Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

Peter Deacon <peterd@iea-software.com> Mon, 02 September 2013 17:43 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5E6611E8133 for <radext@ietfa.amsl.com>; Mon, 2 Sep 2013 10:43:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3V3dGTqIQf2Z for <radext@ietfa.amsl.com>; Mon, 2 Sep 2013 10:42:55 -0700 (PDT)
Received: from aspen.internal.iea-software.com (remote.iea-software.com [70.89.142.196]) by ietfa.amsl.com (Postfix) with ESMTP id 81A5221F9FF1 for <radext@ietf.org>; Mon, 2 Sep 2013 10:42:55 -0700 (PDT)
Received: from SMURF (unverified [10.0.3.195]) by aspen.internal.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005897504@aspen.internal.iea-software.com>; Mon, 2 Sep 2013 10:42:54 -0700
Date: Mon, 02 Sep 2013 10:42:53 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <5224AB2B.7000808@deployingradius.com>
Message-ID: <alpine.WNT.2.00.1309020919250.2692@SMURF>
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <alpine.WNT.2.00.1308210755460.1748@SMURF> <5224AB2B.7000808@deployingradius.com>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Sep 2013 17:43:00 -0000

On Mon, 2 Sep 2013, Alan DeKok wrote:

>> Proposed 'T' bit in extended long attributes means existing systems
>> supporting extended attributes may require enhancement to pass needed
>> data.  Despite 'SHOULD' language from RFC6929 I do not believe it
>> reasonable expectation proxy systems able to understand an attribute
>> known to be broke would elect to forward such an attribute anyway.

>  The draft authors had a conference call this morning about this, and
> other issues.

>  RFC 6929 Section 5.2 says:

>   This practice is NOT RECOMMENDED.  Proxy servers SHOULD forward
>   attributes, even attributes that they do not understand or that are
>   not in a local dictionary.  When forwarded, these attributes SHOULD
>   be sent verbatim, with no modifications or changes.  This requirement
>   includes "invalid attributes", as there may be some other system in
>   the network that understands them.

>  I believe that this text directly addresses the "T" bit, and the
> possibility of fragmenting attributes across multiple packets.  You say
> that it's not reasonable to expect a proxy to forward such an attribute.
> You haven't given any reason for that opinion.

Yep, it sure is what I was referring to by "'SHOULD' language".

Seems like a fairly common and obvious security 101 precaution in our (my) 
space you just don't forward what you know to be broke especially where it 
involves authentication/authorization parameters.  I see no reason at all 
to allow such behavior to take place.

>  Until we have such discussion, we have real-world data from Eduroam,
> among other examples.  There have been real-world issues with proxies
> receiving attributes they don't understand, or think are malformed.
> Some proxies would then discard the packets or offending attributes.

>  This misbehavior caused real-world deployment problems.  The solution
> was to ensure that all proxies forwarded these attributes, even if they
> didn't understand them.

There are two issues which seem to be embedded in the above.

1. Forwarding of attributes you don't understand.

2. Incursions into standard space by vendor "A" and others.


Regarding #1

My opinion there certainly is value in administrative configuration 
allowing forwarding of unknown attributes.  I encourage all vendors to 
provide such an option to their customers.

Whether this is done or not seems to be orthogonal to the issue of 
rejecting a known attribute you know to be malformed.

Regarding #2

As far as I'm concerned this is ancient history, has been for years and
irrelevant in 2013.  Capitulating to an environment where nobody can be 
sure what an attribute even means is unacceptable.

Some attribute dictionaries have long memories and are quite easily 
changed.

As with #1 the underlying issue seems to be orthogonal.  With this issue 
the conflict is invoked by systems not agreeing on attribute "type". In 
case of fragment draft "type" is not in question.  The problem here a 
type's format has been changed retroactively in an incompatible manner.

I do not support use of above as "cover" to justify incompatible 
retroactive changes.




My recommendation going forward is to find an alternative option which 
does not depend on incompatible M flag behavior.

One option in the definition of any long attributes to convey eduroam/SAML 
data specify how partial content should be handled and allocate new flags 
to effect inter-packet continuation without changing existing behavior.

regards,
Peter