Re: [radext] Review of draft-cheng-behave-cgn-cfg-radius-ext
Dean cheng <dean.cheng@huawei.com> Fri, 07 March 2014 01:31 UTC
Return-Path: <dean.cheng@huawei.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B920D1A0186 for <radext@ietfa.amsl.com>; Thu, 6 Mar 2014 17:31:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.852
X-Spam-Level:
X-Spam-Status: No, score=0.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_SUMOF=5, J_CHICKENPOX_74=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zrY0bgRN5EWO for <radext@ietfa.amsl.com>; Thu, 6 Mar 2014 17:31:23 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) by ietfa.amsl.com (Postfix) with ESMTP id 0EB071A0010 for <radext@ietf.org>; Thu, 6 Mar 2014 17:31:21 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml203-edg.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BBV08756; Fri, 07 Mar 2014 01:31:17 +0000 (GMT)
Received: from LHREML401-HUB.china.huawei.com (10.201.5.240) by lhreml203-edg.huawei.com (172.18.7.221) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 7 Mar 2014 01:30:41 +0000
Received: from SJCEML703-CHM.china.huawei.com (10.212.94.49) by lhreml401-hub.china.huawei.com (10.201.5.240) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 7 Mar 2014 01:31:16 +0000
Received: from SJCEML701-CHM.china.huawei.com ([169.254.3.52]) by SJCEML703-CHM.china.huawei.com ([169.254.5.78]) with mapi id 14.03.0158.001; Thu, 6 Mar 2014 17:31:09 -0800
From: Dean cheng <dean.cheng@huawei.com>
To: "lionel.morand@orange.com" <lionel.morand@orange.com>, Alan DeKok <aland@deployingradius.com>, "radext@ietf.org" <radext@ietf.org>
Thread-Topic: [radext] Review of draft-cheng-behave-cgn-cfg-radius-ext
Thread-Index: AQHPN4898xpGI46XLUWhu3b9ziIo/ZrRdusAgANf4kA=
Date: Fri, 07 Mar 2014 01:31:08 +0000
Message-ID: <DC7880973D477648AC15A3BA66253F6865F81B67@SJCEML701-CHM.china.huawei.com>
References: <5315A1E1.2040405@deployingradius.com> <30324_1393940713_5315D8E9_30324_2050_1_6B7134B31289DC4FAF731D844122B36E4DF2BC@PEXCVZYM13.corporate.adroot.infra.ftgroup>
In-Reply-To: <30324_1393940713_5315D8E9_30324_2050_1_6B7134B31289DC4FAF731D844122B36E4DF2BC@PEXCVZYM13.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.212.245.143]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/zQgfv_hx4y0ynCrlxPKHBXKy8OE
Subject: Re: [radext] Review of draft-cheng-behave-cgn-cfg-radius-ext
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Mar 2014 01:31:25 -0000
Hi Lionel, I think the port defined in RFC2865 (in Section 5.42 "Port-Limit") is physical or logical port, whereas the "Port-Session-Limit" proposed in this draft is for TCP/UDP port, and so they are different. We'll change to use TLV in the next revision. Thanks Dean > -----Original Message----- > From: radext [mailto:radext-bounces@ietf.org] On Behalf Of > lionel.morand@orange.com > Sent: Tuesday, March 04, 2014 5:45 AM > To: Alan DeKok; radext@ietf.org > Subject: Re: [radext] Review of draft-cheng-behave-cgn-cfg-radius-ext > > The Port-Session-Limit Attribute is defined as follow: > > This attribute is of type complex [RFC6158] and specifies the limit > of TCP ports, or UDP ports, or the sum of the two, or ICMP > identifiers, or the sum of the three, which is configured on a > device > supporting port ranges corresponding to a specific subscriber. > > Isn't it the same purpose than the Port-Limit defined in RFC 2865? > > Port-Limit > > This Attribute sets the maximum number of ports to be provided to > the user by the NAS. This Attribute MAY be sent by the server to > the client in an Access-Accept packet. It is intended for use in > conjunction with Multilink PPP [12] or similar uses. It MAY also > be sent by the NAS to the server as a hint that that many ports > are desired for use, but the server is not required to honor the > hint. > > By the way, I share the comment on Alan about avoiding polymorphic > attributes and recommend the use of TLV. > I guess that two different TLV-types will have to be defined, one for > external/public address+port (NAT assigned) and the other for > internal/private address+port, and both TLV consisting in two sub- > attributes, one in the format of "Framed-IP-address" and one ine the > format of "Port". > > Lionel > > > -----Message d'origine----- > De : radext [mailto:radext-bounces@ietf.org] De la part de Alan DeKok > Envoyé : mardi 4 mars 2014 10:50 À : radext@ietf.org Objet : [radext] > Review of draft-cheng-behave-cgn-cfg-radius-ext > > This is a quick review of the document prior to RADEXT WG meeting. > > > This document proposes three new RADIUS attributes as RADIUS > protocol's extensions, and they are used for separate purposes as > follows: > > Any draft is a RADIUS protocol extension. I'd suggest changing this > text to: > > This document proposes three new attributes as follows: > > > The following paragraphs could be re-organized. They currently give > a description first, followed by the attribute name. The text also > seems > redundant: > > The session limit is carried by a new RADIUS attribute ... > > Yes, most drafts define a new attribute. I would just say: > > o Port-Session-Limit > > Sent in Access-Accept or CoA-Request. Limits the of total number > of > TCP/UDP ports and/or ICMP identifiers which a subscriber can use. > > i.e. give the name, which packets it can occur in, and a short > description of its meaning. The later sections will expand on these > descriptions, so there's no need to give complicated definitions here. > > > o Session Limit - This is the maximum number of TCP ports, or UDP > > Is this the same as "Port-Session-Limit" above? If so, I suggest > using the same name. > > Also, all authorization attributes in RADIUS are for a particular > session. So there's no need to call them "Session" limits. By > definition, they're for one session, and only one session. > > > [Discussion: should these attributes be allocated from the > extended RADIUS attribute code space?] > > I don't think it matters. They could be allocated from the standard > space. > > > 3.1 Port-Session-Limit > > This attribute is of type complex [RFC6158] ... > > There is no reason to make these attributes type "complex". Everyone > would be better served by using TLVs, as defined in RFC 6929. > > > > 3.2 Port-Session-Range > > ... > The port range follows the encoding specified in [RFC6431]; > > RFC 6431 defines a data structure of 4 fields. This attribute re- > uses that, but inserts it in the middle of other complex fields. So it > does not appear to follow the requirements to be an "opaque data type" > as given in RFC 6158 Section A.1.3. > > > 3.3. Port-Forwarding-Map Attribute > > ... In addition, the attribute may contain a > 32-bit IPv4 address or a 128-bit IPv6 address, respectively, as > their > respective NAT mappings internal IP address. > > This definition violates RFC 6158 Section 3.4, which prohibits > polymorphic attributes. > > > 7.2. Name Spaces > > This document establishes a new name space for Session Type (see > Section 3.1 for the initial reservation of values. The allocation > of > future values is according to RFC Required policy [RFC5226] > > I don't think any previous RADIUS specification defined an IANA name > space for sub-fields of an attribute. All of the existing enumerated > types are of data type "integer". > > > Over all, the goal of the document seems reasonable. But the > encoding of the attributes violates most of RFC 6158, without giving > any reason as to why. Implementing it as-is would impose undue burden > on implementors. > > I suggest using TLVs instead of these complex data types. That would > avoid the need for polymorphic attributes, too. > > Alan DeKok. > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext > > _______________________________________________________________________ > __________________________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations > confidentielles ou privilegiees et ne doivent donc pas etre diffuses, > exploites ou copies sans autorisation. Si vous avez recu ce message par > erreur, veuillez le signaler a l'expediteur et le detruire ainsi que > les pieces jointes. Les messages electroniques etant susceptibles > d'alteration, Orange decline toute responsabilite si ce message a ete > altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged > information that may be protected by law; they should not be > distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and > delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have > been modified, changed or falsified. > Thank you. > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext
- [radext] Review of draft-cheng-behave-cgn-cfg-rad… Alan DeKok
- Re: [radext] Review of draft-cheng-behave-cgn-cfg… lionel.morand
- Re: [radext] Review of draft-cheng-behave-cgn-cfg… Dean cheng
- Re: [radext] Review of draft-cheng-behave-cgn-cfg… Dean cheng