Re: [radext] Extended IDs
Alan DeKok <aland@deployingradius.com> Fri, 01 December 2017 16:39 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C241712940B for <radext@ietfa.amsl.com>; Fri, 1 Dec 2017 08:39:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ryccUzRV6_a0 for <radext@ietfa.amsl.com>; Fri, 1 Dec 2017 08:39:56 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id C1518128A32 for <radext@ietf.org>; Fri, 1 Dec 2017 08:39:56 -0800 (PST)
Received: from [192.168.20.53] (CPEf4cc55220745-CM64777ddff610.cpe.net.cable.rogers.com [99.248.225.186]) by mail.networkradius.com (Postfix) with ESMTPSA id C303A4D9; Fri, 1 Dec 2017 16:39:55 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <8DE62B3C-D2FA-4467-9CCE-7F8D039B87E2@cisco.com>
Date: Fri, 01 Dec 2017 11:39:54 -0500
Cc: "radext@ietf.org" <radext@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8D51B0BA-8F24-437D-B841-7F796F1174CF@deployingradius.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <8BD2C2F2-D42E-4B84-8F86-3A803160DD74@cisco.com> <b6ed7a87de434ea4a39f584a92e933b9@XCH-ALN-014.cisco.com> <285C5C94-578E-4293-81A2-9D73E1105ABE@deployingradius.com> <8DE62B3C-D2FA-4467-9CCE-7F8D039B87E2@cisco.com>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/h5_byQIGRcOLR_Pw8iAphG-qtJc>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 16:39:59 -0000
On Dec 1, 2017, at 11:15 AM, Jakob Heitz (jheitz) <jheitz@cisco.com> wrote: > > What if the quantum computers turn out to live up to their promises? Then we can throw out all this authentication stuff and decide to not share our Ethernets with the attackers instead. No more request authenticator. I'm sorry, but that just isn't realistic. If quantum computers can crack encryption, then RADIUS security will be the least of our issues. > The request authenticator is already overloaded. It may be used for the CHAP challenge. Now, you want another overload? I'd like to use an existing field, yes. The draft explains why this works. In detail. > The request authenticator is not reflected back in any return packets. The response authenticator is a different number. Suppose the client has several requests outstanding with the same id. When it receives a response, it has to hash it with every request authenticator from these outstanding requests to figure out which one the response is for. Please don't claim there are problems with the draft until you read it. The draft EXPLICITLY STATES that the request authenticator is echoed back in a new attribute. It has many, many, pages to discuss all possible issues with that practice. > Conflicting requests: if the server receives a request identical to one it received before and has a cached response, then retransmit the cache, else process it again. How to determine “identical request” is a local matter. Those are duplicate requests. They were defined 10 years ago in RFC 5080, Section 2.2.2, including how to determine what a "duplicate request" is. https://tools.ietf.org/html/rfc5080#section-2.2.2 RFC 5080 also defines what RADIUS servers should do with these requests. My comment was about *conflicts*. i.e. a RADIUS server receives an Access-Request from a client (src/dst, IP/port, ID 0, request authenticator A). While the server is processing that packet, the client (for whatever reason) sends a *different* packet with the same src/dst IP/port. ID 0, but a *different* request authenticator. Should be server respond to the first packet? Or should the server respond to the second packet? Or should it respond to both? Again... this issue is discussed in detail in my draft. > Comparing ID alone is clearly not enough. Comparing anything less than the whole request packet risks misidentified duplicates. That simply isn't true. Again, please read the draft. This is discussed in excruciating detail. Including the possibility of false positives, false negatives, etc. > If the short cut misleads, then don’t take the short cut. I think the only short cut here is the decision to skip reading the draft before commenting on it. Alan DeKok.
- [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Robert Raszuk
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Astrid Smith
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stig Venaas
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Arran Cudbard-Bell
- Re: [radext] Extended IDs peter
- Re: [radext] Extended IDs Bernard Aboba
- Re: [radext] Extended IDs Alan DeKok
- [radext] FW: Extended IDs Albert Tian
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs David Carrel
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Jun Zhuang
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alexander Clouter