Re: [radext] Proposed new charter text
Peter Deacon <peterd@iea-software.com> Mon, 23 March 2015 18:14 UTC
Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BC9A1AD0CF for <radext@ietfa.amsl.com>; Mon, 23 Mar 2015 11:14:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2f2gb_WEiIhv for <radext@ietfa.amsl.com>; Mon, 23 Mar 2015 11:14:25 -0700 (PDT)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id 3E8121AD0CE for <radext@ietf.org>; Mon, 23 Mar 2015 11:14:25 -0700 (PDT)
Received: from SMURF.peterd.ws (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0005964441@aspen.iea-software.com>; Mon, 23 Mar 2015 11:14:24 -0700
Date: Mon, 23 Mar 2015 11:14:30 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <5FA970CC-2E05-4EFC-8AE6-840D334B28E4@deployingradius.com>
Message-ID: <alpine.WNT.2.20.1.1503230923000.3600@SMURF>
References: <5502B836.5000100@restena.lu> <alpine.WNT.2.20.1.1503221133420.3600@SMURF> <9C712CB9-7834-4049-9318-54E769F7661D@deployingradius.com> <alpine.WNT.2.20.1.1503221518060.3600@SMURF> <2DB68EA1-97A6-4263-9E7F-9BD24B567C7A@deployingradius.com> <alpine.WNT.2.20.1.1503221852040.3600@SMURF> <5FA970CC-2E05-4EFC-8AE6-840D334B28E4@deployingradius.com>
User-Agent: Alpine 2.20.1 (WNT 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="1035896201-25012-1427127805=:3600"
Content-ID: <alpine.WNT.2.20.1.1503230923510.3600@SMURF>
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/tQ3T5ItVmMb-x94M4hsqcl2Mi9o>
Cc: "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Proposed new charter text
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 18:14:27 -0000
On Mon, 23 Mar 2015, Alan DeKok wrote: To clear up any confusion I will go back and expand on my previous question. Roaming network consisting of a number of participating organizations all sharing access. 'Home' system, roaming network (RoamA,B,C) and 'Visit' systems all controlled by separate companies. Each use different RADIUS systems. The word STATE refers to Operator-NAS-Identifier or something like it. +------+ +-------+ +-------+ +-------+ +-------+ +----------+ | Home | - | RoamA | - | RoamB | - | RoamC | - | Visit | - | VisitNAS | +------+ +-------+ +-------+ +-------+ +-------+ +----------+ Scenario A: 'Home' user logs on to 'VisitNAS' as user@home using realm proxy, Access-Request proxied to home server and user admitted to the network. At a later time home server decides to send a DM request to disconnect user@home. It transmits a request to RoamA containing roughly: Operator-Name="1visit" Operator-NAS-Identifier=010100100101010 Acct-Session-Id="dontchawishwewerealwaysunique" NAS-Port-Id="Astern123" NAS-IP-Address=10.1.1.1 This request does NOT contain User-Name. Issues: - 'RoamA' can either use STATE included in the request to verify Acct-Session-Id is related to a session belonging to 'Home' before it enters the roaming network or it can simply punt responsibility up thru the proxy chain. - If 'RoamA' decides to punt to 'RoamB' or 'RoamC' the same problem of using STATE to verify Acct-Session-Id is related is encountered. Also since there is no standard way of communicating 'Home' originated the request roaming network will need to manage some OOB or proprietary method of facilitating origination information so that it can render a coherent judgment. - If RoamA-C all fail to verify Acct-Session-Id the request responsibility is punted to 'Visit' - If 'Visit' trusts the roaming network and STATE is never used to verify relationship of DM to 'Home' the effective outcome any 'Home' network is able to disconnect any of their competitors users with only knowledge of session identifying attributes. - If 'Visit' is more cautious and can get trusted originating 'Home' information from 'Roam' and STATE this could be used to verify the relationship itself. Scenario B: 'Home' user logs on to 'VisitNAS' as user using policy based proxy on a VSA. Access-Request proxied to home server and user admitted to the network. At a later time home server decides to send a DM request to disconnect user. It transmits a request to RoamA containing roughly: Operator-Name="1visit" Operator-NAS-Identifier=010100100101010 User-Name="user" Acct-Session-Id="dontchawishwewerealwaysunique" NAS-Port-Id="Astern123" NAS-IP-Address=10.1.1.1 This request does NOT contain VSA used for policy based proxy. Issues are identical to scenario A. STATE is helpful in addressing situations where there is a mismatch between session identification and means of proxy. > The draft implements CoA proxying based on Operator-Name. This is > sufficient for all proxies to get the packet to the visited domain, > independent of anything else in the packet. The Operator-Name *is* > “sufficient information” for all proxies. The proxies need no other > information, and can safely ignore every single other attribute in the > packet. No unfortunately this does not work across administrative domains as operators are able to affect operation of unrelated sessions belonging to other operators without the checks in place. While all parties explicitly trust roaming infrastructure they may not necessarily trust each other. regards, Peter
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Peter Deacon
- Re: [radext] Proposed new charter text Sam Hartman
- Re: [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Sam Hartman
- Re: [radext] Secure COA Sam Hartman
- Re: [radext] Secure COA Alan DeKok
- Re: [radext] Secure COA Sam Hartman
- Re: [radext] Proposed new charter text Peter Deacon
- [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Stefan Winter
- Re: [radext] Proposed new charter text Alan DeKok
- Re: [radext] Proposed new charter text Stefan Winter