Re: [radext] A proposal to allow more than 256 packets on any connection
Enke Chen <enkechen@cisco.com> Wed, 26 April 2017 19:37 UTC
Return-Path: <enkechen@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07496129450 for <radext@ietfa.amsl.com>; Wed, 26 Apr 2017 12:37:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.523
X-Spam-Level:
X-Spam-Status: No, score=-14.523 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GvykJLi18kUw for <radext@ietfa.amsl.com>; Wed, 26 Apr 2017 12:37:39 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEF0C1293F4 for <radext@ietf.org>; Wed, 26 Apr 2017 12:37:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5836; q=dns/txt; s=iport; t=1493235458; x=1494445058; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to:content-transfer-encoding; bh=divfo5pgQc8k+OZv8NiadeOu73l6NdoLLcPbpm70dqg=; b=TWkUhL45e5ufY9xS1qoSrjCXFC52NJaRw2fYotMQO7mO3E9Qw7yW+QRs DwQrkx1cHqJZxQ63R87kY3Ph1wB1H51ntTnMimMwLwPszUJW+2ZdJz/Z9 J9N93+DdBoSHhyVj5aj7mndmhE6D5b2x3izFM7JCfoBocx5bkvM6zYpED I=;
X-IronPort-AV: E=Sophos;i="5.37,255,1488844800"; d="scan'208";a="418057522"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Apr 2017 19:37:38 +0000
Received: from [10.82.220.141] (rtp-vpn3-1160.cisco.com [10.82.220.141]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id v3QJbb2j029180; Wed, 26 Apr 2017 19:37:37 GMT
To: Bernard Aboba <bernard.aboba@gmail.com>
References: <149306333665.25840.6313986250597447759.idtracker@ietfa.amsl.com> <1AB9F08E-0739-4BE3-9827-3EA830DC113B@freeradius.org> <CAOW+2ds=FjVxfmexhYrNMGV0-O+nYohSN=ou-O4upsoA90g0og@mail.gmail.com>
Cc: Alan DeKok <aland@freeradius.org>, radext@ietf.org, Enke Chen <enkechen@cisco.com>, Naiming Shen <naiming@cisco.com>
From: Enke Chen <enkechen@cisco.com>
Message-ID: <d101bdb1-60ef-d649-92e7-f2db0b829a93@cisco.com>
Date: Wed, 26 Apr 2017 12:37:36 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CAOW+2ds=FjVxfmexhYrNMGV0-O+nYohSN=ou-O4upsoA90g0og@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/xIRMjM_wTIcmJIMfOifAM-FxI7I>
Subject: Re: [radext] A proposal to allow more than 256 packets on any connection
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 19:37:41 -0000
Hi, Bernard: In this case it is more like a "wart removal" than a "heart transplant" :-) Regards, -- Enke On 4/24/17 2:20 PM, Bernard Aboba wrote: > Alan said: > > "Note that I'm *not* proposing a change to the Id field, or to much else in the protocol." > > [BA] +1 to that. > > RADIUS is 25+ years old, and given the pace of change on the Internet, one can make a case that protocol age is somewhat akin to "dog years". > > That would make RADIUS 175 years old! > > Changing the Id field in RADIUS is somewhat akin to attempting a heart transplant on a 175 year-old. > > While some doctor might try this (more as a "cash-ectomy" than a legitimate procedure), let's not pretend that it is in the best interest of the patient. > > Carry on! > > > On Mon, Apr 24, 2017 at 1:00 PM, Alan DeKok <aland@freeradius.org <mailto:aland@freeradius.org>> wrote: > > I've written a draft to allow more than 256 packets on any connection. Note that I'm *not* proposing a change to the Id field, or to much else in the protocol. > > The document is a first draft, and doesn't cover some of the protocol details. But the concept is very simple: > > a) use Status-Server to negotiate the new functionality (see below for details) > > b) allow clients to use Request Authenticator as a unique key for packets, in addition to src/dst ip/port, Code, and Id > > i) For Access-Request packets, Request Authenticator is a bunch of random numbers, which is fine. > > ii) for other packet types Request Authenticator is the signature of the packet contents and the secret. So if the contents are the same, the Request Authenticator is the same. If the contents are different, it's different. > > c) have the server send a new attribute: Original-Request-Authenticator in response packets. This allows clients to correlate responses with requests, using the key mentioned in (b), above. > > For negotiation, a client sends Status-Server containing Original-Request-Authenticator of all zeroes. If the server has the functionality, it sends a response containing Original-Request-Authenticator with value copied from the original Request Authenticator. > > All other packet signing / Id management stays the same. > > I think this is the minimal possible change to RADIUS which solves the underlying problem. As such, I hope it's also the least contentious. > > To do for the spec: > > - more text on how Original-Request-Authenticator works in response packets > > - more text on why this works for all packet types > > - make the text less hacky (it was written in less than a day, after the concept was worked out) > > - get WG review (I don't think we can achieve consensus quickly on this) > > Alan DeKok. > > > Begin forwarded message: > > > > From: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org> > > Subject: New Version Notification for draft-dekok-radext-request-authenticator-00.txt > > Date: April 24, 2017 at 3:48:56 PM EDT > > To: "Alan DeKok" <aland@freeradius.org <mailto:aland@freeradius.org>> > > > > > > A new version of I-D, draft-dekok-radext-request-authenticator-00.txt > > has been successfully submitted by Alan DeKok and posted to the > > IETF repository. > > > > Name: draft-dekok-radext-request-authenticator > > Revision: 00 > > Title: Correlating requests and replies in the Remote Authentication Dial In User Service (RADIUS) Protocol via the Request Authenticator. > > Document date: 2017-04-24 > > Group: Individual Submission > > Pages: 14 > > URL: https://www.ietf.org/internet-drafts/draft-dekok-radext-request-authenticator-00.txt <https://www.ietf.org/internet-drafts/draft-dekok-radext-request-authenticator-00.txt> > > Status: https://datatracker.ietf.org/doc/draft-dekok-radext-request-authenticator/ <https://datatracker.ietf.org/doc/draft-dekok-radext-request-authenticator/> > > Htmlized: https://tools.ietf.org/html/draft-dekok-radext-request-authenticator-00 <https://tools.ietf.org/html/draft-dekok-radext-request-authenticator-00> > > Htmlized: https://datatracker.ietf.org/doc/html/draft-dekok-radext-request-authenticator-00 <https://datatracker.ietf.org/doc/html/draft-dekok-radext-request-authenticator-00> > > > > > > Abstract: > > RADIUS contains a one-octet Identifier field which is used to > > correlate requests and replies. This field limits the number of > > outstanding requests to 256. Experience shows that this limitation > > is problematic for high load systems. This document proposes to use > > the Request Authenticator field as an additional unique identifier. > > The replies can then be correlated to requests by copying the Request > > Authenticator from the request to a new attribute in the response, > > called the Original-Request-Authenticator. > > > > > > > > > > Please note that it may take a couple of minutes from the time of submission > > until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org>. > > > > The IETF Secretariat > > > > > _______________________________________________ > radext mailing list > radext@ietf.org <mailto:radext@ietf.org> > https://www.ietf.org/mailman/listinfo/radext <https://www.ietf.org/mailman/listinfo/radext> > > > > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext >
- [radext] A proposal to allow more than 256 packet… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Ignacio Goyret
- Re: [radext] A proposal to allow more than 256 pa… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Bernard Aboba
- Re: [radext] A proposal to allow more than 256 pa… Ignacio Goyret
- Re: [radext] A proposal to allow more than 256 pa… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Peter Deacon
- Re: [radext] A proposal to allow more than 256 pa… Ignacio Goyret
- Re: [radext] A proposal to allow more than 256 pa… Alan DeKok
- Re: [radext] A proposal to allow more than 256 pa… Ignacio Goyret
- Re: [radext] A proposal to allow more than 256 pa… Enke Chen