Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
Peter Deacon <peterd@iea-software.com> Fri, 23 August 2013 00:12 UTC
Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 049C121F9D0D for <radext@ietfa.amsl.com>; Thu, 22 Aug 2013 17:12:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3PY94nLG03Bc for <radext@ietfa.amsl.com>; Thu, 22 Aug 2013 17:12:48 -0700 (PDT)
Received: from aspen.internal.iea-software.com (remote.iea-software.com [70.89.142.196]) by ietfa.amsl.com (Postfix) with ESMTP id D0A3E21F9D1E for <radext@ietf.org>; Thu, 22 Aug 2013 17:12:47 -0700 (PDT)
Received: from SMURF (unverified [10.0.3.195]) by aspen.internal.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005896428@aspen.internal.iea-software.com>; Thu, 22 Aug 2013 17:12:46 -0700
Date: Thu, 22 Aug 2013 17:12:45 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alejandro Perez Mendez <alex@um.es>
In-Reply-To: <5215C9AD.1060805@um.es>
Message-ID: <alpine.WNT.2.00.1308221602490.1748@SMURF>
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <alpine.WNT.2.00.1308210755460.1748@SMURF> <5215C9AD.1060805@um.es>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Cc: radext@ietf.org
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 00:12:53 -0000
On Thu, 22 Aug 2013, Alejandro Perez Mendez wrote: > Hello Peter, > thanks for the comments. See some responses below. >>> Based on the discussion in Berlin we are ready to start another >>> adoption call for the solution for fragmentation of RADIUS packets. >> I would support this draft with narrower scope as interim solution >> addressing a specific use. >> Have some concerns with draft as a general solution: >> Section 2. >> RFC5176 dynamic auth clients are not necessarily always RADIUS servers. >> We have production systems where CoA client and RADIUS server are >> separate with separate roles. Seeing value in maintaining separation I >> do not favor Additional-Authorization. >> Accounting proposal is not atomic and depends on assumptions about type >> of content. (e.g long attribute not able to fit within 4096 byte limit >> cannot be transmitted) > I probably misunderstood your comment. We do not deal with CoA or > Accounting exchanges. They are left the way they are. Hi Alejandro, >From section 2 "scope of this document". Perhaps it might be best to simply address what is supported and remove extraneous references to what is not changed (CoA and Accounting). Specifically: " Instead, the CoA client MUST send a CoA-Request packet containing session identification attributes, along with Service-Type = Additional- Authorization, and a State attribute. Implementations not supporting fragmentation will respond with a CoA-NAK, and an Error-Cause of Unsupported-Service. Implementations supporting this specification may not be able to change authorization data for a particular session. In that case, they MUST respond with a CoA-NAK, as above. Otherwise, the implementation MUST start fragmentation via Access-Request, using the methods defined here." >> Proposed 'T' bit in extended long attributes means existing systems >> supporting extended attributes may require enhancement to pass needed >> data. Despite 'SHOULD' language from RFC6929 I do not believe it >> reasonable expectation proxy systems able to understand an attribute >> known to be broke would elect to forward such an attribute anyway. >> Attribute proxy not possible without proxy server modification to >> support draft. >> Existing proxy servers not supporting draft may lose ability to >> understand/enforce policy when attribute fragmentation is used. > According to your previous comment, that would be partially true, but > only when the proxy supports RFC6929. Thinking about a case where there is a fragmented "Pre-authorization" request. Attributes normally sent with Access-Request could be scattered about in different Access-Requests requests? I'm a little confused with "authentication" terminology normally during Access-Request there are attributes which provide context to authentication and then attributes which perform authentication. Attributes normally in Access-Request that are not passwords or EAPs is essentially "Pre-authorization" or is there another separation? >From section 2 " Specifically, its scope is limited to the exchange of authorization data, as other exchanges do not require of such a mechanism. In particular, authentication exchanges have already been defined to overcome this limitation" Is this still true in -06? For example am I allowed to send NAS-Id in first request and a NAS-Port-Type attribute in subsequent message where they are later combined by RADIUS server? If so just as an example what happens if an old proxy server is doing something that depends on both of these items being present? If just one is present there could be behavior it misses? regards, Peter
- [radext] Adoption call for draft-perez-radext-rad… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Diego R. Lopez
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Sanchez, Mauricio
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Diego R. Lopez