IETF Logo Mail Archive

Re: [radext] Extended IDs

"Jakob Heitz (jheitz)" <jheitz@cisco.com> Wed, 13 December 2017 06:34 UTC

Return-Path: <jheitz@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEBF2128CDC for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 22:34:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VzDX4Qh0XT8q for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 22:34:32 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 375AF1271FD for <radext@ietf.org>; Tue, 12 Dec 2017 22:34:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4056; q=dns/txt; s=iport; t=1513146872; x=1514356472; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=KPArTQNMN5tzD8SSbsJsMNhO+0jK0GB8LyazHyvhSws=; b=chCSlX0PLOE/5ha4Z/9jOfFEwjlY4BQsfbtH7dvWTOHQuzaQsKLIGR8t k/kcRY6xjLLF7JviPepJwNRt3QlKSWGxAapPIut/xcCnJcmakh21hrPzS 0cUVPMwgEDGHfBZheHDAPS/yC9VspEkvqTS4dbws3yMpWa/rr1EHqQQzv I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DjAAAGyTBa/5hdJa1dGQEBAQEBAQEBAQEBAQcBAQEBAYM+ZnQnB4N7iiGPBYF9lxGCFQoYC4FegmtPAhqEbj8YAQEBAQEBAQEBayiFIwEBAQECAQEBGwYROgsFBwQCAQgRBAEBAQICIwMCAgIlCxQBCAgCBAENBQiKGAgQqB+CJ4phAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWBD4JUgguBVoFpgyuDLgGBWC2CfoJjBaMZApUbk3CWOQIRGQGBOgEfOYFObxU6gimEVXiJLoEVAQEB
X-IronPort-AV: E=Sophos;i="5.45,397,1508803200"; d="scan'208";a="43931686"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Dec 2017 06:34:31 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id vBD6YUhQ024465 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 13 Dec 2017 06:34:31 GMT
Received: from xch-aln-014.cisco.com (173.36.7.24) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 13 Dec 2017 00:34:30 -0600
Received: from xch-aln-014.cisco.com ([173.36.7.24]) by XCH-ALN-014.cisco.com ([173.36.7.24]) with mapi id 15.00.1320.000; Wed, 13 Dec 2017 00:34:30 -0600
From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: "Naiming Shen (naiming)" <naiming@cisco.com>, Peter Deacon <peterd@iea-software.com>
CC: "radext@ietf.org" <radext@ietf.org>
Thread-Topic: [radext] Extended IDs
Thread-Index: AQHTKHKr27AOb9kvt06qaVfqXSaI2qMqT+8AgBZxrICAAJ70AIAADIcAgAACHICAAAuXAIAABzAAgAALsoCAAAh6AIAALG8AgAACmID//6GqsA==
Date: Wed, 13 Dec 2017 06:34:30 +0000
Message-ID: <677f41484d9f413aab126b623141d729@XCH-ALN-014.cisco.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <933E6F70-A7C1-4168-9AC9-F925EF78D9E2@jisc.ac.uk> <AE2036D0-1294-45B5-A0D7-16F91E0B4248@cisco.com> <alpine.WNT.2.21.1.1712121615090.2252@smurf> <EE3BB1A7-EAD9-4BE1-9EA2-B780580E5C95@cisco.com> <alpine.WNT.2.21.1.1712121704430.2252@smurf> <B41EF4CD-309C-4E0F-BE7A-B77A244DA421@cisco.com> <alpine.WNT.2.21.1.1712121824110.2252@smurf> <313FEFCE-FD61-4394-804D-91BAE98CA687@cisco.com> <alpine.WNT.2.21.1.1712121947300.2252@smurf> <38A550CE-C1E5-441E-B25E-7E87D266F627@cisco.com>
In-Reply-To: <38A550CE-C1E5-441E-B25E-7E87D266F627@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.87.46]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/tIEIdWmMTx5yYqT3mqPz9jjniXQ>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 06:34:35 -0000

Once we are arguing "It doesn't work when there's bugs or misconfigs",
then we've sunk pretty low. But now that we're there, here is a more
likely bug: Retransmission with a new request-authenticator.
draft-dekok will interpret that as an entirely new request.
That is why keeping the id and authenticator separate is cleaner.

Thanks,
Jakob


-----Original Message-----
From: radext [mailto:radext-bounces@ietf.org] On Behalf Of Naiming Shen (naiming)
Sent: Tuesday, December 12, 2017 10:08 PM
To: Peter Deacon <peterd@iea-software.com>
Cc: radext@ietf.org
Subject: Re: [radext] Extended IDs


When I say “check the status of the server”, sorry I didn’t mean the server-status
message. When an operator decides to do manual configuration of a new feature
and override the normal automated discovery procedure, he/she needs to check
the radius server and/or radius proxy server software version, status, etc. He/she would
not just blindly configure the new feature, and go home to sleep and assume
everything is fine. That's just common sense. 

BTW, Status-server is not supported universally is not a problem here.
When the server software supports this draft, then it MUST implement the
Status-server message at least for this feature.

Regards,
- Naiming

> On Dec 12, 2017, at 9:58 PM, Peter Deacon <peterd@iea-software.com> wrote:
> 
> On Wed, 13 Dec 2017, Naiming Shen (naiming) wrote:
> 
>> If you insist misconfiguration is the greatest thing we have to deal with,
> 
> Decision to expand on original remarks in response to call for adoption was result of your inquiry:
> 
> "Third, if assume an operation completely messed up, and leaking this extended-ID towards the home-server, I still need to see a good example on what the harm is that, and why this can not be debugged. The draft I agree needs to add some text on various cases and how to debug those in each of them."
> 
> Otherwise I am happy with the relative strength of my remarks in their original context.
> 
>> then I can imagine you misconfigurae your server ip address and proxy ip address,
>> and packets will not be returned, how to you troubleshoot that? if you do
> 
> If when manually switched on in an environment where it should not be the result is not working at all that would be perfectly fine.  Unfortunatly as I have shown this is not the case with extended-id.
> 
> In this aspect of consideration ORA clearly has an advantage both in ability to detect and report failure and nature of failure itself.
> 
>> have ways, and this draft also have ways. Can you imaging an operator
>> insist to do a manual configuration without check the status of the server,
> 
> Yes absolutely.  This will defiantly occur.  Status-server is not universally supported.
> 
> regards,
> Peter

_______________________________________________
radext mailing list
radext@ietf.org
https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email