IETF Logo Mail Archive

[radext] RE : Re: Alissa Cooper's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)

<lionel.morand@orange.com> Tue, 06 September 2016 15:03 UTC

Return-Path: <lionel.morand@orange.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2976C12B3C3; Tue, 6 Sep 2016 08:03:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.618
X-Spam-Level:
X-Spam-Status: No, score=-2.618 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Up3n-PuN60H0; Tue, 6 Sep 2016 08:03:47 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias91.francetelecom.com [193.251.215.91]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3A1012B3A1; Tue, 6 Sep 2016 08:03:46 -0700 (PDT)
Received: from omfedm08.si.francetelecom.fr (unknown [xx.xx.xx.4]) by omfedm11.si.francetelecom.fr (ESMTP service) with ESMTP id 5AAB33B426F; Tue, 6 Sep 2016 17:03:45 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [10.114.31.42]) by omfedm08.si.francetelecom.fr (ESMTP service) with ESMTP id 2C5862380BD; Tue, 6 Sep 2016 17:03:45 +0200 (CEST)
Received: from OPEXCLILM43.corporate.adroot.infra.ftgroup ([fe80::ec23:902:c31f:731c]) by OPEXCLILM41.corporate.adroot.infra.ftgroup ([fe80::c845:f762:8997:ec86%19]) with mapi id 14.03.0301.000; Tue, 6 Sep 2016 17:03:44 +0200
From: lionel.morand@orange.com
To: Alan DeKok <aland@deployingradius.com>
Thread-Topic: RE : Re: [radext] Alissa Cooper's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)
Thread-Index: AQHSCE/cp8Isvqe0LUuPSPGEr4QoVw==
Date: Tue, 06 Sep 2016 15:03:44 +0000
Message-ID: <9128_1473174225_57CEDAD1_9128_1350_1_6B7134B31289DC4FAF731D844122B36E01F9F961@OPEXCLILM43.corporate.adroot.infra.ftgroup>
References: <147137412687.22998.17081075232946825763.idtracker@ietfa.amsl.com> <CAHbuEH7+Gw=zDiN66Aydmie2M4dXcVqjLKWHixR7Qe6ECfN9Hg@mail.gmail.com> <D0152C61-D391-482B-BF1E-45180F89DA41@cooperw.in> <EACFFDF5-3974-4778-8EDD-A68410BAD972@gmail.com> <28413_1473165080_57CEB718_28413_354_4_6B7134B31289DC4FAF731D844122B36E01F9F38E@OPEXCLILM43.corporate.adroot.infra.ftgroup>, <4DCE81CA-FC1F-4CFF-82E1-135E158087C6@deployingradius.com>
In-Reply-To: <4DCE81CA-FC1F-4CFF-82E1-135E158087C6@deployingradius.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_6B7134B31289DC4FAF731D844122B36E01F9F961OPEXCLILM43corp_"
MIME-Version: 1.0
X-PMX-Version: 6.2.1.2478543, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2016.6.17.114517
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/wAZ22qDTPWgu09tqCLWtwWtrYW4>
Cc: "draft-ietf-radext-ip-port-radius-ext@ietf.org" <draft-ietf-radext-ip-port-radius-ext@ietf.org>, "radext@ietf.org" <radext@ietf.org>, Alissa Cooper <alissa@cooperw.in>, "kathleen.moriarty.ietf@gmail.com" <kathleen.moriarty.ietf@gmail.com>, IESG <iesg@ietf.org>, "radext-chairs@ietf.org" <radext-chairs@ietf.org>
Subject: [radext] RE : Re: Alissa Cooper's Discuss on draft-ietf-radext-ip-port-radius-ext-11: (with DISCUSS and COMMENT)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2016 15:03:52 -0000

Hi Alan,

" In this case, there are multiple parent attributes which define essentially the same sub-TLVs.  It would be nice to be able to re-use these these sub-TLVs, without having multiple different definitions for them."

How do you know that a newly defined sub-TLV will/may be reused or not in other (future) parent attributes?

In the document describing the new attribute, you may have a clear idea about the use in multiple parent attributes for one sub-TLV (Foo) and you may consider that another sub-TLV (Bar) will be used only once. But tomorrow, for another purpose, the sub-TLV Bar appears to be really useful and it is decided to use it in multiple (new) attributes.

How will you ensure that the same value can be reused for Bar if not reserved?

Regards,

Lionel

Le 6 sept. 2016 15:16, Alan DeKok <aland@deployingradius.com> a écrit :
On Sep 6, 2016, at 8:31 AM, lionel.morand@orange.com wrote:
> Which means that whatever the parent attribute, value 1 will have to be reserved for IP-Port, value 2 for IP-Port-Limit, etc. even if these TLVs are never unused in these attributes.
> The argument given by Alan is that "a TLV called "foo" should have the same TLV-Type value (e.g. 1) across multiple parent TLVs.  There is enough space to do sparse allocation."

  In this draft, yes.  Where the same sub-TLVs are used in multiple different parent TLVs.

  It's not a hard & fast recommendation.  It's just one of the little things that would be nice, if it can be done.

> Following these recommendations, the section 7.3 should be revised as follow, with a TLV-Type defined per parent attribute:

  That needs to be done, as IANA requires very specific instructions.

  My $0.02 is that I'd like to see:

IP-Port-Type-Parent-A have the same "TLV-Type" value as IP-Port-Type-Parent-B.

> And the values x.x.{1-11} will have to be reserved for any new attribute of type "TLV" defined in the ranges 241.{6-240}, 242.{1-240}, 243.{1-240}, 244.{1-240}, 245.{1-240} and 246.{1-240}.

  That's not what I'm saying.

> It would be like defining a new registry for sub-TLVs. That is, in my opinion, in contradiction with the definition of the TLV data type given in section 7.3 of RFC6929 (see above).

  I would be in for of a new registry for sub-TLVs, but only where those sub-TLVs are re-used a lot.

  As an example, let's say we had firewall rules defined in RADIUS TLVs.  Each firewall rule can specify a src/dst IP/port, for 4 different fields.  The firewall rules have an "input" set, for packets destined locally, and an "output" set, for packets destined remotely.

  Let's say we have the following definitions for "input" attributes.  I'll omit numbers for clarity, but assume that order matters:

INPUT
        SRC-IP-Input
        DST-IP-Input
        SRC-Port-Input
        DST-Port-Input

  We need to define something similar for the output rules.  We could do this:

OUTPUT
        SRC-IP-Output
        DST-IP-Output
        SRC-Port-Output
        DST-Port-Output

  Which is nice.  The sub-TLVs have the same order.

  Or, if numbering doesn't matter, we could do:

OUTPUT
        SRC-Port-Output
        DST-Port-Output
        SRC-IP-Output
        DST-IP-Output

  Or:

OUTPUT
        SRC-Port-Output
        SRC-IP-Output
        DST-IP-Output
        DST-Port-Output

  I think that either of these last two options is objectively worse than the first one.

  Note that I'm not suggesting that *all* attributes have these 4 sub-TLVs defined.  Just the attributes which define firewall rules.

  In this case, there are multiple parent attributes which define essentially the same sub-TLVs.  It would be nice to be able to re-use these these sub-TLVs, without having multiple different definitions for them.

  I hope that clarifies things.

  Alan DeKok.


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email