Re: [radext] Adam Roach's Discuss on draft-ietf-radext-coa-proxy-05: (with DISCUSS and COMMENT)

Alan DeKok <aland@deployingradius.com> Tue, 14 August 2018 16:11 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <b6c70613-40b1-9c78-ec63-927ffdffa094@nostrum.com>
Date: Tue, 14 Aug 2018 12:11:04 -0400
Cc: Winter Stefan <stefan.winter@restena.lu>, radext@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-radext-coa-proxy@ietf.org, radext-chairs@ietf.org
Message-Id: <44429A5F-F978-4D7B-8330-C6A665E8BF53@deployingradius.com>
References: <153421241151.25112.5942779659969287406.idtracker@ietfa.amsl.com> <DCBC0F8A-E486-4844-8C7A-CCDEBD41A0E4@deployingradius.com> <0d9cc14c-d065-87fa-5ea1-f76fde1c9c2f@nostrum.com> <B33A4595-EDBE-41C5-9FD6-5EEACB6EEDE4@deployingradius.com> <b6c70613-40b1-9c78-ec63-927ffdffa094@nostrum.com>
To: Adam Roach <adam@nostrum.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/maatCACrnwZj5WDCECqpei7nwWM>

On Aug 14, 2018, at 11:51 AM, Adam Roach <adam@nostrum.com> wrote:
> I think we're getting off in the weeds here exactly because the language in the document is ambiguous. I think I made some assumptions that might not match yours. Let's try a level set.
> 
> The document says that the token "SHOULD be cryptographically strong." What does this mean, and why do you need it?

  The Operator-NAS-Identifier may contain information, such as an encrypted IP address, in which case it should use sane encryption methods.

  If it's just an opaque token, then the token value should be created via some sane method, mainly to avoid accidental re-use.

> The document says that the token "SHOULD be verifiable by the Visited Network." What does this mean, and why do you need it?

  The visited network needs to know that the token maps to an actual NAS.

  If the token is an encrypted blob, it can decrypt the blob and verify it that way.  If the token is an opaque value, then the network needs to store the values it sends out.  Incoming values are then checked against the list to see if they're known.

  I think part of the confusion is that I don't want to restrict how people use it.  It might be simpler to just give one recommendation, and leave it at that.

  Alan DeKok.
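As an added illustration of the "encrypted blob" option discussed in the message above (example code written for this page, not from the draft or any RADIUS implementation): a Go helper that seals the NAS address with AES-GCM under a key only the visited network holds and binds the Operator-Name as associated data, so the visited network's decrypt step is also its verification step. The type and method names, the key and the Operator-Name value are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net"
)

// NASTokenizer (hypothetical helper, not from the draft) realises the "encrypted
// blob" Operator-NAS-Identifier: AES-GCM over the NAS address under the visited
// network's 16, 24 or 32 byte key, so decryption doubles as verification.
type NASTokenizer struct {
	aead cipher.AEAD
	ad   []byte // Operator-Name, bound to every token as associated data
}

func NewNASTokenizer(key []byte, operatorName string) (*NASTokenizer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // only fails for a non-128-bit block size
	return &NASTokenizer{aead: aead, ad: []byte(operatorName)}, err
}

// Issue returns base64(nonce || ciphertext || tag); the fresh random nonce
// keeps two tokens for the same NAS from ever repeating.
func (t *NASTokenizer) Issue(nasIP net.IP) (string, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := t.aead.Seal(nonce, nonce, nasIP.To16(), t.ad) // To16: v4 and v6 alike
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Verify is the visited network's check on an incoming CoA: a decode or tag
// failure means "not a token this network issued".
func (t *NASTokenizer) Verify(token string) (net.IP, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	ns := t.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return nil, errors.New("malformed token")
	}
	ip, err := t.aead.Open(nil, raw[:ns], raw[ns:], t.ad)
	if err != nil {
		return nil, errors.New("token not issued by this network, or tampered")
	}
	return net.IP(ip), nil
}
```

A token issued under one Operator-Name fails verification under another, so a blob cannot be replayed as a different operator's NAS.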