IETF Logo Mail Archive

Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06

Sam Hartman <hartmans@painless-security.com> Fri, 23 August 2013 12:29 UTC

Return-Path: <hartmans@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4939311E80FF for <radext@ietfa.amsl.com>; Fri, 23 Aug 2013 05:29:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uNEUwbSXYgZ6 for <radext@ietfa.amsl.com>; Fri, 23 Aug 2013 05:29:18 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 5113011E80F4 for <radext@ietf.org>; Fri, 23 Aug 2013 05:29:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 2541A202C9; Fri, 23 Aug 2013 08:27:45 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qPX2S16_2pP5; Fri, 23 Aug 2013 08:27:44 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-98-216-0-82.hsd1.ma.comcast.net [98.216.0.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Fri, 23 Aug 2013 08:27:44 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id B18FD8803B; Fri, 23 Aug 2013 08:29:14 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alejandro Perez Mendez <alex@um.es>
References: <86D0772B-4561-46BD-950D-AF95BED87292@gmail.com> <alpine.WNT.2.00.1308210755460.1748@SMURF> <5215C9AD.1060805@um.es> <alpine.WNT.2.00.1308221602490.1748@SMURF> <5217470D.3090606@um.es>
Date: Fri, 23 Aug 2013 08:29:14 -0400
In-Reply-To: <5217470D.3090606@um.es> (Alejandro Perez Mendez's message of "Fri, 23 Aug 2013 13:27:09 +0200")
Message-ID: <tsl1u5kk2ud.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Cc: radext@ietf.org, Peter Deacon <peterd@iea-software.com>
Subject: Re: [radext] Adoption call for draft-perez-radext-radius-fragmentation-06
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 12:29:24 -0000

>>>>> "Alejandro" == Alejandro Perez Mendez <alex@um.es> writes:

    Alejandro> El 23/08/13 02:12, Peter Deacon escribió:
    >> On Thu, 22 Aug 2013, Alejandro Perez Mendez wrote:
    >> 
    >>> Hello Peter, thanks for the comments. See some responses below.
    >> 
    >>>>> Based on the discussion in Berlin we are ready to start
    >>>>> another adoption call for the solution for fragmentation of
    >>>>> RADIUS packets.
    >> 
    >>>> I would support this draft with narrower scope as interim
    >>>> solution addressing a specific use.
    >> 
    >>>> Have some concerns with draft as a general solution:
    >> 
    >>>> Section 2.  RFC5176 dynamic auth clients are not necessarily
    >>>> always RADIUS servers. We have production systems where CoA
    >>>> client and RADIUS server are separate with separate roles.
    >>>> Seeing value in maintaining separation I do not favor
    >>>> Additional-Authorization.
    >> 
    >>>> Accounting proposal is not atomic and depends on assumptions
    >>>> about type of content.  (e.g long attribute not able to fit
    >>>> within 4096 byte limit cannot be transmitted)
    >> 
    >>> I probably misunderstood your comment. We do not deal with CoA
    >>> or Accounting exchanges. They are left the way they are.
    >> 
    >> Hi Alejandro,
    >> 
    >> From section 2 "scope of this document".  Perhaps it might be
    >> best to simply address what is supported and remove extraneous
    >> references to what is not changed (CoA and
    >> Accounting). Specifically:
    >> 
    >> " Instead, the CoA client MUST send a CoA-Request packet
    >> containing session identification attributes, along with
    >> Service-Type = Additional- Authorization, and a State attribute.
    >> Implementations not supporting fragmentation will respond with a
    >> CoA-NAK, and an Error-Cause of Unsupported-Service.
    >> 
    >> Implementations supporting this specification may not be able to
    >> change authorization data for a particular session.  In that
    >> case, they MUST respond with a CoA-NAK, as above.  Otherwise, the
    >> implementation MUST start fragmentation via Access-Request, using
    >> the methods defined here."
    >> 

    Alejandro> The purpose of that text is to explain why we do not deal
    Alejandro> with CoA or Accounting, that is, why they do not need of
    Alejandro> a fragmentation solution. Removing them would provoke
    Alejandro> other people to ask why we do not support them.

I support retaining the section 2 text.

v2.23.0 | Report a Bug | By Email