IETF Logo Mail Archive

Re: [radext] Extended IDs

"Naiming Shen (naiming)" <naiming@cisco.com> Wed, 13 December 2017 00:08 UTC

Return-Path: <naiming@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9F151270AE for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 16:08:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IaQgFFyl0p3M for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 16:08:02 -0800 (PST)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F698126CBF for <radext@ietf.org>; Tue, 12 Dec 2017 16:08:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3954; q=dns/txt; s=iport; t=1513123682; x=1514333282; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=4ggkjwO/bV/qPgVLXIvd5MJJBIaGNypAHDXMeUZJoro=; b=SacZymR1vE3qN7L2wWBZIvT2bs8draK/nhSz6/RmLn835uW+k5U1Xean 5ooHtO4KZlvnOrgJzCPQoRNq626tSRsaUNIYvnKOIYZDrYRxU1T7B6eHO mC9O42SNfqEL6IjOCidU8jruBUi1HC5+xcsgUdmfImGoZ0aB0htmYti4m M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BJAgAGbzBa/4gNJK1dDgsBAQEBAQEBAQEBAQEHAQEBAQGDPmZ0JweDe5kmgVcmlxGCFQoYC4RJTwIahG5AFwEBAQEBAQEBAWsohSMBAQEBAgEBARsGEToLBQsCAQgYAgImAgICJQsVEAIEDgWKIAgQqD+CJ4pgAQEBAQEBAQEBAQEBAQEBAQEBAQEBHYEPglSCC4M/KQuBaYEOgy4BgUcRLSOCWzGCMgWjFwKHeY0rghZjhS+EDocxljcCERkBgToBIQI1gU5vFToqAYF+CYQNP3iIB4EzgRUBAQE
X-IronPort-AV: E=Sophos;i="5.45,395,1508803200"; d="scan'208";a="321237950"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 13 Dec 2017 00:08:01 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id vBD081YU018813 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 13 Dec 2017 00:08:01 GMT
Received: from xch-rcd-004.cisco.com (173.37.102.14) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Tue, 12 Dec 2017 18:08:00 -0600
Received: from xch-rcd-004.cisco.com ([173.37.102.14]) by XCH-RCD-004.cisco.com ([173.37.102.14]) with mapi id 15.00.1320.000; Tue, 12 Dec 2017 18:08:00 -0600
From: "Naiming Shen (naiming)" <naiming@cisco.com>
To: Adam Bishop <Adam.Bishop@jisc.ac.uk>
CC: "radext@ietf.org" <radext@ietf.org>
Thread-Topic: [radext] Extended IDs
Thread-Index: AQHTKHKrqtJDphnIu0Ga679ujWV4vKMqT+8AgBZxrICAAJ7zgA==
Date: Wed, 13 Dec 2017 00:08:00 +0000
Message-ID: <AE2036D0-1294-45B5-A0D7-16F91E0B4248@cisco.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <933E6F70-A7C1-4168-9AC9-F925EF78D9E2@jisc.ac.uk>
In-Reply-To: <933E6F70-A7C1-4168-9AC9-F925EF78D9E2@jisc.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.32.173.17]
Content-Type: text/plain; charset="utf-8"
Content-ID: <7414E7FCE9118642BA581CAF1C27871D@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/iGMgF7KRcOPsJ75SJnmM_cM5HNY>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 00:08:05 -0000

I have seen some comments about the draft-chen proposal has the potential of
leaking the extended-ID by the proxy server.

First of all, if an implementation has bugs or the configuration is mishandled,
then we need have ways to debug and troubleshoot. Being an attribute gives
explicitly ways for debugging; An implementation should also have instrustment
for better debug in radius programs.

Second, similar to some types of attributes, a proxy can be configured to
explicitly filter them out (Filter Radius Attributes). If we are arguing we can
not rely on the proxy to filter them out, since there might be bugs or
misconfiguration, thus we should not even allow those attributes in radius
packets, that logic does not sound reasonable;

Third, if assume an operation completely messed up, and leaking this
extended-ID towards the home-server, I still need to see a good example
on what the harm is that, and why this can not be debugged. The draft
I agree needs to add some text on various cases and how to debug
those in each of them.

Best Regards,
- Naiming

> On Dec 12, 2017, at 12:39 PM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
> 
> On 28 Nov 2017, at 13:54, Stefan Winter <stefan.winter@restena.lu> wrote:
>> In your reply to this call for adoption, please indicate which of the
>> two drafts you think should be adopted. You can of course also indicate
>> that none of the two are fit for purpose. The only thing you really
>> shouldn't do is to vote for both; that wouldn't help the discussion move on.
> 
> Having read both drafts, I think the approach in draft-dekok is more suitable for adoption.
> 
> While assigning additional meaning to existing values can be problematic, there is sufficient explanation already present in the draft to reassure me that this shouldn’t interact negatively with existing implementations, and avoids changing or extending the header.
> 
> I agree with the observation that draft-chen could be problematic in federated deployments due to the potential for the identifier to leak between hops.
> 
> Regards,
> 
> Adam Bishop
> 
>  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460
> 
> jisc.ac.uk
> 
> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
> 
> Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.  
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email