Re: [radext] Short draft on using larger packets for TLS fragmentation
Peter Deacon <peterd@iea-software.com> Mon, 08 July 2013 15:46 UTC
Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63C1821F9CB9 for <radext@ietfa.amsl.com>; Mon, 8 Jul 2013 08:46:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aw4S5VH-A2KK for <radext@ietfa.amsl.com>; Mon, 8 Jul 2013 08:46:44 -0700 (PDT)
Received: from aspen.internal.iea-software.com (remote.iea-software.com [70.89.142.196]) by ietfa.amsl.com (Postfix) with ESMTP id 3FC4621F9C56 for <radext@ietf.org>; Mon, 8 Jul 2013 08:46:43 -0700 (PDT)
Received: from SMURF (unverified [10.0.3.195]) by aspen.internal.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005890892@aspen.internal.iea-software.com>; Mon, 8 Jul 2013 08:46:43 -0700
Date: Mon, 08 Jul 2013 08:46:23 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Sam Hartman <hartmans@painless-security.com>
In-Reply-To: <tsly59hu6n8.fsf@mit.edu>
Message-ID: <alpine.WNT.2.00.1307072023550.3140@SMURF>
References: <tsly59hu6n8.fsf@mit.edu>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Cc: radext@ietf.org
Subject: Re: [radext] Short draft on using larger packets for TLS fragmentation
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2013 15:46:49 -0000
On Sun, 7 Jul 2013, Sam Hartman wrote: > There seems to be consensus on the idea that TCP level fragmentation is > the right way to fragment TLS when you can afford to change the proxies. > In fact, we may even have consensus that since RADSEC is experimental > that it's reasonable to assume that people who need fragmentation and > RADSEC can upgrade their proxies. > I'm tempted to write a short draft that revises RADSEC, permits larger > RADIUS messages and introduces a mechanism for saying that you cannot > respond to a request without being able to send a larger fragment. Only concern with this approach UDP compatibility is lost. > This does not provide negotiation nor does it provide support for the > proxy unmodified case. However at least as I've been reading the WG > discussion, we all seem to agree this is the best approach when it is > possible. Also, such a draft would not preclude using a future > negotiation mechanism and could work well along-side Alex's draft. My draft addresses TCP limits (4.2) while concurrently providing for UDP interop (4.1) should it be desired. Those who see no value in UDP interop can elect not to implement Section 4.1. Section 4.2 provides for larger messages via TCP and communicating message limits. It's not even necessary to support 4.2 command code and attributes to communicate message limits. Support for large messages is allowed to be an administrative option provided it is not enabled by default. regards, Peter
- [radext] Short draft on using larger packets for … Sam Hartman
- Re: [radext] Short draft on using larger packets … Peter Deacon
- Re: [radext] Short draft on using larger packets … Sam Hartman