IETF Logo Mail Archive

Re: [radext] Watchdog behaviour (was: Confirmation of discussions on RADIUS/(D)TLS at IETF117)

Heikki Vatiainen <hvn@radiatorsoftware.com> Fri, 04 August 2023 19:58 UTC

Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FE72C15108F for <radext@ietfa.amsl.com>; Fri, 4 Aug 2023 12:58:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mLpGeyK-iIR5 for <radext@ietfa.amsl.com>; Fri, 4 Aug 2023 12:58:46 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49704C151088 for <radext@ietf.org>; Fri, 4 Aug 2023 12:58:45 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id 2adb3069b0e04-4fe21e7f3d1so4284235e87.3 for <radext@ietf.org>; Fri, 04 Aug 2023 12:58:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20221208.gappssmtp.com; s=20221208; t=1691179124; x=1691783924; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=/8LWcR9ehfelybWd9GJ1ywb7oI3zS/aHzXn7Thg6VuY=; b=qq3d+6L8ysrgx6yAy8ijLbLSi9GlzRKZrdRbWt1DJ9HOPbHtUWrA/QVOYGWB/5wen0 gTGbkAyH52gA+6GXtRS2Yo5CsHNRQPfcij03iK88kAxQAxqK9SQoHp3kLMcuSFmCku3M dQPCSZ1BY7iAtkaKKvvOTknjZ3qypG+dpv+ZsytXawuGa0yKcWcyUaD6ZEV0tq9+aL8S d6zimOe8KclgUXQmbyfiqb+a99+8BGrGpxsWhpJrMsWRf0Gfnzfmbs3OXDc44Qwun1LI 2L9s/jZexCYeA9wibpqzIAbunGPy2Q1xsJYNk9NNqVdpk6MIfaYVnFClREl6yGKtEP91 wgpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691179124; x=1691783924; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=/8LWcR9ehfelybWd9GJ1ywb7oI3zS/aHzXn7Thg6VuY=; b=IVv532GhuFwta9/XCtLrkQ9bwRSLoUXwrezXBpXbqatOr5gTMVTw2ZWjThvD6VnxOn q65ej058FtVv08OJInBPtsWwneNRf2bFlDryxPVTJ6Ddm3/zUBKyYQvo9PMzTmVD6Hmz I2mqtr0e8NkkEDv3qjJuYAPWDfzcd6SLxzuSSSQKlfwCbR3gEkBso1RKLHl4wkP117L7 cGRW0r/JTiVLKuw/53Iiw7bl8xO9TUngD4EPlpT+CubbAbuc1REh8pjnm1dTVIqVlVQT Vn/zbfAYQTh2Ugs8iUXt0+rOF6UQlcuw9aIY3+DPaT310AkiqZg9Y3TvJX6We0QY7S9h wIdw==
X-Gm-Message-State: AOJu0YwOpHihcmA7qZkqWtDUOgIeALuT+gdkXH92giN3Q+0ELthIyzSo 2pOurs9DqKmNCLLKysZrZ5X+so33wSVMaI6dOF5nXQSv6fziG9i0
X-Google-Smtp-Source: AGHT+IEcmtMdWb0dQDxuGfSQIsJoTD+ZMcF72isRCeRfG0k8CyKOttjpcKtdxd56r4CVnQPrET5RGQ8NZwUDfaXcxFE=
X-Received: by 2002:ac2:5f69:0:b0:4f8:5717:e421 with SMTP id c9-20020ac25f69000000b004f85717e421mr1824164lfc.40.1691179123975; Fri, 04 Aug 2023 12:58:43 -0700 (PDT)
MIME-Version: 1.0
References: <a401c4c2-3ddd-3d93-3fbc-b3fc02a1d26c@dfn.de> <CB09256A-196E-451F-B438-A1D0F392B9A1@deployingradius.com> <ee50a5e6-8bee-09d4-15fa-cfce02a9e4bb@dfn.de> <PH0PR11MB5928B0658A978DD26251D9F8D208A@PH0PR11MB5928.namprd11.prod.outlook.com> <CAA7Lko_0zP=y=zoZjyX9uhwM=7VOASgUy9-pSQzjVQic8w+Mhg@mail.gmail.com> <da966a05-4c5a-4c83-bbe1-e8dced5752e4@app.fastmail.com>
In-Reply-To: <da966a05-4c5a-4c83-bbe1-e8dced5752e4@app.fastmail.com>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Fri, 04 Aug 2023 22:58:27 +0300
Message-ID: <CAA7Lko9cr5MKM4OkZi5XWdrF2LYpbwnw=QwgCrzwJWDrQxs8xQ@mail.gmail.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="000000000000efc65306021e526f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/n6ec1mJd0juy9w8vs8I9AD8Op0A>
Subject: Re: [radext] Watchdog behaviour (was: Confirmation of discussions on RADIUS/(D)TLS at IETF117)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2023 19:58:47 -0000

On Fri, 4 Aug 2023 at 20:41, Alexander Clouter <alex+ietf@coremem.com>
wrote:

> On Fri, 4 Aug 2023, at 18:12, Heikki Vatiainen wrote:
>
> On Thu, 3 Aug 2023 at 10:15, Mark Grayson (mgrayson) <mgrayson=
> 40cisco.com@dmarc.ietf.org> wrote:
>
> > Radsecproxy offers two different ways of doing status server. Either
> >"on", which sends a packet each $timeinterval (I think it's 30 or 60
> > seconds, would need to confirm) or "minimal" which only sends status
> > server requests if replies to requests are outstanding.
>
> We don’t want to break idle_timeout mechanisms, especially for dynamically
> discovered routes.
>
>
> That's a good point. Do any of the current RFCs have guidance on closing
> dynamically opened connections? Should there be, or is this for the
> implementations to decide?
>
> Here's a hopefully useful idea on how to use watchdog (Status-Server) with
> dynamic connections:
> - when the dynamic connection has been established, do a watchdog request
> (Status-Server) over the connection
> - if there's an answer, the connection is likely good, otherwise there is
> likely a problem
>
>
> Why not just send the request that triggered the discovery for the initial
> test? Seems it would just needlessly add an RTT to the overall RTT of the
> request/response?
>

This request is sent before the watchdog request. The watchdog can follow
immediately the initial request. When this is done, there are two
outstanding requests and depending on what answers are received, or not,
the state of the connection starts to become known. With dynamic discovery,
I'd say it helps debugging when it's immediately seen that the remote ends
answers to at least Status-Server requests.

This also shaves one watchdog timeout from the time it takes to determine
if the peer is able to respond at all.

However, this idea is more of an implementation detail and may be useful in
some cases. That's why I didn't suggest to put it in a draft. What Margaret
wrote in a separate message some moments is fine with me.

> - when the connection is up, run watchdog (Status-Server) periodically but
> do not reset idle_timeout timer when watchdog response is received
>
> This allows the dynamic connection to be timed out while still allowing
> monitoring whether or not the peer is still responsive.
>
>
> This yak shaving is starting to make me wonder if we should just define
> BFD-over-RADIUS. :)
>

Had to lookup 'yak shaving'. I first thought it means I was spreading too
much burro on this bread, which seems to be close, but a different animal
[1].

[1] Fawlty Towers, season 1, episode 1

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com

v2.23.0 | Report a Bug | By Email