IETF Logo Mail Archive

Re: [radext] FW: New Version Notification for draft-henry-radext-stable-mac-identifier-00.txt

Bernard Aboba <bernard.aboba@gmail.com> Thu, 18 November 2021 03:25 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E51A23A089A for <radext@ietfa.amsl.com>; Wed, 17 Nov 2021 19:25:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t6GXnZ4YrzhX for <radext@ietfa.amsl.com>; Wed, 17 Nov 2021 19:25:40 -0800 (PST)
Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3BD33A089C for <radext@ietf.org>; Wed, 17 Nov 2021 19:25:40 -0800 (PST)
Received: by mail-pg1-x52d.google.com with SMTP id h63so4043221pgc.12 for <radext@ietf.org>; Wed, 17 Nov 2021 19:25:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:content-transfer-encoding:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=EbmYFRlsdo/a1R/cfSb1Z/2lS3VR0alS1ENoQ0dtYag=; b=aTwqJ+JrDWfe3HCa1ml2zG5K+CSTZvecGDVZyRF1L2yb0yjB/8cPp6G9kPWQam4Qwt e5cht0Su6FSTsjiQYs0ZAhlMtWK8i+l0ogZO9Nki9vMjoWKMsgvpubccBrX3CpcAExvT 7WLhCGKa6U087WzrHpW8iH+Qaj0rO+rk4Gf+OGNdup2neSIgfrCI4RiKAuOEtueWfrfC UWyVKzVL7SUo+yu3hgiQ9IYjHwptNNH+fjyMbFU3zPk6KPWE7NpD+hqqZegpF1RH1grp PJVGvL0bXP0PlMUztdacOrZZb0zRxDRPR1Luoxdwmir66ba+U9NEgao5cTDQAyNUD+h8 zW+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=EbmYFRlsdo/a1R/cfSb1Z/2lS3VR0alS1ENoQ0dtYag=; b=BrptGrAHdK7FuKzRlF9nTLiIm9fDMrzFFXkvhx352YIcp3/Moytbn9nF4KYZ7FMpCW D/tpsFKMbqHQEtvfIN9fA/IHsHW70kkizwxROCJDxXtrkyxCU+v05Ybs0IrxEl8YKu64 dZMHBqTI5JLC9N6QBlJRwvdnahaVnIt8jvVG8BkzTgAunR7pk/AsFW1dSVAXpfAsk4jm 5HKUJAtcdsTZqlKZV2EqMkLATY4cdMRZYQR7fMxucrkBvNAccJB74EK8FQ4RBAWac1aa ZmIzu13ef5tZpUu3h4198/ACw/3im/OU9DdSdyaXFIul9HRUSroszo34FrJScZxnH7DJ m7JQ==
X-Gm-Message-State: AOAM531AztYxAHKl8goo9yQ9vymoB6UNPjTeK6JQuMY7Cncldm5m6RBO 1kV04TWGmmIbyu6YZb2y4vfpreugHUPm4g==
X-Google-Smtp-Source: ABdhPJyihZbNdqta0f0hSx159BuQ2pasrkFJUoAT/lpzkkm/s+AbZTEWFmH0BP7Ixz7efkfOY19RzQ==
X-Received: by 2002:a65:6a4b:: with SMTP id o11mr9013083pgu.305.1637205938287; Wed, 17 Nov 2021 19:25:38 -0800 (PST)
Received: from smtpclient.apple (c-24-16-156-188.hsd1.wa.comcast.net. [24.16.156.188]) by smtp.gmail.com with ESMTPSA id t4sm1040327pfj.166.2021.11.17.19.25.37 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 17 Nov 2021 19:25:37 -0800 (PST)
From: Bernard Aboba <bernard.aboba@gmail.com>
X-Google-Original-From: Bernard Aboba <Bernard.Aboba@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Date: Wed, 17 Nov 2021 19:25:36 -0800
Message-Id: <BA4E0F5E-2780-422F-AADA-C0993F950212@gmail.com>
References: <6602207E-84AF-4454-8ED8-E3B829186A56@cisco.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, radext@ietf.org, "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>
In-Reply-To: <6602207E-84AF-4454-8ED8-E3B829186A56@cisco.com>
To: "Jerome Henry (jerhenry)" <jerhenry=40cisco.com@dmarc.ietf.org>
X-Mailer: iPad Mail (19B74)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/ipjB6y39vWhYy354SALRQLKiX-g>
Subject: Re: [radext] FW: New Version Notification for draft-henry-radext-stable-mac-identifier-00.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2021 03:25:45 -0000

On Nov 17, 2021, at 05:34, Jerome Henry (jerhenry) <jerhenry=40cisco.com@dmarc.ietf.org> wrote:
> 
> Good morning Benjamin,
> 
> (disclaimer: I am not Nancy __)
> 
> This changed behavior causes the failure of multiple assumptions that have been made over the past 3 decades on the idea that one client = 1 MAC. In the case we address in this draft, we look into bringing back stability in the exchanges between an authenticator (AP/Wireless LAN controller) and RADIUS, when one side or the other gets a stable identifier (I fully agree that the context is not clear in the draft, we'll expand it).

[BA] The idea that one client = 1 MAC (or one client = 1 IP address) became suspect once multi-homing became common and even more so once virtualization took off. 

As noted in RFC 8016, multiple approaches have been tried to “bring back stability”. One approach is to attempt to make it appear as if the address has not changed (e.g. mobile IP).  

However, another approach is to provide “stability” by making the upper layer protocol agnostic to the IP address change.  If properly executed, this approach can make it more difficult for an observer on the wire to link the multiple addresses.

Examples of this approach include TLS 1.3 and protocols built on it (such as EAP TLS 1.3).  The TURN protocol initially made an assumption that a relay allocation was linked to the IP address.  Once the disadvantages became clear, TURN mobility (RFC 8016) was developed.

v2.23.0 | Report a Bug | By Email