IETF Logo Mail Archive

Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

Alan DeKok <aland@deployingradius.com> Mon, 02 September 2013 15:14 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39A7D11E80E0 for <radext@ietfa.amsl.com>; Mon, 2 Sep 2013 08:14:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a6Kvb4hbvc-w for <radext@ietfa.amsl.com>; Mon, 2 Sep 2013 08:14:51 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1A15F21F9F70 for <radext@ietf.org>; Mon, 2 Sep 2013 08:14:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 2866922400FB; Mon, 2 Sep 2013 17:13:49 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x08FtQ-SrvGk; Mon, 2 Sep 2013 17:13:48 +0200 (CEST)
Received: from Thor-2.local (unknown [70.50.218.116]) by power.freeradius.org (Postfix) with ESMTPSA id 8A2B0224005C; Mon, 2 Sep 2013 17:13:48 +0200 (CEST)
Message-ID: <5224AB2B.7000808@deployingradius.com>
Date: Mon, 02 Sep 2013 11:13:47 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Peter Deacon <peterd@iea-software.com>
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <alpine.WNT.2.00.1308210755460.1748@SMURF>
In-Reply-To: <alpine.WNT.2.00.1308210755460.1748@SMURF>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Sep 2013 15:14:57 -0000

Peter Deacon wrote:
> Proposed 'T' bit in extended long attributes means existing systems
> supporting extended attributes may require enhancement to pass needed
> data.  Despite 'SHOULD' language from RFC6929 I do not believe it
> reasonable expectation proxy systems able to understand an attribute
> known to be broke would elect to forward such an attribute anyway.

  The draft authors had a conference call this morning about this, and
other issues.

  RFC 6929 Section 5.2 says:

   This practice is NOT RECOMMENDED.  Proxy servers SHOULD forward
   attributes, even attributes that they do not understand or that are
   not in a local dictionary.  When forwarded, these attributes SHOULD
   be sent verbatim, with no modifications or changes.  This requirement
   includes "invalid attributes", as there may be some other system in
   the network that understands them.

  I believe that this text directly addresses the "T" bit, and the
possibility of fragmenting attributes across multiple packets.  You say
that it's not reasonable to expect a proxy to forward such an attribute.
 You haven't given any reason for that opinion.

  Until we have such discussion, we have real-world data from Eduroam,
among other examples.  There have been real-world issues with proxies
receiving attributes they don't understand, or think are malformed.
Some proxies would then discard the packets or offending attributes.

  This misbehavior caused real-world deployment problems.  The solution
was to ensure that all proxies forwarded these attributes, even if they
didn't understand them.

  In conclusion, I believe we're safe in adding the "T" bit in the
fragmentation draft.  Implementations compliant with 6929 will ignore
the "T" bit, but SHOULD still forward the attributes they believe are
malformed (when the T bit is set)

  If you're saying that your implementation discards these attributes, I
would suggest that your implementation is incompatible with new
standards, and existing deployments.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email