IETF Logo Mail Archive

Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

Alejandro Perez Mendez <alex@um.es> Thu, 22 August 2013 07:56 UTC

Return-Path: <alex@um.es>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEF7911E80F9 for <radext@ietfa.amsl.com>; Thu, 22 Aug 2013 00:56:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.298
X-Spam-Level:
X-Spam-Status: No, score=-6.298 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KIzQaiRVM3gG for <radext@ietfa.amsl.com>; Thu, 22 Aug 2013 00:56:27 -0700 (PDT)
Received: from xenon12.um.es (xenon12.um.es [155.54.212.166]) by ietfa.amsl.com (Postfix) with ESMTP id B68EC11E815C for <radext@ietf.org>; Thu, 22 Aug 2013 00:56:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon12.um.es (Postfix) with ESMTP id E49F04BD88 for <radext@ietf.org>; Thu, 22 Aug 2013 09:56:25 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon12.um.es
Received: from xenon12.um.es ([127.0.0.1]) by localhost (xenon12.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id yYKlrxG0tMFi for <radext@ietf.org>; Thu, 22 Aug 2013 09:56:25 +0200 (CEST)
Received: from [192.168.10.2] (84.124.135.236.dyn.user.ono.com [84.124.135.236]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon12.um.es (Postfix) with ESMTPSA id 0EDF64BD20 for <radext@ietf.org>; Thu, 22 Aug 2013 09:56:23 +0200 (CEST)
Message-ID: <5215C426.2040603@um.es>
Date: Thu, 22 Aug 2013 09:56:22 +0200
From: Alejandro Perez Mendez <alex@um.es>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130806 Thunderbird/17.0.8
MIME-Version: 1.0
To: radext@ietf.org
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <52146E31.1030701@restena.lu> <5214AE3C.4010909@deployingradius.com> <5214C457.70204@restena.lu>
In-Reply-To: <5214C457.70204@restena.lu>
Content-Type: multipart/alternative; boundary="------------000007060503090902040306"
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 07:56:32 -0000

El 21/08/13 15:44, Stefan Winter escribió:
> Hi,
>
>>    The PMTU / 4096 octet problem is one which I think should be supported
>> by the draft.  Telling operators to "fix their equipment" works in some
>> cases.  In others, it's useful to be able to fragment at sizes which are
>> *known* to work.
> I don't have particularly hard feelings about this; so if there's use
> for it, the text can also stay as it is.
>
>>    Fragmentation in this draft is only for authorization (Access-Request
>> / Access-Accept).  CoA can be done via sending a CoA with "Service-Type
>> = Additional-Authorization".  The client should then do fragmentation as
>> per the draft.  It's just too much to add fragmentation in multiple
>> places in the protocol.
> That's how I understood the first two paras in the document. The third
> one seemed to deal with the CoA-ACK/NAK replies, but there I got lost
> why these would need to be fragmented.

We will improve that paragraph, to make it clearer.

>
>>    Additional fragmentation in proxies can be done.  But it likely
>> involves re-assembly and subsequent re-sending / re-fragmentation of the
>> entire data.  Doing "on the fly" additional fragmentation is just too
>> hard (IMHO).
> So it would suffice to state that chunks are not supposed to be
> fragmented as-is; they need to be re-assembled into the long packet, and
> then that needs to be chunked again.

We could add that sentence if it serves to clarify further that aspect.

>
>>    We need a new flag for extended-type attributes.  Each Access-Request
>>   / Access-Accept packet MUST be a perfect RADIUS packet in and of
>> itself.  Some proxies MAY support RFC 6929, and will toss the packet if
>> it isn't formatted correctly.  i.e. if the attribute fragments "fall
>> off" the end of a packet.
> That doesn't seem right. If a proxy supports RFC6929, but not the
> fragmentation draft, it will not know that the T flag exists and can't
> react accordingly. It will see an M flag and some gibberish in the
> Reserved field (which RFC6929 says should simply be ignored). It will
> observe that the M flag requirements are violated and has every right to
> drop the packet.

Probably you are right. Indeed we have repeatedly discuss about that 
flag's utility, but we decided that having it will not harm anyone. 
However, it makes specification slightly complexer, and if it is not 
really useful, I agree it should be just removed.

>
>>    Fragmentation doesn't work with Access-Challenge.  There was a lot of
>> discussion between the draft authors about this.  The fragmentation is
>> *only* for authorization.  And it carries *only* authorization data, not
>> authentication data.  Think of it as pausing an existing RADIUS
>> conversation, and inserting a "fragmented data" exchange.
> That's understood; I didn't want Access-Challenge packets to be
> fragmented. My concern was that an initial (long) Access-Request needs
> to be fragmented, but that upon completing its reassembly, the server
> side finds that it is in the middle of an exchange which requires
> Access-Challenge as a subsequent packet. It must be possible to finalise
> the fragmented packet reassambly not just with an Accept or Reject; it
> may need to be a Challenge to complete the subsequent authentication
> that is done after the pre-authz.

Nope, the first Access-Request packet of an Authentication conversation 
is supposed to not need to be fragmented, as authentication mechanisms 
(e.g. RADIUS-EAP) already deal with packet size. If a Client generates a 
large Access-Request packet with EAP-Message, would be most probably to 
the inclusion of additional authorization attributes, and then, a 
pre-authz exchange is the way to go.

>
>>    We're assuming that proxy decisions are made via User-Name.  If it's
>> done via anything else... well... sorry, but it won't work.  There are
>> trade-offs which have to be made.
>>
>>    And eduroam proxying via SSID is just weird.  Isn't the SSID for
>> eduroam just "EDUROAM"?
> Sure it is. But you may be participating in more than one consortium
> with your hotspot.
>
> Imagine a single access point which is part of "eduroam" and "S-Mobile";
> and emits both SSIDs. Both consortia use RADIUS auth; the access point
> is dumb and only knows "its" authentication server.
>
> At that point, the RADIUS server which gets the AP's packet needs to
> realise: if a user tried to log into the eduroam SSID, I'll proxy the
> packet to eduroam infrastructure; if the user tried S-Mobile, I'll proxy
> to their infrastructure.
>
> That's real life (but not on very many sites, as far as I can see).
>
> "Sorry" may well be the appropriate answer. But that answer should be
> written explicitly into the draft.

We need to clearly state that, so far, proxying is only supported by 
means of User-Name attribute. Although I guess that's allowing a 
different attribute could be something configurable.

Best regards,
Alejandro
>
> Greetings,
>
> Stefan Winter
>
>
>
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email