IETF Logo Mail Archive

Re: [radext] configuration auto-discovery [was: draft-cullen-radextra-status-realm-00]

Alexander Clouter <alex+ietf@coremem.com> Mon, 14 August 2023 15:34 UTC

Return-Path: <alex+ietf@coremem.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B5F4C14CE4F for <radext@ietfa.amsl.com>; Mon, 14 Aug 2023 08:34:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="k/CG6Vp5"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="OWigbIYO"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRYEve1SwYRN for <radext@ietfa.amsl.com>; Mon, 14 Aug 2023 08:34:35 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 455B0C14CE42 for <radext@ietf.org>; Mon, 14 Aug 2023 08:34:34 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 3EF005C0003 for <radext@ietf.org>; Mon, 14 Aug 2023 11:34:34 -0400 (EDT)
Received: from imap46 ([10.202.2.96]) by compute5.internal (MEProxy); Mon, 14 Aug 2023 11:34:34 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm3; t=1692027274; x=1692113674; bh=Ii c4c/gcSjVgLPP5EMrDVzlQJ6M9aaKb12MjWveCk50=; b=k/CG6Vp5LihqOYrX4A PQH0PUag0GVMhS+Ab0fegWJrNrdJ3qisJOiwwMAPFr1q8oGZROB7Mrm6hnvmvgA9 9pG/mMhtANLgm0WkbZdFpoiZBG8Ki0pXU4CqSIzIpEkYwVauf+F89AM3Rmvsa4tR pDP7Ej+HYLZCXIyl9G/40JfI1o0UDsm2JObsVlRiAkCzOc3UD6vgg3rG8Wr4ou2e vOmeJ2+BH2nEp4RKRurkR/5AvOp6AOuYkJgBuyNR0IZAr5pMAzlNlG9gNiaj+e9l tK4OrPlPTVPIJ/OBIfLkz1BacyMcTN/7Mwx1Ib/bm07dF5I5z0NnMjidjmTtqrFl J9sw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; t=1692027274; x=1692113674; bh=Iic4c/gcSjVgL PP5EMrDVzlQJ6M9aaKb12MjWveCk50=; b=OWigbIYOOjDrpCCh7vbWx+xFVbrJM YvpcSyseIPzY6A03AaJ4929qutpijHgXOza4nNcHkv6AO9H1BPfTqfzjtPnC6TKa pfV5zr3xxKgbktgO1ZVmHZyRRHNh5VUf7MQ0afWVrzTom2yd6t/stERwAY5himTp vxDfQW/yKuQfr7DnkELf+sMJisRwI4leTwaVlsysD1JqlUwiRNs+KMlESST3f8jk N8OWvx1GBqhb9VuOI52WLGKa4MM4QymCpQFXzx5LVb9B0uj2BzXSZNogWl6uNR4w nGbm4VvgIDJDNphaDQzivhjU9mHsQJQrd5Ic06TKHg5npSsh4jNAZoC8A==
X-ME-Sender: <xms:iknaZDqrBjKgXbHmlP7HYZwRpetar39oDwey0d3Q-eJStDwrnS045w> <xme:iknaZNofG7g3q06qcSKLYA2RBlZ4Lr4hH2O8EBlBidcldrI_QFUAmp0wd7V2aMQYk 54JjrjwsarbWP8gzg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedruddtgedgledtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedftehlvgigrghnuggvrhcuvehlohhuthgvrhdfuceorghl vgigodhivghtfhestghorhgvmhgvmhdrtghomheqnecuggftrfgrthhtvghrnhepvdetje fhhefggeelueelfeetieekgfevhfehkeehvedvkeeufeekieeifffhvdegnecuvehluhhs thgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprghlvgigodhivghtfh estghorhgvmhgvmhdrtghomh
X-ME-Proxy: <xmx:iknaZAPEgiJ8DwTPAtb39WMwfyzAdgEEKkQxeZMfsj1lSqUr3b_GmQ> <xmx:iknaZG6Tb7_1NZdEu1TYk2ziJOyopYYrI2MhE-3oiyvb3dMb6OOJdg> <xmx:iknaZC5eokq-h7Ntq4f9b8_oKCTvKcGUXtHrawBGBOTvV0GUwaeDxQ> <xmx:iknaZEGD5-g-A5EKFFER8VvFRAVo4SboaM08TNGMHBjLQJ7XWRdkpQ>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id E8F632A20085; Mon, 14 Aug 2023 11:34:33 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-624-g7714e4406d-fm-20230801.001-g7714e440
Mime-Version: 1.0
Message-Id: <1bb810eb-a133-45d0-987d-86d5f5f5b871@app.fastmail.com>
In-Reply-To: <23A95285-EEF4-4CCE-A68B-8EF6AEFCD668@deployingradius.com>
References: <0FCC9942-32CE-4B98-8F71-175F410882E7@deployingradius.com> <5B16D759-758E-4701-8C7E-4A563AC74274@gmail.com> <f3da5d88-fb33-f40e-303d-10000434cf0d@dfn.de> <23A95285-EEF4-4CCE-A68B-8EF6AEFCD668@deployingradius.com>
Date: Mon, 14 Aug 2023 16:34:13 +0100
From: Alexander Clouter <alex+ietf@coremem.com>
To: radext@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/lDggX68TlB50bTNhSUrkAyWeCn4>
Subject: Re: [radext] configuration auto-discovery [was: draft-cullen-radextra-status-realm-00]
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2023 15:34:40 -0000

On Mon, 14 Aug 2023, at 15:38, Alan DeKok wrote:
>
> * RADIUS cannot signal "please send this packet on a different route".

...pure spit balling.

Say we invent a new type of RADIUS reject...call it 'Access-Unreachable'.

Not important here and now, as it is detail, but this packet could have a 'scope' to communicate if this is just the realm the Access-Request was for or "all realms" or something in between.

>   The difficulty is that the servers here are proxies.  If they were 
> home servers, then when server A is dead, the client simply falls back 
> to server B.
>
>   But when we have proxies, server A is alive, but can't forward 
> packets for a particular realm.  But maybe server B can forward those 
> packets.  This last piece is what drives the idea of a realm routing 
> protocol.

With our new response packet we can have each proxy take part in a *depth*-first search primed by the existing administrative file/DNS/database setup.

A >--+--- B --+-- C --- D --+--> E
     |        |             |
      \-- W --+-- X --- Y --/

So A is trying to get to E.

 * System D is dead: C responds to B "unreachable" and B can then try X. If X is dead, it will response "unreachable" to A which will try W.
 * System C is dead: B will respond to A "unreachable" and 
 * System E is dead: D will response to C and the C to B "unreachable". B will try X which will get "unreachable" from Y. B responds to A "unreachable" causing it to try "W" and it will end up with "unreachable" from X

This is not really routing, but just building a dynamic filter list of when *not* to use your configured proxy upstream.

Things then backtrack until they get through. Actually, lets call the packet Access-Cut for the Prolog fans out there :)

The tricky part would be figuring out when to unblock traffic to the upstream by realm. This probably would be a good fit for regularly polling Status-Realm with the TTL set to one.

This would be an optimisation effort. The system would have to discover unreachable before it can start reporting unreachable downstream.

Time now for the "Smithers Release The Hounds" stage and have this idea torn apart.

Cheers

v2.23.0 | Report a Bug | By Email