[radext] Concerns with Operator-NAS-Identifer
Mohit Sethi <mohit.m.sethi@ericsson.com> Thu, 16 August 2018 18:39 UTC
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 662BA130E40 for <radext@ietfa.amsl.com>; Thu, 16 Aug 2018 11:39:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tJoDXshomDyU for <radext@ietfa.amsl.com>; Thu, 16 Aug 2018 11:39:23 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4755A128CFD for <radext@ietf.org>; Thu, 16 Aug 2018 11:39:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1534444761; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=REN/iga79XkAEqdRHcq97GYrqQbAMocMCtKonH3D9jo=; b=YHthxByK0/QDLc2ucjelQ3BqXg+JkGGakLdEJ0a+pO/OhhTfsUHj3HG7Vg9GTZtp w2fXqkGx2552iiMyq9Sl7eJa3PjG2vmo2suJSMLsqEDPs61M5/Gy4OLTZmhXORm4 ALXvCKcupztwbTggNS579FJv0KQqajIXyOyAz5HMWHc=;
X-AuditID: c1b4fb2d-223ff700000055ff-33-5b75c4d9a230
Received: from ESESSMB501.ericsson.se (Unknown_Domain [153.88.183.119]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id 40.C9.22015.9D4C57B5; Thu, 16 Aug 2018 20:39:21 +0200 (CEST)
Received: from ESESSMR502.ericsson.se (153.88.183.110) by ESESSMB501.ericsson.se (153.88.183.119) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Thu, 16 Aug 2018 20:39:21 +0200
Received: from ESESBMB502.ericsson.se (153.88.183.169) by ESESSMR502.ericsson.se (153.88.183.110) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Thu, 16 Aug 2018 20:39:21 +0200
Received: from nomadiclab.fi.eu.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.185) with Microsoft SMTP Server id 15.1.1466.3 via Frontend Transport; Thu, 16 Aug 2018 20:39:20 +0200
Received: from nomadiclab.fi.eu.ericsson.se (localhost [127.0.0.1]) by nomadiclab.fi.eu.ericsson.se (Postfix) with ESMTP id 1D8ED481870; Thu, 16 Aug 2018 21:39:21 +0300 (EEST)
Received: from [127.0.0.1] (localhost [IPv6:::1]) by nomadiclab.fi.eu.ericsson.se (Postfix) with ESMTP id 892F8480F3E; Thu, 16 Aug 2018 21:39:20 +0300 (EEST)
To: radext-chairs@ietf.org, radext@ietf.org, draft-ietf-radext-coa-proxy@ietf.org, iesg@ietf.org, Eric Rescorla <ekr@rtfm.com>, Benjamin Kaduk <kaduk@mit.edu>, adam@nostrum.com
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
Message-ID: <473c4665-0b08-05ca-c56c-2b37c4710280@ericsson.com>
Date: Thu, 16 Aug 2018 21:39:20 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-AV-Checked: ClamAV using ClamSMTP
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuplkeLIzCtJLcpLzFFi42KZGbG9XPfmkdJog+/vNSz2/F3EbjHvyVNW ixWvz7FbzPgzkdli+caZTBZPO74wWbS8msnmwO6xZMlPJo+mM0eZPWbtfMLiMflxG3MASxSX TUpqTmZZapG+XQJXxtV/R1gLDilU7H17hLGB8ZNUFyMnh4SAicTa5S/Zuxi5OIQEjjJKLDh6 iA3C+cYocW/5RxY452HzHiYI5yKjxOXWZ1Blmxklup4eZIRwFjJKrL36DGyaiMA+RonDvbeY QdawCehJdJ47DmYLC+hKHJ3yiBHE5hWwl5j7dw8LiM0ioCrxccUJMFtUIEJi9fIXrBA1ghIn Zz4BizMLWEjMnH+eEcLWlli28DUzhC0ucevJfCaIl5QlFrQsAqsRElCX2NpxgHECo/AsJKNm IRk1C8moWUhGLWBkWcUoWpxaXJybbmSsl1qUmVxcnJ+nl5dasokRGEkHt/zW3cG4+rXjIUYB DkYlHt6ze0qjhVgTy4orcw8xSnAwK4nwntsMFOJNSaysSi3Kjy8qzUktPsQozcGiJM6rt2pP lJBAemJJanZqakFqEUyWiYNTqoGxdkJcV/jVhSEf3C+na3HMXdAxxd6YpeZG2tl30zM32rQe f7urdY2AHQvrFU15jYfCbJOLZp0o0Qpcs1l7s71S6cyWxg2/fFdmTfxTENu9W9vLtPtse4Nz xad9rO+3Scpnxmd/PbMrztlvWUfSl0tLtd6dfOb2QOzU+91e3VPuv7226BDXj3uXlFiKMxIN tZiLihMBL6eHk6ACAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/wXdZ8dibYVOTr-BQWgV5f_HNX1g>
Subject: [radext] Concerns with Operator-NAS-Identifer
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Aug 2018 18:39:26 -0000
Hi all, I have been a quiet observer on the radext list because of my interest in EAP, RADIUS and DIAMETER deployments. Recent comments from Adam and Ekr got me to look at this draft and its text on Operator-NAS-Identifer in more detail. Let me preface by first admitting that I certainly do not have as much deployment experience as some others on the list. So take my comments with tons of skepticism and please be a little gentle when shooting me down. The draft version -06 says that visited network SHOULD add Operator-NAS-Identifer attribute to the Access-Request or Accounting-Request packets. And when it is added, other attributes such as NAS-IP-Address, NAS-IPv6-Address, NAS-Identifier MUST be deleted. The text also says that for meeting the requirements of Section 4.1 of [RFC2865], a NAS-Identifier is added anyway. Finally, the draft says the following "We suggest that the contents of the NAS-Identifier be the Realm name of the Visited Network. That is, for everyone outside of the Visited Network, there is only one NAS: the Visited Network itself. For the Visited Network, the identity of the NAS is private information, which is opaque to everyone else." "We suggest" leaves a lot to interpretation in a standards document. Besides, this suggestion might break some deployments. Let me explain this a bit with an example: Many enterprises (rightly or wrongly) want to control which users can connect to which NAS. For example, employees of ACME should be allowed to connect to NAS A which allows access to the internal network and resources. Guests of ACME should only be allowed to connect to NAS B which allows restricted access to the Internet. Of course the situation gets more complex when a shared NAS is used and access separation is done with VLANs. Let's say that ACME has offices in London, Bangkok and San Jose with local AAA servers and users in realms acme.uk (for London), acme.th (for Bangkok) and acme.com (for San Jose). Employees often roam to different sites of ACME. When an employee from San Jose is in London, his/her authentication requests are forwarded to the AAA for acme.com based on the realm in the Network Access Identifier (NAI)/Radius User-Name attribute. Depending on which NAS the user is trying to connect through, the AAA would decide whether to send an Access-Accept or Access-Reject. In cases like this, the visited networks belongs to the same enterprise. The visited network can choose to hide some its internal network setup by using the same NAS-Identifier for a WLAN profile, VLAN interface, or AP group. I found Cisco describing this scenario at this page (please see the bottom of the page where it says "The NAS-ID is sent to the RADIUS server by the controller through an authentication request to classify users to different groups so that the RADIUS server can send a customized authentication response."): https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01000111.html and here I found Juniper describing something similar: https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-nas-port-id-overview.html I know of 1 deployment where such access control is done (the network administrator for this deployment has changed jobs and is not a regular participant but I can try and ask him to chime in). Of course there might be other deployments as well. In summary, there are situations when the visited network would want to differentiate the NAS classes through which a user is trying to connect and reveal that to the remote AAA making the access decision. The visited network is still in control of what and how much information it reveals. The NAS-Identifier string provides a lot of flexibility to network operators and suggesting some change to its use perhaps needs more thorough reasoning. --Mohit
- [radext] Concerns with Operator-NAS-Identifer Mohit Sethi
- Re: [radext] Concerns with Operator-NAS-Identifer Benjamin Kaduk
- Re: [radext] Concerns with Operator-NAS-Identifer Alan DeKok