Re: [radext] Server identity and RFC7585bis (was: Review of draft-ietf-radext-radiusdtls)

"Mark Grayson (mgrayson)" <mgrayson@cisco.com> Wed, 10 April 2024 07:58 UTC

From: "Mark Grayson (mgrayson)" <mgrayson@cisco.com>
To: Jan-Frederik Rieckers <rieckers@dfn.de>, "radext@ietf.org" <radext@ietf.org>
Date: Wed, 10 Apr 2024 07:58:21 +0000
Message-ID: <PH0PR11MB5928CD1EB7DBD5349EB84055D2062@PH0PR11MB5928.namprd11.prod.outlook.com>
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <18ef8267-474e-49ae-9204-0c6c79d5e50c@dfn.de> <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de>
In-Reply-To: <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/hU3Vxz9DTCYNAFyuNJyPRV3q85U>

As it relates to 7585, WBA recently had to clarify the same in terms of cache TTL,
but also a recommendation on the maximum TCP lifetime for dynamic connections:
there are some scenarios where significant traffic between access providers
and identity providers means any idle timeout is never triggered and the
dynamic connection becomes persistent, which then prevents the identity
provider from gracefully terminating connections on an old server instance.

M

From: radext <radext-bounces@ietf.org> on behalf of Jan-Frederik Rieckers <rieckers@dfn.de>
Date: Wednesday, 10 April 2024 at 08:35
To: radext@ietf.org <radext@ietf.org>
Subject: [radext] Server identity and RFC7585bis (was: Review of draft-ietf-radext-radiusdtls)


On 20.03.24 03:55, Jan-Frederik Rieckers wrote:
>>     ... If a RADIUS/(D)TLS client has multiple connections to a server,
>> it MUST NOT decide to mark the whole server as DOWN until all
>> connections to it have been marked DOWN.
>>
>>    Maybe add a discussion of what, exactly, is a "server". Destination
>> IP?  How is this affected by RFC 7585 dynamic DNS lookups?
>
> I've added a TODO for after the IETF.

I've started to write a section to explain how a server is uniquely
identified, but I am failing to come up with anything other than
destination IP address and destination port.
Is there some better qualifier?

I'm not sure if this warrants a whole section "Server Identity" which
basically just says "If it's the same IP addr and port, it's the same
server".

This would probably still be the same with dynamic lookups. If you
already have a standing session with the server, then you wouldn't need
to open a new connection. Just save the reference to the server in your
dynamic lookup table.


This also opens up the discussion about RFC 7585 again.
This is currently an experimental RFC too, with one Erratum in "hold for
document update", so we could issue a -bis document there too.

I'd be happy to get the ball rolling on that one too, if there is interest.


Cheers,
Janfred
--
Mr Jan-Frederik Rieckers
Security, Trust & Identity Services

E-Mail: rieckers@dfn.de | Phone: +49 30884299-339 | Fax: +49 30884299-370
Pronouns: he/him
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de

Board: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian Zens
Managing directors: Dr. Christian Grimm | Jochem Pattloch
Register of associations: Amtsgericht Charlottenburg VR 7729B | VAT ID: DE 136623822
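The thread touches three client-side rules that are easy to get subtly wrong: a server is identified by destination IP and port (so two realms whose dynamic lookup resolves to the same address share one standing connection), a server must not be marked DOWN while any connection to it is still up, and a dynamic connection needs a maximum lifetime in addition to an idle timeout, because under constant traffic the idle timeout never fires and the identity provider cannot retire an old server instance. The following Python model is an added illustration written for this page; it is not code from the draft, from either author, or from any RADIUS implementation. The class and function names (`ServerPool`, `make_pool`, `simulate_busy_link`), the realm names, the 192.0.2.x documentation addresses and the timeout values are all constructed for the example; port 2083 is the registered RADIUS/TLS port.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ServerId:
    """A server is identified only by destination IP address and port, as
    proposed in the thread: two realms resolving to the same pair are one server."""
    ip: str
    port: int


@dataclass
class Connection:
    """One (D)TLS connection to a server with the state the thread discusses."""
    opened_at: float
    last_activity: float
    down: bool = False


class CountingResolver:
    """Constructed stand-in for an RFC 7585 dynamic lookup; it counts calls so
    the effect of the lookup cache TTL can be observed."""

    def __init__(self, table: Dict[str, Tuple[str, int]]):
        self.table = table
        self.calls = 0

    def __call__(self, realm: str) -> Tuple[str, int]:
        self.calls += 1
        return self.table[realm]


class ServerPool:
    def __init__(self, resolver: Callable[[str], Tuple[str, int]],
                 idle_timeout: float, max_lifetime: float, dns_ttl: float):
        self.resolver = resolver
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.dns_ttl = dns_ttl
        # realm -> (server, cache expiry). The lookup table keeps a reference to
        # the server, so an existing standing connection is reused, not reopened.
        self._lookup: Dict[str, Tuple[ServerId, float]] = {}
        self._conns: Dict[ServerId, List[Connection]] = {}

    def resolve(self, realm: str, now: float) -> ServerId:
        cached = self._lookup.get(realm)
        if cached is not None and cached[1] > now:
            return cached[0]
        ip, port = self.resolver(realm)
        server = ServerId(ip, port)
        self._lookup[realm] = (server, now + self.dns_ttl)
        return server

    def open_connection(self, server: ServerId, now: float) -> Connection:
        conn = Connection(opened_at=now, last_activity=now)
        self._conns.setdefault(server, []).append(conn)
        return conn

    def connection_for(self, realm: str, now: float) -> Tuple[ServerId, Connection]:
        """Return a live connection to the realm's server, opening one only if needed."""
        server = self.resolve(realm, now)
        for conn in self._conns.get(server, []):
            if not conn.down:
                conn.last_activity = now
                return server, conn
        return server, self.open_connection(server, now)

    @staticmethod
    def mark_down(conn: Connection) -> None:
        conn.down = True

    def server_down(self, server: ServerId) -> bool:
        """The server is DOWN only once every connection to it is DOWN."""
        conns = self._conns.get(server, [])
        return bool(conns) and all(c.down for c in conns)

    def expire(self, now: float) -> int:
        """Close connections that are DOWN, idle too long, or past max_lifetime;
        the lifetime bound is what lets a busy link still rotate servers."""
        closed = 0
        for server, conns in self._conns.items():
            keep = []
            for c in conns:
                idle = now - c.last_activity >= self.idle_timeout
                too_old = now - c.opened_at >= self.max_lifetime
                if c.down or idle or too_old:
                    closed += 1
                else:
                    keep.append(c)
            self._conns[server] = keep
        return closed


def make_pool(max_lifetime: float, idle_timeout: float = 10.0, dns_ttl: float = 300.0) -> ServerPool:
    # Constructed lookup table: both realms point at the same RADIUS/TLS server.
    resolver = CountingResolver({
        "example.org": ("192.0.2.10", 2083),
        "example.net": ("192.0.2.10", 2083),
    })
    return ServerPool(resolver, idle_timeout, max_lifetime, dns_ttl)


def simulate_busy_link(pool: ServerPool, realm: str, duration: float, interval: float) -> int:
    """Send a request every `interval` seconds for `duration` seconds and count
    how many distinct connections were used."""
    seen: List[Connection] = []
    t = 0.0
    while t <= duration:
        pool.expire(t)
        _, conn = pool.connection_for(realm, t)
        if all(c is not conn for c in seen):
            seen.append(conn)
        t += interval
    return len(seen)


if __name__ == "__main__":
    print("idle timeout only:", simulate_busy_link(make_pool(float("inf")), "example.org", 120, 5))
    print("with 60 s max lifetime:", simulate_busy_link(make_pool(60), "example.org", 120, 5))
```

With traffic every 5 s and a 10 s idle timeout, the idle rule alone keeps a single connection open for the whole run; adding a 60 s maximum lifetime forces a reconnect at 60 s and 120 s, which is exactly the hook an identity provider needs to drain an old server instance without breaking the access provider.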