IETF Logo Mail Archive

[radext] Re: Gorry Fairhurst's Discuss on draft-ietf-radext-radiusdtls-bis-15: (with DISCUSS and COMMENT)

Alan DeKok <alan.dekok@inkbridge.io> Fri, 06 March 2026 00:26 UTC

Return-Path: <alan.dekok@inkbridge.io>
X-Original-To: radext@mail2.ietf.org
Delivered-To: radext@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 44035C549776; Thu, 5 Mar 2026 16:26:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=inkbridge.io header.b="Y/Hu9osf"; dkim=pass (2048-bit key) header.d=inkbridge.io header.b="kElP2638"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nzB0ng_W3g-O; Thu, 5 Mar 2026 16:26:57 -0800 (PST)
Received: from mail2.networkradius.com (mail2.networkradius.com [184.95.211.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7C55EC54976E; Thu, 5 Mar 2026 16:26:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=inkbridge.io; s=sep2024; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=tQ8xo1xjNkiQBVFjRFBKDWXpRgqso6AVmjwYsLX7Qug=; b=Y/Hu9osfyIKlPjjJbB3rVlp1X2 6BfnqffoBHOR2yUFs0MQFiY/BPMHuzyXcYd85829kwpt/tt/2bFh9VRbFm18Q7wlPi1WSCqxjT7EQ brAOdCNusgcelwPkCgP/rS+N8QktBQYAvUphW8jmJRwJ7zCWBvUnVRTP5niEdihpjF8hB9Pez25Y5 sA9+JNx+edbc35IHT82WwaoQ+Ghzb2ZsptKxkNNJaGTat0cdKAA5gg+ziti9cqGVhsH+LVq8gVOMn MJ0Abb/3jH8RrEFS0UW0EOO2vo8qybmqQtYeBLTLhIjb6fSpfQHIWQdsnhuBra/Pf2QSQKdAyHxdQ SQl/SUZg==;
Received: from mail.servers.fr.internal.networkradius.com ([192.168.42.56]:59950 helo=mail.networkradius.com) by mail2.networkradius.com with esmtp (Exim 4.97) (envelope-from <alan.dekok@inkbridge.io>) id 1vyJ1j-00000000szT-3Na6; Fri, 06 Mar 2026 00:26:47 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inkbridge.io; s=sep2024; t=1772756807; bh=tQ8xo1xjNkiQBVFjRFBKDWXpRgqso6AVmjwYsLX7Qug=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=kElP2638PAXVbWdp0Wz3rVJchI6WGw/SNZtrgR6aHyHgI0aMZIJJjFDeo04cHB4Bc myIA002MX6RchrESSZZFCo1SoNZZ/imhG0tsfy8QGwGOretkKXsK/D8fwQb5iHJPPz ffCv8YQlpjf4BlkSEoDCPnCylFlZh/BNbtZMRHZBcfGoaTqC4x8zdRo3igbwD03rUw ZHClMoxese734y5+6ly9F8XdQ35WXRvZ0X1QpQC0trnmrlOLUC0yvHQWaSr7WutsXQ CMGOklH/eOul9uammPlivkZaUKZHVoT9bizBN2dUqHSBPtUE0R7KQ64hnGkDVJfE1S oC+bhEltuGclA==
Received: from smtpclient.apple (24-246-4-149.cable.teksavvy.com [24.246.4.149]) by mail.networkradius.com (Postfix) with ESMTPSA id 51572148; Fri, 6 Mar 2026 00:26:46 +0000 (UTC)
Content-Type: multipart/signed; boundary="Apple-Mail=_A22EE177-7841-4E14-A644-FC059F53457D"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.700.81.1.4\))
From: Alan DeKok <alan.dekok@inkbridge.io>
In-Reply-To: <d61c9879-a4b2-4978-9ead-d1ac92242b21@erg.abdn.ac.uk>
Date: Thu, 05 Mar 2026 19:26:34 -0500
Message-Id: <78A01BFD-CCF2-4B02-92BD-DDC0F8BBC50F@inkbridge.io>
References: <177263477673.4189860.18422256499304151674@dt-datatracker-6ff7c68975-7k42g> <70F300A2-4747-47AD-948E-5CBC1E599F06@inkbridge.io> <d61c9879-a4b2-4978-9ead-d1ac92242b21@erg.abdn.ac.uk>
To: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
X-Mailer: Apple Mail (2.3826.700.81.1.4)
Message-ID-Hash: H4FNF5SFUTAFZLJBUFTGNNTUDM7BPJ6J
X-Message-ID-Hash: H4FNF5SFUTAFZLJBUFTGNNTUDM7BPJ6J
X-MailFrom: alan.dekok@inkbridge.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, draft-ietf-radext-radiusdtls-bis@ietf.org, mrcullen42@gmail.com, radext-chairs@ietf.org, radext@ietf.org, valery@smyslov.net
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [radext] Re: Gorry Fairhurst's Discuss on draft-ietf-radext-radiusdtls-bis-15: (with DISCUSS and COMMENT)
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/sGc_Re6X0qtAYrWS0GlTT96LOls>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>

On Mar 5, 2026, at 1:29 PM, Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote:
> - I think a new revision could address these issues, and I'd be happy to work with the editors, if that is useful to find text - see comments below, marked [GF].

  I'll propose some changes via a GitHub PR.

  I'll address the biggest topics here: PMTUD and congestive collapse.

> [GF] I think this can be explained in a few sentences - but at the moment I don't understand from the I-D.

  I'll give some clarification, starting from the basics.

  RADIUS is a client-server protocol which runs at the application layer.  While a RADIUS proxy can receive and forward RADIUS traffic, it's doing so at the application layer.  For example, a system with one client, one proxy, and one server looks like this:

	client <--> proxy <--> server

  The difficulty here is that PMTUD runs at the IP layer, not at the application layer.  i.e. PMTUD for the "client <--> proxy" link is independent of PMTUD for the "proxy <--> server" link.

  In addition, there is no way in RADIUS to signal PMTU at the application layer, in a RADIUS packet.   RADIUS also does not allow for "too large" RADIUS packets to be fragmented at the application layer, across multiple RADIUS packets.

  So while a proxy can separately discover PMTU for all of the links it has, it has no way to share that information with the client, or with the server.  And if a proxy receives packets on the "client <--> proxy" link, but which are too large for the "proxy <--> server" link, the proxy has no way to fragment the packet, or signal the client to send smaller packets/

  Which means that while the client can do PMTUD for one link, it has no way of knowing if those packets will make it across the next link.  The proxy has no way of telling the client anything about the next link.

  The result is that when a proxy receives a packet that it can't forward, pretty much the only option is to discard it.

> [GF] The term "congestion collapse" is a pretty significant thing, inducing congestion is something that happens over shared paths.

  Common deployments of RADIUS use not  just one intermediate proxy, but multiple proxies.  These deployments include trees of proxies, where packets are forwarded repeatedly until they reach the destination.  For redundancy, each individual node in the tree may in fact be multiple servers in a fail-over or load-balancing pool.

  As noted above, RADIUS is a hop-by-hop protocol, with essentially no way to signal anything.  So it can't signal if packets are lost, links are down, etc.

  The possibility of congestive collapse comes in because proxies may need to retransmit packets due to loss, timeouts, etc.  If these retransmissions are the same packet, then these retransmissions provide for a linear increase in the number of packets.

  i.e. a lost packet results in the transmission of the same packet.

  If instead the retransmissions are new packets, then there is the possibility for an exponential increase in the number of packets.  One lost packet can result in multiple new packets being transmitted.

  Each proxy will see multiple new packets instead of one duplicate retransmission.  If there are problems forwarding those packets, then each of these multiple new packets will in turn result in multiple new packets: an exponential increase.

  i.e. one packet turns into 4.  Each of those 4 packets could turn into 4, resulting in 16 packets.  etc.

 Alan DeKok.

v2.46.0 | Report a Bug | By Email | System Status