Re: [radext] WGLC for draft-ietf-radext-dynamic-discovery-09
Stefan Winter <stefan.winter@restena.lu> Tue, 14 January 2014 14:15 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E84C51AE074 for <radext@ietfa.amsl.com>; Tue, 14 Jan 2014 06:15:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.237
X-Spam-Level:
X-Spam-Status: No, score=-1.237 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_34=0.6, J_CHICKENPOX_37=0.6, RP_MATCHES_RCVD=-0.538, WEIRD_PORT=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KzQnpKII5pmj for <radext@ietfa.amsl.com>; Tue, 14 Jan 2014 06:15:31 -0800 (PST)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id 06B961AE077 for <radext@ietf.org>; Tue, 14 Jan 2014 06:15:31 -0800 (PST)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 5D8E310583; Tue, 14 Jan 2014 15:15:19 +0100 (CET)
Received: from [IPv6:2001:a18:1:8:921b:eff:fe1b:d2e7] (unknown [IPv6:2001:a18:1:8:921b:eff:fe1b:d2e7]) by smtprelay.restena.lu (Postfix) with ESMTPS id 48FB81057E; Tue, 14 Jan 2014 15:15:19 +0100 (CET)
Message-ID: <52D54673.9000600@restena.lu>
Date: Tue, 14 Jan 2014 15:15:15 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: lionel.morand@orange.com, Jouni Korhonen <jouni.nospam@gmail.com>, "radext@ietf.org" <radext@ietf.org>
References: <15BCB5AD-55A0-4C74-B9BB-67448122EFF6@gmail.com> <23ABE552-71C9-4231-82B0-0D1861C922CB@gmail.com> <11892_1389706983_52D53EE7_11892_12055_1_6B7134B31289DC4FAF731D844122B36E43D683@PEXCVZYM13.corporate.adroot.infra.ftgroup>
In-Reply-To: <11892_1389706983_52D53EE7_11892_12055_1_6B7134B31289DC4FAF731D844122B36E43D683@PEXCVZYM13.corporate.adroot.infra.ftgroup>
X-Enigmail-Version: 1.6
OpenPGP: id=8A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="7Nd7ALn24ASoOJunQT4IT38mQeMLHLmHl"
X-Virus-Scanned: ClamAV
Cc: "radext-chairs@tools.ietf.org" <radext-chairs@tools.ietf.org>, "draft-ietf-radext-dynamic-discovery@tools.ietf.org" <draft-ietf-radext-dynamic-discovery@tools.ietf.org>
Subject: Re: [radext] WGLC for draft-ietf-radext-dynamic-discovery-09
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2014 14:15:33 -0000
Hi,
> But, just after a brief review of the last version, I have the following comments/questions.
>
> In Section 2.1.1.1. Registration of Application Service and Protocol Tags
>
>
> This specification defines three S-NAPTR service tags:
>
>
> +-----------------+-----------------------------------------+
> | Service Tag | Use |
> +-----------------+-----------------------------------------+
> | aaa+auth | RADIUS Authentication, i.e. traffic as |
> | | defined in [RFC2865] |
> | - - - - - - - - | - - - - - - - - - - - - - - - - - - - - |
> | aaa+acct | RADIUS Accounting, i.e. traffic as |
> | | defined in [RFC2866] |
> | - - - - - - - - | - - - - - - - - - - - - - - - - - - - - |
> | aaa+dynauth | RADIUS Dynamic Authorisation, i.e. |
> | | traffic as defined in [RFC5176] |
> +--------------- --+-----------------------------------------+
>
> Figure 1: List of Service Tags
>
> [LM] For historical reasons, "aaa" is already assigned to Diameter. The proposed values for RADIUS related Application Service Tags are not wrong per se but it could be misleading... What about using "RADIUS+" instead of "aaa+" to avoid such possible confusion?
We developed the RADIUS spec in sync with the Diameter equivalent, and
this was the way forward everybody agreed to.
There are multiple things to consider in this:
* IANA assignments of a service tag are NOT sensitive to a "+"
separator; the entire thing is a string of bytes. It either literally
matches the service you are looking for or not. In that light, two
different strings which by chance have the first four characters in
common does not mean they have anything to do with each other.
* There is no possibility for a naming clash between Diameter's
aaa+ap<int> and RADIUS aaa+{auth,acct,dynauth}.
* The protocol tag which follows the service tag in the DNS NAPTR record
makes clear that we're talking RADIUS, not Diameter.
* I don't think "aaa" as a whole is owned by Diameter anyway... Even in
the Diameter spec, there is a protocol tag for Diameter following the
service tag. Both in combination make the NAPTR type "owned" by
Diameter. And the old RFC3588 definition uses the monolithic "aaa+D2x"
string (where x varies, and the D hard-codes Diameter).
> [LM] I don't know if it is something commonly in use but I was wondering if it would be also suitable to define a service tag for Auth+Acc when both types of traffic are sent to the same server.
It may or may not be that both types of traffic end up at the same
server. If they do, adding a second NAPTR for Accounting doesn't add
much overhead. I would be concerned about this if there were "hundreds"
of NAPTR records per domain to evaluate, and economising on their number
was important. I didn't ever encounter this in reality though.
Looking sideways, not even the Diameter S-NAPTR spec allows to
concatenate multiple application IDs into one service tag, so... if you
guys haven't found a use case for it in 3G big-scale, I don't think it's
necessary or urgent?
> [LM] I think that the case for initial Accounting-Request is missing. Sorry if this point was discussed earlier on the mailing list.
It may well have been, I don't remember it though. :-)
You are right; where the NAS has a User-Name for its Accounting record,
it would need to discover a destination using the algorithm, so this
should be reflected in an added bullet. I'll do this for the next
revision update.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
- [radext] WGLC for draft-ietf-radext-dynamic-disco… Jouni Korhonen
- Re: [radext] WGLC for draft-ietf-radext-dynamic-d… Jouni Korhonen
- Re: [radext] WGLC for draft-ietf-radext-dynamic-d… Stefan Winter
- Re: [radext] WGLC for draft-ietf-radext-dynamic-d… lionel.morand
- Re: [radext] WGLC for draft-ietf-radext-dynamic-d… Stefan Winter
- Re: [radext] WGLC for draft-ietf-radext-dynamic-d… lionel.morand
- Re: [radext] WGLC for draft-ietf-radext-dynamic-d… Stefan Winter
- Re: [radext] WGLC for draft-ietf-radext-dynamic-d… lionel.morand
- Re: [radext] WGLC for draft-ietf-radext-dynamic-d… Stefan Winter
- Re: [radext] WGLC for draft-ietf-radext-dynamic-d… Stefan Winter