

>> i.e. Asking implementations to open 1-4 source ports is reasonable.  Asking them to implement 2000 source ports for a high load situation is possible, but is less reasonable.
> 
> Dealing with thousands of ports requires extra care but it is not
> an impossible task.

  I said "less reasonable", not "impossible".

  The additional gyrations required to scale an application to 1000s of ports are the same, or maybe slightly more complex than the changes required by my proposal.

  While opening multiple source ports is a technical solution, proposals from multiple people seem to indicate it's not a good solution.  You can believe that the people making these proposals are incompetent, or you can believe that they have good reasons for their proposals.

  Alan DeKok.
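As an added illustration, not part of this thread or of any RADIUS implementation discussed in it, the sketch below shows the bookkeeping a client needs once a single source port's one-octet Identifier space (256 values, RFC 2865) is not enough for its outstanding requests: a pool that hands out (source port, Identifier) pairs, binds a further ephemeral UDP port only when every open one is full, and refuses new requests once a configured port limit is hit. The class and function names are hypothetical, and the sockets are bound to loopback so it runs offline.

```python
import math
import socket

RADIUS_ID_SPACE = 256  # the RADIUS Identifier field is one octet (RFC 2865)


def ports_needed(outstanding: int) -> int:
    """Minimum number of source ports for a given number of in-flight requests."""
    return max(1, math.ceil(outstanding / RADIUS_ID_SPACE))


class ClientIdPool:
    """Allocates (source port, Identifier) pairs for outstanding RADIUS requests.

    Each UDP socket owns its own 256-entry Identifier space.  A new socket is
    bound only when every existing one is full, up to max_ports.  An Identifier
    goes back to the pool only when the matching reply arrives or the request
    times out; reusing a live Identifier would misattribute replies.
    """

    def __init__(self, max_ports: int, bind_addr: str = "127.0.0.1"):
        self.max_ports = max_ports
        self.bind_addr = bind_addr
        self.sockets = {}  # port -> socket
        self.in_use = {}   # port -> set of Identifiers currently outstanding

    def _open_port(self) -> int:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((self.bind_addr, 0))  # ephemeral port, as a real client would use
        port = s.getsockname()[1]
        self.sockets[port] = s
        self.in_use[port] = set()
        return port

    def allocate(self) -> tuple:
        # Fill existing ports first; lowest free Identifier on the first port with room.
        for port, ids in self.in_use.items():
            if len(ids) < RADIUS_ID_SPACE:
                ident = next(i for i in range(RADIUS_ID_SPACE) if i not in ids)
                ids.add(ident)
                return port, ident
        if len(self.sockets) >= self.max_ports:
            raise RuntimeError("Identifier space exhausted on all %d ports" % self.max_ports)
        port = self._open_port()
        self.in_use[port].add(0)
        return port, 0

    def release(self, port: int, ident: int) -> None:
        """Called when the reply for (port, ident) arrives or the request times out."""
        self.in_use[port].discard(ident)

    def close(self) -> None:
        for s in self.sockets.values():
            s.close()
```

With max_ports=2 the pool serves 512 concurrent requests and then refuses a 513th until a reply or timeout frees an Identifier.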