Re: [radext] AD review http://tools.ietf.org/html/draft-ietf-radext-dtls-09

Alan DeKok <aland@deployingradius.com> Wed, 16 April 2014 16:47 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C33A11A00FB for <radext@ietfa.amsl.com>; Wed, 16 Apr 2014 09:47:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DqvYm-5uUynY for <radext@ietfa.amsl.com>; Wed, 16 Apr 2014 09:47:35 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id ADD3A1A01AC for <radext@ietf.org>; Wed, 16 Apr 2014 09:47:34 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 7D83622401C5; Wed, 16 Apr 2014 18:47:00 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dnK2q9FEEvzL; Wed, 16 Apr 2014 18:46:57 +0200 (CEST)
Received: from Thor.local (unknown [64.229.83.96]) by power.freeradius.org (Postfix) with ESMTPSA id D1E5722403B8; Wed, 16 Apr 2014 18:46:56 +0200 (CEST)
Message-ID: <534EB3FF.5040507@deployingradius.com>
Date: Wed, 16 Apr 2014 12:46:55 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Benoit Claise <bclaise@cisco.com>
References: <534D42E8.8020501@cisco.com>
In-Reply-To: <534D42E8.8020501@cisco.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/uHWMP58d4O3vGv3QMYSYuAI8kTM
Cc: "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] AD review http://tools.ietf.org/html/draft-ietf-radext-dtls-09
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2014 16:47:37 -0000

Benoit Claise wrote:
> - In section 5.1:
> 
>    A RADIUS/DTLS server MUST track ongoing DTLS client session based the
>    following 4-tuple:
> 
> Does the MUST also apply to the DTLS Data and Last Traffic as well?

  The MUST means that the 4 tuple MUST contain the DTLS session
information.  The Last Traffic need be there only if it's used.  The
implementation-specific DTLS data information is there only if it's
needed by the implementation.

  I'll update the text to make this clearer.

> - Any reason why this sentence is repeated. Maybe the third one wants to
> stress_ for all DTLS sessions_?

  Yes.  I'll make that clear.

> - Section 7 "Implementation experience" should follow RFC 6982
> "Implementation Status" format.
> Example:
> https://datatracker.ietf.org/doc/draft-ietf-eman-energy-aware-mib/ or
> https://datatracker.ietf.org/doc/draft-ietf-eman-energy-monitoring-mib/

  I'll take a look.

> - IANA considerations.
> Please make sure to spell out the exact IANA registry.

  Done.

> Editorial:
> - OLD:
> 
>    This specification does not, however, solve all of the problems
>    associated with RADIUS.
> 
> NEW:
>    This specification does not, however, solve all of the problems
>    associated with RADIUS/UDP

  Done.

> - Some misalignement in section 5.1:
>    Each 4-tuple points to a unique session entry, which contains the
>    following information:

  I'll update the text.

>       10.1
>       <http://tools.ietf.org/html/draft-ietf-radext-dtls-09#section-10.1>.
>       Legacy RADIUS Security
> 
>    protocol.  We suggest that RADIUS clients and servers implement
>    either this specification, or [RFC6614 <http://tools.ietf.org/html/rfc6614>].
> 
> "protocol" looks lonely there :-)

  Fixed.

> - please extend CSPRNG

  Done.

> - 
>    When DTLS is used, the fixed IP address model can be relaxed.  As
>    discussed earlier in Section 2.2.1 <http://tools.ietf.org/html/draft-ietf-radext-dtls-09#section-2.2.1>, client identies should be
>    determined from TLS parameters.
> 
> identies?

  Fixed.

  Alan DeKok.