Re: [radext] Small issues in the ALPN draft
Jan-Frederik Rieckers <rieckers@dfn.de> Wed, 20 March 2024 03:53 UTC
Return-Path: <rieckers@dfn.de>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F9BFC15109D for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 20:53:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GMb6J1xgldLM for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 20:53:34 -0700 (PDT)
Received: from b1004.mx.srv.dfn.de (b1004.mx.srv.dfn.de [IPv6:2001:638:d:c302:acdc:1979:2:58]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AD36C151084 for <radext@ietf.org>; Tue, 19 Mar 2024 20:53:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:in-reply-to:organization:from:from :references:content-language:subject:subject:user-agent :mime-version:date:date:message-id:received; s=s1; t=1710906807; x=1712721208; bh=iUzPsZgKJUYLBd4WiV/E+ZOC+MmTfTyVUFMWogzbI9I=; b= I//ilpOw7fyyUNNnklL3vixuAbZ56TwSOfMsa0t5qyHB6ByH7kuE73E5jOp4pf5I aGaluJc5g1nQBtzAjF7zvY7rMytBM6q1ipzKE7J+elgIbX+sJ17Cg09Dk0/WD7ob Zk0p2Cb4z51BXu2zsjit9KyPR7qxL0hK8/k3VYmnRnU=
Received: from mail.dfn.de (mail.dfn.de [IPv6:2001:638:d:c102::150]) by b1004.mx.srv.dfn.de (Postfix) with ESMTPS id 769A32200DA for <radext@ietf.org>; Wed, 20 Mar 2024 04:53:27 +0100 (CET)
Received: from [31.133.131.50] (dhcp-8332.meeting.ietf.org [31.133.131.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.in.dfn.de (Postfix) with ESMTPSA id 719823D6 for <radext@ietf.org>; Wed, 20 Mar 2024 04:53:19 +0100 (CET)
Message-ID: <edcbd00f-860e-4035-9abc-c9f23e8a5560@dfn.de>
Date: Wed, 20 Mar 2024 13:53:14 +1000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: radext@ietf.org
References: <3a5885c2-fa5a-4aae-a1f4-e79b9456ad94@dfn.de> <3C061F54-4D3A-4523-AC5B-E744A22A8EA3@deployingradius.com> <c1a00b2f-e716-4e8e-87d3-0d8dedeb8957@dfn.de> <E2A51B6B-A621-41B7-8371-B5110AD29624@deployingradius.com>
From: Jan-Frederik Rieckers <rieckers@dfn.de>
X-Enigmail-Draft-Status: N11222
Organization: DFN e.V.
In-Reply-To: <E2A51B6B-A621-41B7-8371-B5110AD29624@deployingradius.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms080006020809030101080902"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/xpV_6fYWFrje92FHIL2t-yU15b4>
Subject: Re: [radext] Small issues in the ALPN draft
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 03:53:39 -0000
On 20.03.24 13:35, Alan DeKok wrote: > On Mar 20, 2024, at 11:49 AM, Jan-Frederik Rieckers <rieckers@dfn.de> wrote: >> We have the problem of different cache times. If the client (stupidly, but conforming with the spec) implements a lowest-free-token algorithm, and the cache times for client and server don't match, the client may purge an outstanding request after 15 sec and re-use the token value for a new request, but the server identifies this as misbehavior, because it purges outstanding requests only after 30 sec and therefore closes the connection. > > If the server has replied to a packet for token X, and then receives a *different* packet with token X, then that's fine. The problem only occurs if the server didn't reply yet. If there is already a reply, then I agree, this isn't a problem. But for outstanding packets, the server and client MUST have a matching idea of when a token can be reused, in order to have a stable connection. With RADIUS/UDP, a server would just discard the second (new) packet and the client would do retransmission until the server finally throws away the first (old) packet and recognizes the second as the new packet for this identifier. I'm not sure how it would work with RADIUS/TCP, I suppose the server would just throw away the old packet, since the client clearly lost interest in it? (retransmissions are forbidden in RADIUS/TCP, so there is no need to do deduplication) Cheers, Janfred -- Herr Jan-Frederik Rieckers Security, Trust & Identity Services E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370 Pronomen: er/sein | Pronouns: he/him __________________________________________________________________________________ DFN - Deutsches Forschungsnetz | German National Research and Education Network Verein zur Förderung eines Deutschen Forschungsnetzes e.V. Alexanderplatz 1 | 10178 Berlin https://www.dfn.de Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian Zens Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch VR AG Charlottenburg 7729B | USt.-ID. DE 136623822
- [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Alexander Clouter
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Heikki Vatiainen
- Re: [radext] Small issues in the ALPN draft Alan DeKok