Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
Peter Deacon <peterd@iea-software.com> Mon, 02 September 2013 17:43 UTC
Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5E6611E8133 for <radext@ietfa.amsl.com>; Mon, 2 Sep 2013 10:43:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3V3dGTqIQf2Z for <radext@ietfa.amsl.com>; Mon, 2 Sep 2013 10:42:55 -0700 (PDT)
Received: from aspen.internal.iea-software.com (remote.iea-software.com [70.89.142.196]) by ietfa.amsl.com (Postfix) with ESMTP id 81A5221F9FF1 for <radext@ietf.org>; Mon, 2 Sep 2013 10:42:55 -0700 (PDT)
Received: from SMURF (unverified [10.0.3.195]) by aspen.internal.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005897504@aspen.internal.iea-software.com>; Mon, 2 Sep 2013 10:42:54 -0700
Date: Mon, 02 Sep 2013 10:42:53 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <5224AB2B.7000808@deployingradius.com>
Message-ID: <alpine.WNT.2.00.1309020919250.2692@SMURF>
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <alpine.WNT.2.00.1308210755460.1748@SMURF> <5224AB2B.7000808@deployingradius.com>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Sep 2013 17:43:00 -0000
On Mon, 2 Sep 2013, Alan DeKok wrote: >> Proposed 'T' bit in extended long attributes means existing systems >> supporting extended attributes may require enhancement to pass needed >> data. Despite 'SHOULD' language from RFC6929 I do not believe it >> reasonable expectation proxy systems able to understand an attribute >> known to be broke would elect to forward such an attribute anyway. > The draft authors had a conference call this morning about this, and > other issues. > RFC 6929 Section 5.2 says: > This practice is NOT RECOMMENDED. Proxy servers SHOULD forward > attributes, even attributes that they do not understand or that are > not in a local dictionary. When forwarded, these attributes SHOULD > be sent verbatim, with no modifications or changes. This requirement > includes "invalid attributes", as there may be some other system in > the network that understands them. > I believe that this text directly addresses the "T" bit, and the > possibility of fragmenting attributes across multiple packets. You say > that it's not reasonable to expect a proxy to forward such an attribute. > You haven't given any reason for that opinion. Yep, it sure is what I was referring to by "'SHOULD' language". Seems like a fairly common and obvious security 101 precaution in our (my) space you just don't forward what you know to be broke especially where it involves authentication/authorization parameters. I see no reason at all to allow such behavior to take place. > Until we have such discussion, we have real-world data from Eduroam, > among other examples. There have been real-world issues with proxies > receiving attributes they don't understand, or think are malformed. > Some proxies would then discard the packets or offending attributes. > This misbehavior caused real-world deployment problems. The solution > was to ensure that all proxies forwarded these attributes, even if they > didn't understand them. There are two issues which seem to be embedded in the above. 1. Forwarding of attributes you don't understand. 2. Incursions into standard space by vendor "A" and others. Regarding #1 My opinion there certainly is value in administrative configuration allowing forwarding of unknown attributes. I encourage all vendors to provide such an option to their customers. Whether this is done or not seems to be orthogonal to the issue of rejecting a known attribute you know to be malformed. Regarding #2 As far as I'm concerned this is ancient history, has been for years and irrelevant in 2013. Capitulating to an environment where nobody can be sure what an attribute even means is unacceptable. Some attribute dictionaries have long memories and are quite easily changed. As with #1 the underlying issue seems to be orthogonal. With this issue the conflict is invoked by systems not agreeing on attribute "type". In case of fragment draft "type" is not in question. The problem here a type's format has been changed retroactively in an incompatible manner. I do not support use of above as "cover" to justify incompatible retroactive changes. My recommendation going forward is to find an alternative option which does not depend on incompatible M flag behavior. One option in the definition of any long attributes to convey eduroam/SAML data specify how partial content should be handled and allocate new flags to effect inter-packet continuation without changing existing behavior. regards, Peter
- [radext] Adoption call for draft-perez-radext-rad… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Stefan Winter
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Diego R. Lopez
- Re: [radext] Adoption call for draft-perez-radext… Peter Deacon
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Sam Hartman
- Re: [radext] Adoption call for draft-perez-radext… Alan DeKok
- Re: [radext] Adoption call for draft-perez-radext… Jouni Korhonen
- Re: [radext] Adoption call for draft-perez-radext… Sanchez, Mauricio
- Re: [radext] Adoption call for draft-perez-radext… Alejandro Perez Mendez
- Re: [radext] Adoption call for draft-perez-radext… Diego R. Lopez