Re: [radext] Concerns with Operator-NAS-Identifer

Alan DeKok <aland@deployingradius.com> Sat, 18 August 2018 00:49 UTC

On Aug 17, 2018, at 6:27 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>  There is nothing in the coa-proxy that says you *must* remove NAS-Identifier, etc.  I could make that clearer, I suppose.
> 
> I see (in both -05 and -07) in the "Operator-NAS-Identifier" section (3.3
> or 3.4, respectively):

  Yes... I saw that after sending the message.

>   [...] When the Operator-
>   NAS-Identifier attribute is added to a packet, the following
>   attributes MUST be deleted: NAS-IP-Address, NAS-IPv6-Address, NAS-
>   Identifier.  The proxy MUST then add a NAS-Identifier attribute, in
>   order to satisfy the requirements of Section 4.1 of [RFC2865], and
>   Section 4.1 of [RFC2866].  The contents of the NAS-Identifier SHOULD
>   be the Realm name of the visited network.
> 
> Does that not do what you want?
> 
> (There isn't exactly anything that precludes the contents of this "newly
> added" NAS-Identifier from being the same value that was removed or
> something that would fit the use case described by Mohit, though, is
> there?)

  I think it's OK to change that to a SHOULD, with a comment that not doing so may leak private information.

  Alan DeKok.
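Added example, not code from the draft or from anyone in this thread: a proxy-side rewrite of the NAS-identifying attributes as the quoted draft text requires, plus the check Kaduk's parenthetical points at, refusing a replacement NAS-Identifier that merely repeats the value just removed. Type codes 4, 32 and 95 are the IANA-assigned ones; the code used here for Operator-NAS-Identifier is a placeholder assumption, not the real assignment.

```python
import struct

# IANA-assigned RADIUS attribute types (RFC 2865 / RFC 3162).
NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS = 4, 32, 95
# ASSUMPTION: placeholder in the implementation-specific range (224-240);
# the real Operator-NAS-Identifier code is whatever the draft/IANA assigns.
OPERATOR_NAS_IDENTIFIER = 224
# The draft says these MUST be deleted when Operator-NAS-Identifier is added.
DELETE_ON_REWRITE = {NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS}


class PrivacyLeak(Exception):
    """Raised when the replacement NAS-Identifier would still reveal the NAS."""


def decode_attrs(data):
    """Parse a run of RADIUS Type-Length-Value attributes into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], bytes(data[i + 2:i + data[i + 1]])))
        i += data[i + 1]
    return attrs


def encode_attrs(attrs):
    """Serialise (type, value) pairs back to TLV form; Length counts the header."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def rewrite_for_home_server(attrs, operator_nas_id, visited_realm):
    """Delete the NAS-identifying attributes, add Operator-NAS-Identifier, then
    add a NAS-Identifier that carries only the visited realm.  Reusing the
    removed NAS-Identifier value would defeat the point, so refuse it."""
    new_nas_id = visited_realm.encode()
    if any(t == NAS_IDENTIFIER and v == new_nas_id for t, v in attrs):
        raise PrivacyLeak("replacement NAS-Identifier equals the removed one")
    kept = [(t, v) for t, v in attrs if t not in DELETE_ON_REWRITE]
    kept += [(OPERATOR_NAS_IDENTIFIER, operator_nas_id), (NAS_IDENTIFIER, new_nas_id)]
    return kept


def demo():
    """Constructed attribute list as a visited-network proxy might receive it."""
    packet = encode_attrs([(1, b"alice@home.example"), (NAS_IP_ADDRESS, b"\x0a\x00\x00\x01"),
                           (NAS_IDENTIFIER, b"nas7.visited.example")])
    return rewrite_for_home_server(decode_attrs(packet), b"op-nas-7", "visited.example")
```

The CoA path is the reverse mapping (Operator-NAS-Identifier back to the real NAS) and is not shown here.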