Re: [radext] Extended IDs
"Naiming Shen (naiming)" <naiming@cisco.com> Wed, 13 December 2017 00:08 UTC
Return-Path: <naiming@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9F151270AE for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 16:08:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IaQgFFyl0p3M for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 16:08:02 -0800 (PST)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F698126CBF for <radext@ietf.org>; Tue, 12 Dec 2017 16:08:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3954; q=dns/txt; s=iport; t=1513123682; x=1514333282; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=4ggkjwO/bV/qPgVLXIvd5MJJBIaGNypAHDXMeUZJoro=; b=SacZymR1vE3qN7L2wWBZIvT2bs8draK/nhSz6/RmLn835uW+k5U1Xean 5ooHtO4KZlvnOrgJzCPQoRNq626tSRsaUNIYvnKOIYZDrYRxU1T7B6eHO mC9O42SNfqEL6IjOCidU8jruBUi1HC5+xcsgUdmfImGoZ0aB0htmYti4m M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BJAgAGbzBa/4gNJK1dDgsBAQEBAQEBAQEBAQEHAQEBAQGDPmZ0JweDe5kmgVcmlxGCFQoYC4RJTwIahG5AFwEBAQEBAQEBAWsohSMBAQEBAgEBARsGEToLBQsCAQgYAgImAgICJQsVEAIEDgWKIAgQqD+CJ4pgAQEBAQEBAQEBAQEBAQEBAQEBAQEBHYEPglSCC4M/KQuBaYEOgy4BgUcRLSOCWzGCMgWjFwKHeY0rghZjhS+EDocxljcCERkBgToBIQI1gU5vFToqAYF+CYQNP3iIB4EzgRUBAQE
X-IronPort-AV: E=Sophos;i="5.45,395,1508803200"; d="scan'208";a="321237950"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 13 Dec 2017 00:08:01 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id vBD081YU018813 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 13 Dec 2017 00:08:01 GMT
Received: from xch-rcd-004.cisco.com (173.37.102.14) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Tue, 12 Dec 2017 18:08:00 -0600
Received: from xch-rcd-004.cisco.com ([173.37.102.14]) by XCH-RCD-004.cisco.com ([173.37.102.14]) with mapi id 15.00.1320.000; Tue, 12 Dec 2017 18:08:00 -0600
From: "Naiming Shen (naiming)" <naiming@cisco.com>
To: Adam Bishop <Adam.Bishop@jisc.ac.uk>
CC: "radext@ietf.org" <radext@ietf.org>
Thread-Topic: [radext] Extended IDs
Thread-Index: AQHTKHKrqtJDphnIu0Ga679ujWV4vKMqT+8AgBZxrICAAJ7zgA==
Date: Wed, 13 Dec 2017 00:08:00 +0000
Message-ID: <AE2036D0-1294-45B5-A0D7-16F91E0B4248@cisco.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <933E6F70-A7C1-4168-9AC9-F925EF78D9E2@jisc.ac.uk>
In-Reply-To: <933E6F70-A7C1-4168-9AC9-F925EF78D9E2@jisc.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.32.173.17]
Content-Type: text/plain; charset="utf-8"
Content-ID: <7414E7FCE9118642BA581CAF1C27871D@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/iGMgF7KRcOPsJ75SJnmM_cM5HNY>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 00:08:05 -0000
I have seen some comments about the draft-chen proposal has the potential of leaking the extended-ID by the proxy server. First of all, if an implementation has bugs or the configuration is mishandled, then we need have ways to debug and troubleshoot. Being an attribute gives explicitly ways for debugging; An implementation should also have instrustment for better debug in radius programs. Second, similar to some types of attributes, a proxy can be configured to explicitly filter them out (Filter Radius Attributes). If we are arguing we can not rely on the proxy to filter them out, since there might be bugs or misconfiguration, thus we should not even allow those attributes in radius packets, that logic does not sound reasonable; Third, if assume an operation completely messed up, and leaking this extended-ID towards the home-server, I still need to see a good example on what the harm is that, and why this can not be debugged. The draft I agree needs to add some text on various cases and how to debug those in each of them. Best Regards, - Naiming > On Dec 12, 2017, at 12:39 PM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote: > > On 28 Nov 2017, at 13:54, Stefan Winter <stefan.winter@restena.lu> wrote: >> In your reply to this call for adoption, please indicate which of the >> two drafts you think should be adopted. You can of course also indicate >> that none of the two are fit for purpose. The only thing you really >> shouldn't do is to vote for both; that wouldn't help the discussion move on. > > Having read both drafts, I think the approach in draft-dekok is more suitable for adoption. > > While assigning additional meaning to existing values can be problematic, there is sufficient explanation already present in the draft to reassure me that this shouldn’t interact negatively with existing implementations, and avoids changing or extending the header. > > I agree with the observation that draft-chen could be problematic in federated deployments due to the potential for the identifier to leak between hops. > > Regards, > > Adam Bishop > > gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 > > jisc.ac.uk > > Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. > > Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800. > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext
- [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Robert Raszuk
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Astrid Smith
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stig Venaas
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Arran Cudbard-Bell
- Re: [radext] Extended IDs peter
- Re: [radext] Extended IDs Bernard Aboba
- Re: [radext] Extended IDs Alan DeKok
- [radext] FW: Extended IDs Albert Tian
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs David Carrel
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Jun Zhuang
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alexander Clouter