Re: [radext] New WGLC for RADIUSv11
Alan DeKok <aland@deployingradius.com> Thu, 07 March 2024 19:57 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6AC7C14F68E for <radext@ietfa.amsl.com>; Thu, 7 Mar 2024 11:57:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SYiifERhdTHE for <radext@ietfa.amsl.com>; Thu, 7 Mar 2024 11:57:11 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DEC2C14F5FC for <radext@ietf.org>; Thu, 7 Mar 2024 11:57:10 -0800 (PST)
Received: from smtpclient.apple (unknown [75.98.136.130]) by mail.networkradius.com (Postfix) with ESMTPSA id 33F4D453; Thu, 7 Mar 2024 19:57:08 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <50dba6a8-9f9c-43aa-9e97-79c72e68f796@newtoncomputing.co.uk>
Date: Thu, 07 Mar 2024 14:57:06 -0500
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <9D812B30-4036-4F0F-9F96-60304A935B54@deployingradius.com>
References: <A9DCF202-6963-4069-A9F1-7F79860FF405@gmail.com> <50dba6a8-9f9c-43aa-9e97-79c72e68f796@newtoncomputing.co.uk>
To: Matthew Newton <matthew-ietf@newtoncomputing.co.uk>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/sVOPN5ZwMGjheCCxnM3gbJ5XvIk>
Subject: Re: [radext] New WGLC for RADIUSv11
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Mar 2024 19:57:13 -0000
On Mar 7, 2024, at 10:29 AM, Matthew Newton <matthew-ietf@newtoncomputing.co.uk> wrote: > Introduction, (Page 6 paragraph 1): > > "A major benefit of this extensions is that a home server which implement it can also be more easily verified for FIPS-140 compliance." > > -> (extensions -> extension, implement -> implements) > > "A major benefit of this extension is that a home server which implements it can also be more easily verified for FIPS-140 compliance." Fixed, thanks. > Section 3.5, (Page 18 paragraph 8): > > "Similarly, when a server does resumption for a session which had previously negotiated "radius/1.1", If the client attempts to resume the sessions without signaling the use of RADIUS/1.1, the server MUST close the connection." > > ", If" -> ", if" Fixed, thanks. > ("signaling" rather than "signalling" throughout the document grates rather, but I suspect those over the pond would disagree!) It is definitely a point of concern, albeit a minor one. > This paragraph is not clear to me. I think it is trying to say that multiple Codes are permitted per connection, but the Token is unique on that connection connection (e.g. you can NOT have an Access-Request with Token A and an Accounting-Request with the same Token A). However the last sentence seems to say that an implementation sending both Access-Requests and Accounting-Requests on the same connection is not permitted. The first part of that is right. But the second part isn't. An implementation can send multiple codes over the same connection. It cannot use the same Token value for two different Codes. How about this: In contrast, the Token field MUST be managed solely on a per-connection basis, independent of any packet Code. An implementation can, for example, send both an Access-Request and an Accounting-Request over one connection at the same time, but those two packets MUST use different values for the Token field. That is, the method for generating new Token values MUST be independent of the packet Code. Systems generating the Token can do so via any method they choose. For simplicity, it is RECOMMENDED that the Token values be generated from a 32-bit counter which is unique to each connection. Such a counter SHOULD be initialized to a random value, taken from a random number generator, whenever a new connection is opened. The counter can then be incremented for every new packet that the client sends. This method ensures that the Tokens are unique, and are also independent of any packet Code. Alan DeKok.
- [radext] New WGLC for RADIUSv11 Margaret Cullen
- Re: [radext] New WGLC for RADIUSv11 Jan-Frederik Rieckers
- Re: [radext] New WGLC for RADIUSv11 Alan DeKok
- Re: [radext] New WGLC for RADIUSv11 Margaret Cullen
- Re: [radext] New WGLC for RADIUSv11 Stefan Paetow
- Re: [radext] New WGLC for RADIUSv11 Alexander Clouter
- Re: [radext] New WGLC for RADIUSv11 Fabian Mauchle
- Re: [radext] New WGLC for RADIUSv11 Nick Porter
- Re: [radext] New WGLC for RADIUSv11 mohamed.boucadair
- Re: [radext] New WGLC for RADIUSv11 Matthew Newton
- Re: [radext] New WGLC for RADIUSv11 Alan DeKok
- Re: [radext] New WGLC for RADIUSv11 Matthew Newton
- Re: [radext] New WGLC for RADIUSv11 Heikki Vatiainen