Re: [radext] Small issues in the ALPN draft
Jan-Frederik Rieckers <rieckers@dfn.de> Wed, 20 March 2024 01:49 UTC
Return-Path: <rieckers@dfn.de>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73CB6C15155E for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 18:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.407
X-Spam-Level:
X-Spam-Status: No, score=-4.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aifu5qycwetm for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 18:49:23 -0700 (PDT)
Received: from b1004.mx.srv.dfn.de (b1004.mx.srv.dfn.de [IPv6:2001:638:d:c302:acdc:1979:2:58]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 041AAC15154E for <radext@ietf.org>; Tue, 19 Mar 2024 18:49:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:in-reply-to:organization:from:from :references:content-language:subject:subject:user-agent :mime-version:date:date:message-id:received; s=s1; t=1710899357; x=1712713758; bh=yX+fdW9paxoqbSkbfLJYYGKltVNXbH8tE9mVdZpYEfg=; b= Tk1blwNFZ02Zz/E1xM4Ki7AqXC1qMbr2z223W8itiW1dIbIfI2sKZEZBwo3g5TYy 7yJaUT2F7ps+5+aW5ftOM/9yRcMwj81p1jmXO8I+ege1ZG3J8/hSs5nRGYsyTcmY aMpSQN1m4FUAhpIB8+uBCOBmgSukpqW1EdJSrF/a+WY=
Received: from mail.dfn.de (mail.dfn.de [IPv6:2001:638:d:c102::150]) by b1004.mx.srv.dfn.de (Postfix) with ESMTPS id 0615A2200DA for <radext@ietf.org>; Wed, 20 Mar 2024 02:49:17 +0100 (CET)
Received: from [IPV6:2001:67c:370:128:e50f:ae49:e9e9:6081] (unknown [IPv6:2001:67c:370:128:e50f:ae49:e9e9:6081]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.in.dfn.de (Postfix) with ESMTPSA id 3B1933D6 for <radext@ietf.org>; Wed, 20 Mar 2024 02:49:15 +0100 (CET)
Message-ID: <c1a00b2f-e716-4e8e-87d3-0d8dedeb8957@dfn.de>
Date: Wed, 20 Mar 2024 11:49:11 +1000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: radext@ietf.org
References: <3a5885c2-fa5a-4aae-a1f4-e79b9456ad94@dfn.de> <3C061F54-4D3A-4523-AC5B-E744A22A8EA3@deployingradius.com>
From: Jan-Frederik Rieckers <rieckers@dfn.de>
X-Enigmail-Draft-Status: N11222
Organization: DFN e.V.
In-Reply-To: <3C061F54-4D3A-4523-AC5B-E744A22A8EA3@deployingradius.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms030402040309090505010607"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/yYNcVyK_VrjrcFXIftGttC9N2WY>
Subject: Re: [radext] Small issues in the ALPN draft
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 01:49:27 -0000
On 19.03.24 08:39, Alan DeKok wrote: >> Section 4.2.1: >> Typo: "For An implementation" -> "For an implementation" > > I can't see that. 3rd paragraph, 3rd sentence. >> After having read the document again, I'm also not exactly clear about the reasoning behind the 3rd paragraph (closing a connection that re-uses token values). >> Having a rationale behind this specification would be good. > > Updated: > > ... If it determines that the sender is re-using Token values for distinct outstanding packets, then an error should be logged, and the connection MUST be closed. There is no way to negotiate correct behavior in the protocol. Either the parties both operate normally and can communicate, or one end misbehaves, and no communication is possible. > > > The idea is that you can't negotiate your way out of protocol violations. If a server receives two packets at the same time, with the same Token but different packet contents, then the client is broken. There's no way to say "please follow the spec". Ok, after reading the draft again it gets a bit more clear, but I believe I found a different problem with that. My problem with that was at the time of reading, that immediately after the "If your peer re-uses a token, then cut him out" came the "remember the responses for at least 5 seconds", so the "distinct outstanding packets" wasn't as clear. We have the problem of different cache times. If the client (stupidly, but conforming with the spec) implements a lowest-free-token algorithm, and the cache times for client and server don't match, the client may purge an outstanding request after 15 sec and re-use the token value for a new request, but the server identifies this as misbehavior, because it purges outstanding requests only after 30 sec and therefore closes the connection. In RFC 5080, if a server sees a duplicate, it silently discards it. So this behavior would be a significant change in the RADIUS protocol, as far as I see it. Cheers, Janfred -- Herr Jan-Frederik Rieckers Security, Trust & Identity Services E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370 Pronomen: er/sein | Pronouns: he/him __________________________________________________________________________________ DFN - Deutsches Forschungsnetz | German National Research and Education Network Verein zur Förderung eines Deutschen Forschungsnetzes e.V. Alexanderplatz 1 | 10178 Berlin https://www.dfn.de Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian Zens Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch VR AG Charlottenburg 7729B | USt.-ID. DE 136623822
- [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Alexander Clouter
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Heikki Vatiainen
- Re: [radext] Small issues in the ALPN draft Alan DeKok