IETF Logo Mail Archive

Re: [radext] Small issues in the ALPN draft

Jan-Frederik Rieckers <rieckers@dfn.de> Wed, 20 March 2024 03:53 UTC

Return-Path: <rieckers@dfn.de>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F9BFC15109D for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 20:53:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GMb6J1xgldLM for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 20:53:34 -0700 (PDT)
Received: from b1004.mx.srv.dfn.de (b1004.mx.srv.dfn.de [IPv6:2001:638:d:c302:acdc:1979:2:58]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AD36C151084 for <radext@ietf.org>; Tue, 19 Mar 2024 20:53:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:in-reply-to:organization:from:from :references:content-language:subject:subject:user-agent :mime-version:date:date:message-id:received; s=s1; t=1710906807; x=1712721208; bh=iUzPsZgKJUYLBd4WiV/E+ZOC+MmTfTyVUFMWogzbI9I=; b= I//ilpOw7fyyUNNnklL3vixuAbZ56TwSOfMsa0t5qyHB6ByH7kuE73E5jOp4pf5I aGaluJc5g1nQBtzAjF7zvY7rMytBM6q1ipzKE7J+elgIbX+sJ17Cg09Dk0/WD7ob Zk0p2Cb4z51BXu2zsjit9KyPR7qxL0hK8/k3VYmnRnU=
Received: from mail.dfn.de (mail.dfn.de [IPv6:2001:638:d:c102::150]) by b1004.mx.srv.dfn.de (Postfix) with ESMTPS id 769A32200DA for <radext@ietf.org>; Wed, 20 Mar 2024 04:53:27 +0100 (CET)
Received: from [31.133.131.50] (dhcp-8332.meeting.ietf.org [31.133.131.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.in.dfn.de (Postfix) with ESMTPSA id 719823D6 for <radext@ietf.org>; Wed, 20 Mar 2024 04:53:19 +0100 (CET)
Message-ID: <edcbd00f-860e-4035-9abc-c9f23e8a5560@dfn.de>
Date: Wed, 20 Mar 2024 13:53:14 +1000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: radext@ietf.org
References: <3a5885c2-fa5a-4aae-a1f4-e79b9456ad94@dfn.de> <3C061F54-4D3A-4523-AC5B-E744A22A8EA3@deployingradius.com> <c1a00b2f-e716-4e8e-87d3-0d8dedeb8957@dfn.de> <E2A51B6B-A621-41B7-8371-B5110AD29624@deployingradius.com>
From: Jan-Frederik Rieckers <rieckers@dfn.de>
X-Enigmail-Draft-Status: N11222
Organization: DFN e.V.
In-Reply-To: <E2A51B6B-A621-41B7-8371-B5110AD29624@deployingradius.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms080006020809030101080902"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/xpV_6fYWFrje92FHIL2t-yU15b4>
Subject: Re: [radext] Small issues in the ALPN draft
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 03:53:39 -0000


On 20.03.24 13:35, Alan DeKok wrote:
> On Mar 20, 2024, at 11:49 AM, Jan-Frederik Rieckers <rieckers@dfn.de> wrote:
>> We have the problem of different cache times. If the client (stupidly, but conforming with the spec) implements a lowest-free-token algorithm, and the cache times for client and server don't match, the client may purge an outstanding request after 15 sec and re-use the token value for a new request, but the server identifies this as misbehavior, because it purges outstanding requests only after 30 sec and therefore closes the connection.
> 
>    If the server has replied to a packet for token X, and then receives a *different* packet with token X, then that's fine.

The problem only occurs if the server didn't reply yet.

If there is already a reply, then I agree, this isn't a problem.

But for outstanding packets, the server and client MUST have a matching 
idea of when a token can be reused, in order to have a stable connection.

With RADIUS/UDP, a server would just discard the second (new) packet and 
the client would do retransmission until the server finally throws away 
the first (old) packet and recognizes the second as the new packet for 
this identifier.

I'm not sure how it would work with RADIUS/TCP, I suppose the server 
would just throw away the old packet, since the client clearly lost 
interest in it? (retransmissions are forbidden in RADIUS/TCP, so there 
is no need to do deduplication)

Cheers,

Janfred

-- 
Herr Jan-Frederik Rieckers
Security, Trust & Identity Services

E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education 
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de

Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | 
Christian Zens
Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729B | USt.-ID. DE 136623822

v2.23.0 | Report a Bug | By Email