IETF Logo Mail Archive

Re: [radext] draft-cullen-radextra-status-realm-00

Terry Burton <tez@terryburton.co.uk> Tue, 28 March 2023 10:35 UTC

Return-Path: <tez@terryburton.co.uk>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0095EC14CE5E for <radext@ietfa.amsl.com>; Tue, 28 Mar 2023 03:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=terryburton.co.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wCkwRVKVaoL1 for <radext@ietfa.amsl.com>; Tue, 28 Mar 2023 03:35:04 -0700 (PDT)
Received: from mail-ot1-x361.google.com (mail-ot1-x361.google.com [IPv6:2607:f8b0:4864:20::361]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E318CC14CE5D for <radext@ietf.org>; Tue, 28 Mar 2023 03:35:04 -0700 (PDT)
Received: by mail-ot1-x361.google.com with SMTP id q23-20020a05683031b700b006a1370e214aso3218408ots.11 for <radext@ietf.org>; Tue, 28 Mar 2023 03:35:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=terryburton.co.uk; s=google; t=1679999703; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=n0c9AHISVse/h4f87vb9yYxQVNIaF7MHMmIDKmQLAtc=; b=dQS1O+KBrH3SaFbU8Mur141wgHNEAPKp5/oMGAYfGrsIWh10je+CXucYEhU24N5FSP vOi8hhejbRtDcXsmbqd/oxJ8CiLiMOJoeg4r5eL6jTPwy3lHsLlKvp+i0yPHaAWdn4RH ioHxXegY+CO0+ufZGBu13m5pBA4tMr1Hk6qBTnxXFb4nHox7EXhd7DAqEfjBnhaNpXoi KsO/f9F3dArXcRCxfpnh8ScIzGLbCLYS7Wz+Ufblpt0WtsIv7ylgRX6NthXo8ZbUNFdW +palY7z7UdFriphCndY/0jwDwc6Jq87mSHAYDhg0IuRjUhjxAaoZRsQwbVSB4e8qmwr0 TvGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679999703; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=n0c9AHISVse/h4f87vb9yYxQVNIaF7MHMmIDKmQLAtc=; b=hczhthJgzG5BeVtPJ7P3jBkAldAmaNNiUqbk5Z4OaMBC9VOWeTyDmVco7sz+NZtEMg /7zFhAAEMxUIU5xNCylYgHnxrKa4a2Ak/tFR3yJvJp/h0KTZkoykdhTglcWVniyYXMGP wt9XhUWSqsnQIgxONF5gXNX5mP4/CpQTkbDI8bPxAYb21auLIWCQvTsfkHmIvA+LXW+n RaPtMt2YOqvpL9zVK2MCV8V3pIZVi2+75FU2VH/+3mxGhPrr4A7RHtJXEpcFJEd8Cvl5 bple3yyxUTYuU9fL1LOQ67YAmvGgJqfY1Nw/bQl02yMxLNehDxRF8EqPum7VzDOkL5Uh hvig==
X-Gm-Message-State: AO0yUKWRrTwK9UqnDGLpwdDQz1LZ+VcX4Np7uwRNLzBIKfMAtmqg6SQh 17ymgfc0naSgC8/AYs9xOEVU9UbxaNRf1bovz0Iq8eB1aFZJ0ZhShbHxbTyA
X-Google-Smtp-Source: AK7set9aYWXi4hKm6N7H8LkvX5NGXcXKXdXIBxN9tTVAWNBVsmqhCdQRr88AGNvogfLiH7vj2ee3rDb51JIG
X-Received: by 2002:a05:6830:1ca:b0:6a1:1315:7974 with SMTP id r10-20020a05683001ca00b006a113157974mr6581880ota.7.1679999703499; Tue, 28 Mar 2023 03:35:03 -0700 (PDT)
Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com. [209.85.210.174]) by smtp-relay.gmail.com with ESMTPS id cy23-20020a056830699700b0069f977a75fcsm1868565otb.1.2023.03.28.03.35.03 for <radext@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 28 Mar 2023 03:35:03 -0700 (PDT)
X-Relaying-Domain: terryburton.co.uk
Received: by mail-pf1-f174.google.com with SMTP id dw14so7654255pfb.6 for <radext@ietf.org>; Tue, 28 Mar 2023 03:35:03 -0700 (PDT)
X-Received: by 2002:a63:795:0:b0:50f:76fb:84a2 with SMTP id 143-20020a630795000000b0050f76fb84a2mr3881172pgh.5.1679999702726; Tue, 28 Mar 2023 03:35:02 -0700 (PDT)
MIME-Version: 1.0
From: Terry Burton <tez@terryburton.co.uk>
Date: Tue, 28 Mar 2023 11:34:26 +0100
X-Gmail-Original-Message-ID: <CANsiXEK56aVwtjGqrLYsq-syC=zrHVqNzgKV7_gkkZXAkQhQ=w@mail.gmail.com>
Message-ID: <CANsiXEK56aVwtjGqrLYsq-syC=zrHVqNzgKV7_gkkZXAkQhQ=w@mail.gmail.com>
To: radext@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/ssqjXz7zoqEO4E_ZNED5nOEB9Ac>
Subject: Re: [radext] draft-cullen-radextra-status-realm-00
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 10:35:10 -0000

Regarding draft-cullen-radextra-status-realm-00.


Section 4.2: "When a RADIUS Proxy receives a RADIUS Request packet, it
checks to see if the Request contains a Server-Identifier attribute
indicating that it has already processed this packet. If so, it
discards the packet. If not, it adds its own Server Identifier to the
packet before forwarding it."

Should consideration be given to MTU constraints that may be
encountered by increasing the hop-by-hop packet size?


Section 6: "If the Max-Hop-Count attribute is present and the value is
zero, the Request MUST NOT be forwarded and an error response SHOULD
be returned, as appropriate to the request type."

May be beneficial to define the appropriate behaviour for each request type:

  - Access-Request: What error should go in an Access-Reject?
  - Accounting-Request: Presumably we don't actually want to send an
accounting response? (vs "SHOULD be returned.")
  - Status-Realm-Request: As explained elsewhere,
Status-Realm-Response with Response-Code = 4 ("Max-Hop-Count
exceeded").
  - CoA: ...


Section 7:

Status-Realm-Response-Code table needs work:

  - 256 is missing.
  - Is there an intended difference between 3 and 259?
  - 260 has multiple definitions.

Assuming that 5-255 means temporary reachability issue and 260-511
means "internal error" (may or may not be reachable), i.e. differing
semantics rather than extension of the same range.

Is the intent to allow automation on the basis of the Status-Realm, or
only to support administration?

If the former, to avoid ossification it may be worth splitting the
values into ranges against which one might associate differing
behaviours, e.g. Temporary path faults (e.g. "definately
unreachable"), temporary configuration faults (e.g. "unable to
dynamically look up a realm"), permanent configuration "faults"
(invalid realm / prohibited realm), unexpected errors. New definitions
can be added to the appropriate range.

Are there recommended policy behaviours for "realm unreachable",
"status unknown" and "reserved"?


Section 15:

Might be worth extending the table of attributes (or add another
table) to show other types of request Max-Hop-Count and
Server-Information are valid for.


Thanks.

v2.34.0 | Report a Bug | By Email | System Status