This is an announcement of RADEXT WG = last call on=20 the

"RADIUS Design = Guidelines" document, prior=20 to sending

it to the IESG for publication as a = Proposed=20

Standard. The document is = available for inspection here:
http://www.ietf.org/internet-drafts/draft-ietf-radext-design-02.= txt

RADEXT WG last call will complete on = January 15,=20 2008. Please respond

to this solicitation if you have read = the=20 document, regardless of whether you

have comments to provide or = not. In your=20 email, please state whether you

believe that the document is ready = for=20 publication.

If you have comments to provide, = please send them=20 to the

RADEXT WG mailing list (radiusext@ops.ietf.org),

using the format described in the = RADEXT Issues=20 tracker:
http://www.drizzle.com/~aboba/RADEXT/

------=_NextPart_000_00CC_01C847A5.1CCD6D60-- -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 12:59:44 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7aXg-0007DL-IJ for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 12:59:44 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7aXe-0004q7-Af for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 12:59:44 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7aRk-000J3C-R9 for radiusext-data@psg.com; Wed, 26 Dec 2007 17:53:36 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [76.96.62.17] (helo=QMTA10.westchester.pa.mail.comcast.net) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7aRZ-000J2H-L3 for radiusext@ops.ietf.org; Wed, 26 Dec 2007 17:53:27 +0000 Received: from OMTA11.westchester.pa.mail.comcast.net ([76.96.62.36]) by QMTA10.westchester.pa.mail.comcast.net with comcast id VSFn1Y00K0mv7h05A0EP00; Wed, 26 Dec 2007 17:53:24 +0000 Received: from gwzPC ([67.168.164.234]) by OMTA11.westchester.pa.mail.comcast.net with comcast id VVtP1Y00A53lGY33X00000; Wed, 26 Dec 2007 17:53:24 +0000 X-Authority-Analysis: v=1.0 c=1 a=Gn-g1Pkd9IgA:10 a=zz3dB5q32WxJMubKTZMA:9 a=o38THE0GYv1231c4rLAikQABfSIA:4 a=tqucuuI3bnEA:10 From: "Glen Zorn" To: "'Alan DeKok'" Cc: References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> In-Reply-To: <47729084.8060206@nitros9.org> Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 09:52:47 -0800 Message-ID: <005d01c847e8$20c81f30$62585d90$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AchH5bdl4qB55+LFT+K87w6d0sThIwAAHOvg Content-Language: en-us Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 7baded97d9887f7a0c7e8a33c2e3ea1b Glen Zorn wrote: > During the meeting last week, I thought that there were a couple of > questions/comments on Jabber regarding the changes that I proposed to > the extended attribute format (adding a bit to distinguish between new > TLVs and legacy RADIUS attributes in extended attributes) but I didn't > quite catch them. Would those who presented those remarks mind > repeating them in email? TIA. WiMAX uses the same attribute format as proposed here. Changes that are incompatible with WiMAX should be discouraged. [gwz] I'm not at all sure why that would be the case; I don't recall the IETF bending over backwards to be compatible w/anyone else's VSAs... [/gwz] If it's just stealing a bit (which WiMAX doesn't use), that sounds fine. The ability to group legacy RADIUS attributes via a method other than tags would be good. [gwz] Actually, I've convinced myself that a) this idea was not quite baked & b) I was wrong about making the Ext-Type field just one octet. If we make the Ext-Type field 16 bits in length _and_ start numbering the new attributes at 0x100, that would seem to solve a couple of problems nicely. [/gwz] One question: If we DO permit this for legacy RADIUS attributes, what does the "C" bit mean? Do we use the WiMAX method for splitting attributes encrypted with the "Tunnel-Password" method? [gwz] I don't know what method that is, but I'm not sure why those attributes would be treated differently than others. [/gwz] Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 13:03:25 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7abF-0002dD-C5 for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 13:03:25 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7abE-0004uT-DT for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 13:03:24 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7aYS-000Ja1-IW for radiusext-data@psg.com; Wed, 26 Dec 2007 18:00:32 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [76.96.62.48] (helo=QMTA05.westchester.pa.mail.comcast.net) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7aY0-000JXu-7V for radiusext@ops.ietf.org; Wed, 26 Dec 2007 18:00:19 +0000 Received: from OMTA09.westchester.pa.mail.comcast.net ([76.96.62.20]) by QMTA05.westchester.pa.mail.comcast.net with comcast id VUxT1Y00A0SCNGk0505R00; Wed, 26 Dec 2007 18:00:02 +0000 Received: from gwzPC ([67.168.164.234]) by OMTA09.westchester.pa.mail.comcast.net with comcast id VW001Y00153lGY33V00000; Wed, 26 Dec 2007 18:00:02 +0000 X-Authority-Analysis: v=1.0 c=1 a=HnDihN7l37cA:10 a=No5EcEP4AAAA:8 a=lHIK1t_c1lC-7DL5jYkA:9 a=UIe76RprqC-e4kpik9AA:7 a=KuLx1bp-CeaukJ0WFJvUHD3_6bMA:4 a=_3nJN2eeWHAA:10 From: "Glen Zorn" To: "'Alan DeKok'" Cc: References:

<47729414.9070608@nitros9.org> In-Reply-To: <47729414.9070608@nitros9.org> Subject: RE: [ Comments on automated key management and crypto agility Date: Wed, 26 Dec 2007 09:59:23 -0800 Message-ID: <005e01c847e9$0dcbc7f0$296357d0$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AchH6I1hz+I309tPQD+urxR21Ysz4AAAC18g Content-Language: en-us Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 7655788c23eb79e336f5f8ba8bce7906 ... redirects have problems in practical deployments. Intermediate nodes often exist for commercial reasons, both for business relationships and for application of intermediary policies. [gwz] And, unfortunately, that's just scratching the surface; how that lame scheme got into an RFC I'll never know... [/gwz] Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 13:04:25 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7acD-0003ys-Ig for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 13:04:25 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7acD-0004vn-6F for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 13:04:25 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7aZO-000Jf2-6R for radiusext-data@psg.com; Wed, 26 Dec 2007 18:01:30 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.2 required=5.0 tests=AWL,BAYES_00,RDNS_NONE, STOX_REPLY_TYPE autolearn=no version=3.2.3 Received: from [65.54.246.158] (helo=bay0-omc2-s22.bay0.hotmail.com) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7aZL-000JeM-Np for radiusext@ops.ietf.org; Wed, 26 Dec 2007 18:01:28 +0000 Received: from BAY117-DS1 ([207.46.8.28]) by bay0-omc2-s22.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 26 Dec 2007 10:01:23 -0800 X-Originating-IP: [67.183.152.50] X-Originating-Email: [bernard_aboba@hotmail.com] Message-ID: From: In-Reply-To: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> To: "Alan DeKok" , "Glen Zorn" Cc: References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> X-Unsent: 1 Subject: Re: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 10:01:26 -0800 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal Importance: Normal X-Mailer: Microsoft Windows Live Mail 12.0.1606 X-MimeOLE: Produced By Microsoft MimeOLE V12.0.1606 X-OriginalArrivalTime: 26 Dec 2007 18:01:23.0542 (UTC) FILETIME=[53970F60:01C847E9] Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -2.3 (--) X-Scan-Signature: 2409bba43e9c8d580670fda8b695204a > WiMAX uses the same attribute format as proposed here. Changes that > are incompatible with WiMAX should be discouraged. I would agree. If the extensions remain compatible with WiMAX then the amount of code duplication will be minimized. > If it's just stealing a bit (which WiMAX doesn't use), that sounds > fine. The ability to group legacy RADIUS attributes via a method other > than tags would be good. > > One question: If we DO permit this for legacy RADIUS attributes, what > does the "C" bit mean? Do we use the WiMAX method for splitting > attributes encrypted with the "Tunnel-Password" method? We need to be careful about feature creep here. The original purpose of the Extended Attributes document was to extend the RADIUS attribute space. If the document is now taking on new problems (extending capabilities of the RADIUS protocol or changing the semantics of existing attributes) then that problem needs to be clearly stated, and justification needs to be provided. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 13:21:07 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7asN-0008FG-Dv for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 13:21:07 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7asL-0005FW-7J for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 13:21:07 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7aoX-000L6y-Hf for radiusext-data@psg.com; Wed, 26 Dec 2007 18:17:09 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [76.96.30.56] (helo=QMTA06.emeryville.ca.mail.comcast.net) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7aoU-000L6c-RJ for radiusext@ops.ietf.org; Wed, 26 Dec 2007 18:17:08 +0000 Received: from OMTA06.emeryville.ca.mail.comcast.net ([76.96.30.51]) by QMTA06.emeryville.ca.mail.comcast.net with comcast id VRLf1Y00C16AWCU0A0Lu00; Wed, 26 Dec 2007 18:17:06 +0000 Received: from gwzPC ([67.168.164.234]) by OMTA06.emeryville.ca.mail.comcast.net with comcast id VWH41Y00353lGY38S00000; Wed, 26 Dec 2007 18:17:06 +0000 X-Authority-Analysis: v=1.0 c=1 a=Gn-g1Pkd9IgA:10 a=KyU8gm_5oIyxiH_ZlMUA:9 a=pzxYAvxED1nxWDAwYLQA:7 a=t-OMm-fGHK-DBl3VacWkXzZdn2wA:4 a=MxZ3bB5I4kYA:10 From: "Glen Zorn" To: , "'Alan DeKok'" Cc: References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> In-Reply-To: Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 10:16:28 -0800 Message-ID: <006b01c847eb$70096650$501c32f0$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AchH6VnSyItJtpl6RvSUZWLy43jIIwAAIzhw Content-Language: en-us Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 8b30eb7682a596edff707698f4a80f7d > WiMAX uses the same attribute format as proposed here. Changes that > are incompatible with WiMAX should be discouraged. I would agree. If the extensions remain compatible with WiMAX then the amount of code duplication will be minimized. [gwz] If we're suddenly worried about the size of code for processing VSAs, it would seem to make much more sense to be compatible with cisco's VSAs since they are far more widely deployed than WiMax's (and probably always will be). [/gwz] > If it's just stealing a bit (which WiMAX doesn't use), that sounds > fine. The ability to group legacy RADIUS attributes via a method other > than tags would be good. > > One question: If we DO permit this for legacy RADIUS attributes, what > does the "C" bit mean? Do we use the WiMAX method for splitting > attributes encrypted with the "Tunnel-Password" method? We need to be careful about feature creep here. The original purpose of the Extended Attributes document was to extend the RADIUS attribute space. If the document is now taking on new problems (extending capabilities of the RADIUS protocol or changing the semantics of existing attributes) then that problem needs to be clearly stated, and justification needs to be provided. [gwz] I'm not suggesting anything of the sort: the capabilities for sending large attributes & grouping them already exist (although in limited ways); I'm talking about standardizing these existing capabilies, not adding new ones. [/gwz] -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 13:49:49 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7bK9-00078Z-VQ for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 13:49:49 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7bK8-0005o1-84 for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 13:49:49 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7bDc-000NXx-6s for radiusext-data@psg.com; Wed, 26 Dec 2007 18:43:04 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.2 required=5.0 tests=AWL,BAYES_00,RDNS_NONE, STOX_REPLY_TYPE autolearn=no version=3.2.3 Received: from [65.54.246.156] (helo=bay0-omc2-s20.bay0.hotmail.com) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7bCt-000NSX-Ey for radiusext@ops.ietf.org; Wed, 26 Dec 2007 18:42:33 +0000 Received: from BAY117-DS1 ([207.46.8.28]) by bay0-omc2-s20.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 26 Dec 2007 10:42:16 -0800 X-Originating-IP: [67.183.152.50] X-Originating-Email: [bernard_aboba@hotmail.com] Message-ID: From: In-Reply-To:

<47729414.9070608@nitros9.org> To: "Alan DeKok" , References:

<47729414.9070608@nitros9.org> Subject: Re: E2E and crypto-agility X-Unsent: 1 Date: Wed, 26 Dec 2007 10:42:20 -0800 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal Importance: Normal X-Mailer: Microsoft Windows Live Mail 12.0.1606 X-MimeOLE: Produced By Microsoft MimeOLE V12.0.1606 X-OriginalArrivalTime: 26 Dec 2007 18:42:16.0635 (UTC) FILETIME=[09BF58B0:01C847EF] Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -2.3 (--) X-Scan-Signature: ea4ac80f790299f943f0a53be7e1a21a > What is "end to end" ? I think it means something like "protection of RADIUS attributes from disclosure to parties other than the NAS and home server". > I don't see how we could do NAS to home server key transport in > RADIUS. So the answer is (I think) "No". In the AAA WG there were a number of mechanisms investigated by which a NAS and home server could derive a key that could be used to protect attributes from disclosure to proxies. These methods included Kerberos and CMS. For example, see: http://www.watersprings.org/pub/id/draft-kaushik-radius-sec-ext-06.txt So I think the question is not "can it be done?" but rather "how does this relate to RADIUS crypto-agility?" and "should solving this problem be a requirement?" -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 13:56:35 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7bQh-0000u0-58 for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 13:56:35 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7bQg-0005x1-Oe for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 13:56:35 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7bMl-000OQ0-Vf for radiusext-data@psg.com; Wed, 26 Dec 2007 18:52:31 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.2 required=5.0 tests=AWL,BAYES_00,RDNS_NONE, STOX_REPLY_TYPE autolearn=no version=3.2.3 Received: from [65.54.246.173] (helo=bay0-omc2-s37.bay0.hotmail.com) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7bMi-000OPa-Vx for radiusext@ops.ietf.org; Wed, 26 Dec 2007 18:52:30 +0000 Received: from BAY117-DS2 ([207.46.8.29]) by bay0-omc2-s37.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 26 Dec 2007 10:52:28 -0800 X-Originating-IP: [67.183.152.50] X-Originating-Email: [bernard_aboba@hotmail.com] Message-ID: From: In-Reply-To:

<47729414.9070608@nitros9.org> To: "Alan DeKok" , References:

<47729414.9070608@nitros9.org> Subject: Re: Comments on "practical deployments" X-Unsent: 1 Date: Wed, 26 Dec 2007 10:52:31 -0800 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal Importance: Normal X-Mailer: Microsoft Windows Live Mail 12.0.1606 X-MimeOLE: Produced By Microsoft MimeOLE V12.0.1606 X-OriginalArrivalTime: 26 Dec 2007 18:52:28.0997 (UTC) FILETIME=[76BE5F50:01C847F0] Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -2.3 (--) X-Scan-Signature: ea4ac80f790299f943f0a53be7e1a21a > problems in practical deployments. Which "practical deployments" are we talking about? While proxies are widely used today to facilitate inter-domain roaming, as far as I know, the combination of inter-domain roaming and EAP is very rare. While EAP-based technologies such as WiMAX may change the situation, as I understand it, the use of EAP today is largely confined to enterprise scenarios. For example, the vast majority of all IEEE 802.11 hotspot deployments use Web-based access (e.g. UAM), not EAP. In terms of major EAP deployments that support inter-domain roaming with substantial usage, one deployment (EDUROAM) is several orders of magnitude larger than any other that I am aware of. As far as I know, EDUROAM does not use Diameter nor are there any major deployments of Diameter EAP. Am I missing something, or are there really any "practical experience" here? -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 14:17:30 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7bkw-00040E-KO for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 14:17:30 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7bkv-0006Oi-6Z for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 14:17:30 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7bgO-00008f-LR for radiusext-data@psg.com; Wed, 26 Dec 2007 19:12:48 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7bgK-00007n-10 for radiusext@ops.ietf.org; Wed, 26 Dec 2007 19:12:47 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id DC41BA704E; Wed, 26 Dec 2007 11:12:33 -0800 (PST) Message-ID: <4772A741.40303@nitros9.org> Date: Wed, 26 Dec 2007 20:10:57 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Glen Zorn CC: radiusext@ops.ietf.org Subject: Re: Questions on modified Extended Attribute format? References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> <005d01c847e8$20c81f30$62585d90$@net> In-Reply-To: <005d01c847e8$20c81f30$62585d90$@net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 9466e0365fc95844abaf7c3f15a05c7d Glen Zorn wrote: > I'm not at all sure why that would be the case; I don't recall the IETF > bending over backwards to be compatible w/anyone else's VSAs... The last thing I need right now is yet another incompatible VSA format. > Actually, I've convinced myself that a) this idea was not quite baked & b) I > was wrong about making the Ext-Type field just one octet. If we make the > Ext-Type field 16 bits in length _and_ start numbering the new attributes at > 0x100, that would seem to solve a couple of problems nicely. I understand... I'm not sure I completely agree. > One question: If we DO permit this for legacy RADIUS attributes, what > does the "C" bit mean? Do we use the WiMAX method for splitting > attributes encrypted with the "Tunnel-Password" method? > [gwz] > I don't know what method that is, but I'm not sure why those attributes > would be treated differently than others. > [/gwz] Neither am I. But they are. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 14:20:34 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7bnu-0007tC-P5 for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 14:20:34 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7bnu-0006V0-Ec for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 14:20:34 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7bkX-0000Ut-9L for radiusext-data@psg.com; Wed, 26 Dec 2007 19:17:05 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7bkS-0000UO-7W for radiusext@ops.ietf.org; Wed, 26 Dec 2007 19:17:04 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id 3EB39A704E; Wed, 26 Dec 2007 11:16:53 -0800 (PST) Message-ID: <4772A842.8090308@nitros9.org> Date: Wed, 26 Dec 2007 20:15:14 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Glen Zorn CC: Bernard_Aboba@hotmail.com, radiusext@ops.ietf.org Subject: Re: Questions on modified Extended Attribute format? References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> <006b01c847eb$70096650$501c32f0$@net> In-Reply-To: <006b01c847eb$70096650$501c32f0$@net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 9466e0365fc95844abaf7c3f15a05c7d Glen Zorn wrote: > If we're suddenly worried about the size of code for processing VSAs, it > would seem to make much more sense to be compatible with cisco's VSAs since > they are far more widely deployed than WiMax's (and probably always will > be). Yes... but strings? Really? > I'm not suggesting anything of the sort: the capabilities for sending large > attributes & grouping them already exist (although in limited ways); I'm > talking about standardizing these existing capabilies, not adding new ones. If we can get the functionality of the new extended attributes applied to legacy RADIUS, I'm all for it. But I don't want it to be a lot of work... that causes bugs and interoperability issues. My preferences are to leave the extended attributes defined the way they are right now. Anything else starts to cause issues. e.g. legacy attributes encapsulated in a VSA.... what happens with legacy implementations? The only image that comes to mind is a cloud going *boom*. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 14:37:35 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7c4N-00058A-DA for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 14:37:35 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7c4K-0006su-W7 for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 14:37:35 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7c0c-0001er-2d for radiusext-data@psg.com; Wed, 26 Dec 2007 19:33:42 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7c0Y-0001ds-Vg for radiusext@ops.ietf.org; Wed, 26 Dec 2007 19:33:40 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id 8AB3CA704E; Wed, 26 Dec 2007 11:33:17 -0800 (PST) Message-ID: <4772AC0D.1000401@nitros9.org> Date: Wed, 26 Dec 2007 20:31:25 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Bernard_Aboba@hotmail.com CC: radiusext@ops.ietf.org Subject: Re: Comments on "practical deployments" References:

<47729414.9070608@nitros9.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 50a516d93fd399dc60588708fd9a3002 Bernard_Aboba@hotmail.com wrote: >> problems in practical deployments. > > Which "practical deployments" are we talking about? RADIUS proxies. There are multiple inter-telco && inter-country deployments using RADIUS. I'm not aware of any similar large-scale deployment of Diameter. (i.e. everyone I've talked to says "perhaps one day we'll move to Diameter".) > While proxies are widely used today to facilitate inter-domain > roaming, as far as I know, the combination of inter-domain roaming > and EAP is very rare. The FMCA is trialling exactly this. > While EAP-based technologies such as WiMAX may change the > situation, as I understand it, the use of EAP today is largely confined > to enterprise scenarios. For example, the vast majority of all > IEEE 802.11 hotspot deployments use Web-based access (e.g. UAM), not EAP. Yes. In fact, the use of EAP *prevents* a large number of business models for network access. > In terms of major EAP deployments that support inter-domain roaming > with substantial usage, one deployment (EDUROAM) is several orders of > magnitude larger than any other that I am aware of. UMA leverages EAP and RADIUS, but it's buried deep in the network. > As far as I know, EDUROAM does not use Diameter nor are there any > major deployments of Diameter EAP. Yes. > Am I missing something, or are there really any "practical experience" > here? Practical experience with existing AAA servers, proxies, and business models. The current technology is RADIUS. I'm trying to figure out how AAA redirection (and avoiding the intermediary proxies) helps anyone. I don't think it does. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 14:58:38 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7cOk-0005Px-2h for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 14:58:38 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7cOj-0007V7-A0 for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 14:58:38 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7cK1-00039b-Mr for radiusext-data@psg.com; Wed, 26 Dec 2007 19:53:45 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.2 required=5.0 tests=AWL,BAYES_00,HTML_MESSAGE, RDNS_NONE autolearn=no version=3.2.3 Received: from [65.54.246.152] (helo=bay0-omc2-s16.bay0.hotmail.com) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7cJY-00037M-WF for radiusext@ops.ietf.org; Wed, 26 Dec 2007 19:53:31 +0000 Received: from BAY117-W31 ([207.46.8.66]) by bay0-omc2-s16.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 26 Dec 2007 11:53:16 -0800 Message-ID: Content-Type: multipart/alternative; boundary="_52ab49c8-2d30-4f2d-a476-48f4b20945a4_" X-Originating-IP: [67.183.152.50] From: Bernard Aboba To: Subject: RADEXT WG last call on RADIUS Attributes for Filtering and Redirection Date: Wed, 26 Dec 2007 11:53:16 -0800 Importance: Normal MIME-Version: 1.0 X-OriginalArrivalTime: 26 Dec 2007 19:53:16.0586 (UTC) FILETIME=[F4E048A0:01C847F8] Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 6e922792024732fb1bb6f346e63517e4 --_52ab49c8-2d30-4f2d-a476-48f4b20945a4_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable On July 5, 2007 the RADEXT WG first began WG last call on "RADIUS Attribute= s for=20 Filtering and Redirection": http://ops.ietf.org/lists/radiusext/2007/msg00494.html http://ops.ietf.org/lists/radiusext/2007/msg00541.html This WG last call was to last until Monday, July 23, 2007. During the WG last call, only a single comment was received, from Hannes=20 Tschofenig: http://ops.ietf.org/lists/radiusext/2007/msg00496.html No other messages were posted to the RADEXT WG mailing list indicating that= =20 WG participants had read the document. Given the light level of participation, the WG last=20 call was extended for 10 more days (until August 28, 2007): http://ops.ietf.org/lists/radiusext/2007/msg00633.html No comments were received during that WG last call either. Given that no comments have been received during the last two RADEXT WG las= t calls, we are going to bring the document to RADEXT WG call again. This = RADEXT WG last call will last until January 15, 2008.=20 If you have read the=20 document and approve of its publication as a Proposed Standard, please post= =20 your approval to the list, even if you have no comments to provide. If you have comments, please provide them in the format described on the=20 RADEXT WG Issues page: http://www.drizzle.com/~aboba/RADEXT/ --_52ab49c8-2d30-4f2d-a476-48f4b20945a4_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable On July 5, 2007 the RADEXT WG first began WG last call on "RADIUS Attri= butes for=20Filtering and Redirection":

http://ops.ietf.org/lists/radiuse=
xt/2007/msg00494.html
http://ops.ietf.org/lists/radiusext/2=
007/msg00541.html

This WG last call was to last until Monday, Ju=
ly 23, 2007.

During the WG last call, only a single comment wa= s received, from Hannes=20Tschofenig:

http://ops.ietf.org/lists/radiuse=
xt/2007/msg00496.html

No other messages were posted to the R=
ADEXT WG mailing list indicating that=20
WG participants had read the document.

Given the light level of participation, the WG l= ast=20call was extended for 10 more days (until August 28, 2007): htt= p://ops.ietf.org/lists/radiusext/2007/msg00633.html No comments were= received during that WG last call either. Given that no comments ha= ve been received during the last two RADEXT WG last calls, we are going to = bring the document to RADEXT WG call again. This RADEXT WG last call = will last until January 15, 2008. If you have read the=20document and approve of its publication as a Proposed Standard, pl= ease post=20your approval to the list, even if you have no comments to provide= .If you have comments, please provide them in the format described = on the=20RADEXT WG Issues page:

http://www.drizzle.com/~aboba/RADEXT/

= --_52ab49c8-2d30-4f2d-a476-48f4b20945a4_-- -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 15:08:17 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7cY5-0001Rr-67 for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:08:17 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7cY4-0007fv-PF for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:08:17 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7cVH-000441-2M for radiusext-data@psg.com; Wed, 26 Dec 2007 20:05:23 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.2 required=5.0 tests=AWL,BAYES_00,HTML_MESSAGE, RDNS_NONE autolearn=no version=3.2.3 Received: from [65.54.246.146] (helo=bay0-omc2-s10.bay0.hotmail.com) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7cVE-00043d-MK for radiusext@ops.ietf.org; Wed, 26 Dec 2007 20:05:21 +0000 Received: from BAY117-W34 ([207.46.8.69]) by bay0-omc2-s10.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 26 Dec 2007 12:05:16 -0800 Message-ID: Content-Type: multipart/alternative; boundary="_79d372da-1d12-4de7-b820-a264809dd28f_" X-Originating-IP: [67.183.152.50] From: Bernard Aboba To: Alan DeKok CC: Subject: RE: Comments on "practical deployments" Date: Wed, 26 Dec 2007 12:05:16 -0800 Importance: Normal In-Reply-To: <4772AC0D.1000401@nitros9.org> References:

<47729414.9070608@nitros9.org> <4772AC0D.1000401@nitros9.org> MIME-Version: 1.0 X-OriginalArrivalTime: 26 Dec 2007 20:05:16.0979 (UTC) FILETIME=[A2438830:01C847FA] Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 00e94c813bef7832af255170dca19e36 --_79d372da-1d12-4de7-b820-a264809dd28f_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable > > While proxies are widely used today to facilitate inter-domain > > roaming, as far as I know, the combination of inter-domain roaming > > and EAP is very rare. >=20 > The FMCA is trialling exactly this. Is this the Fixed Mobile Covergence Alliance? =20 (This seemed the most likely of the expansions provided by Google, the othe= rs being: Family Motor Coach Association Florida Mosquito Control Association Florida Marine Contractors Association Friends of Montgomery County Animals) >> For example, the vast majority of all >> IEEE 802.11 hotspot deployments use Web-based access (e.g. UAM), not EAP= . >=20 > Yes. In fact, the use of EAP *prevents* a large number of business > models for network access. Could you expand on the problems? > UMA leverages EAP and RADIUS, but it's buried deep in the network. Yup. Doesn't seem like this would require inter-domain proxies. --_79d372da-1d12-4de7-b820-a264809dd28f_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable > > While proxies are widely used today to facilitate inter-domain> > roaming, as far as I know, the combination of inter-domain roami= ng
> > and EAP is very rare.
>
> The FMCA is triall= ing exactly this.

Is this the Fixed Mobile Covergence Alliance? = ;

(This seemed the most likely of the expansions provided by Google= , the others being:

Family Motor Coach Association
Florida Mosqui= to Control Association
Florida Marine Contractors Association
Friends= of Montgomery County Animals)

>> For example, the vast majori= ty of all
>> IEEE 802.11 hotspot deployments use Web-based access = (e.g. UAM), not EAP.
>
> Yes. In fact, the use of EAP *prev= ents* a large number of business
> models for network access.

= Could you expand on the problems?

> UMA leverages EAP and RADIU= S, but it's buried deep in the network.

Yup. Doesn't seem like= this would require inter-domain proxies.
= --_79d372da-1d12-4de7-b820-a264809dd28f_-- -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 15:10:25 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7ca9-0005LH-EP for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:10:25 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7ca9-0007hi-1O for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:10:25 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7cWw-0004DJ-IJ for radiusext-data@psg.com; Wed, 26 Dec 2007 20:07:06 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [76.96.62.48] (helo=QMTA05.westchester.pa.mail.comcast.net) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7cWt-0004Ct-Sv for radiusext@ops.ietf.org; Wed, 26 Dec 2007 20:07:05 +0000 Received: from OMTA06.westchester.pa.mail.comcast.net ([76.96.62.51]) by QMTA05.westchester.pa.mail.comcast.net with comcast id VXRV1Y00E16LCl00503r00; Wed, 26 Dec 2007 20:07:03 +0000 Received: from gwzPC ([67.168.164.234]) by OMTA06.westchester.pa.mail.comcast.net with comcast id VY721Y00453lGY33S00000; Wed, 26 Dec 2007 20:07:03 +0000 X-Authority-Analysis: v=1.0 c=1 a=Gn-g1Pkd9IgA:10 a=Kyim4CSX5NKUdEtlMBUA:9 a=cbHjhmENCSqF-5k9zT-pJ86qD7YA:4 a=MxZ3bB5I4kYA:10 From: "Glen Zorn" To: "'Alan DeKok'" Cc: References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> <005d01c847e8$20c81f30$62585d90$@net> <4772A741.40303@nitros9.org> In-Reply-To: <4772A741.40303@nitros9.org> Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 12:06:25 -0800 Message-ID: <007e01c847fa$cbae1a00$630a4e00$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AchH8+QgyomKZ9OBSR2hHFBZMYNg5QABjGnQ Content-Language: en-us Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 79899194edc4f33a41f49410777972f8 > I'm not at all sure why that would be the case; I don't recall the IETF > bending over backwards to be compatible w/anyone else's VSAs... The last thing I need right now is yet another incompatible VSA format. [gwz] I understand, & sympathize; I think that it's important to remember that a major reason that we ended up in the position of having multiple external SDOs defining their own mutually incompatible VSAs is that we (the IETF) refused to address RADIUS' problems in a useful and meaningful way. We have an opportunity now to ameliorate if not solve that problem; I don't think that we should pass it up. [/gwz] ... -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 15:14:30 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7ce6-0007qi-NZ for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:14:30 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7ce6-0007la-AR for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:14:30 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7caz-0004sS-R6 for radiusext-data@psg.com; Wed, 26 Dec 2007 20:11:17 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [76.96.30.64] (helo=QMTA07.emeryville.ca.mail.comcast.net) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7cat-0004rW-J2 for radiusext@ops.ietf.org; Wed, 26 Dec 2007 20:11:16 +0000 Received: from OMTA07.emeryville.ca.mail.comcast.net ([76.96.30.59]) by QMTA07.emeryville.ca.mail.comcast.net with comcast id VUGt1Y0091GXsuc0A0PJ00; Wed, 26 Dec 2007 20:11:11 +0000 Received: from gwzPC ([67.168.164.234]) by OMTA07.emeryville.ca.mail.comcast.net with comcast id VYB91Y00E53lGY38T00000; Wed, 26 Dec 2007 20:11:11 +0000 X-Authority-Analysis: v=1.0 c=1 a=Gn-g1Pkd9IgA:10 a=2gqz4AnwQuraWKzKRoMA:9 a=0hdpQYvahjb6NZPfw4AA:7 a=vtWjhCY1dna__f4cXPx49tN_ulMA:4 a=MxZ3bB5I4kYA:10 From: "Glen Zorn" To: "'Alan DeKok'" Cc: , References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> <006b01c847eb$70096650$501c32f0$@net> <4772A842.8090308@nitros9.org> In-Reply-To: <4772A842.8090308@nitros9.org> Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 12:10:32 -0800 Message-ID: <008801c847fb$5f8d0560$1ea71020$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AchH8+quH1rguFTjRHKfwlnn7KP5TwABuaYQ Content-Language: en-us Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4 > If we're suddenly worried about the size of code for processing VSAs, it > would seem to make much more sense to be compatible with cisco's VSAs since > they are far more widely deployed than WiMax's (and probably always will > be). Yes... but strings? Really? [gwz] I know, but the point stands, no? [/gwz] > I'm not suggesting anything of the sort: the capabilities for sending large > attributes & grouping them already exist (although in limited ways); I'm > talking about standardizing these existing capabilies, not adding new ones. If we can get the functionality of the new extended attributes applied to legacy RADIUS, I'm all for it. But I don't want it to be a lot of work... that causes bugs and interoperability issues. My preferences are to leave the extended attributes defined the way they are right now. Anything else starts to cause issues. e.g. legacy attributes encapsulated in a VSA.... what happens with legacy implementations? The only image that comes to mind is a cloud going *boom*. [gwz] ;-) Not sure why, though -- they would be easily identified & it seems like the code we're talking about should already exist (that's why we chose these rather modest techniques in the first place, right?). [/gwz] Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 15:22:55 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7cmF-0002wC-IP for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:22:55 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7cmD-0007v0-8W for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:22:55 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7chm-0005T5-Te for radiusext-data@psg.com; Wed, 26 Dec 2007 20:18:18 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.2 required=5.0 tests=AWL,BAYES_00,HTML_MESSAGE, RDNS_NONE autolearn=no version=3.2.3 Received: from [65.54.246.149] (helo=bay0-omc2-s13.bay0.hotmail.com) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7chk-0005Sj-B7 for radiusext@ops.ietf.org; Wed, 26 Dec 2007 20:18:17 +0000 Received: from BAY117-W37 ([207.46.8.72]) by bay0-omc2-s13.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 26 Dec 2007 12:18:16 -0800 Message-ID: Content-Type: multipart/alternative; boundary="_6dd47e72-f355-459e-9cd1-8663ebd42293_" X-Originating-IP: [67.183.152.50] From: Bernard Aboba To: Alan DeKok CC: Subject: RE: Comments on "practical deployments" Date: Wed, 26 Dec 2007 12:18:16 -0800 Importance: Normal In-Reply-To: References:

<47729414.9070608@nitros9.org> <4772AC0D.1000401@nitros9.org> MIME-Version: 1.0 X-OriginalArrivalTime: 26 Dec 2007 20:18:16.0155 (UTC) FILETIME=[72B05AB0:01C847FC] Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8 --_6dd47e72-f355-459e-9cd1-8663ebd42293_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable > The FMCA is trialling exactly this.=20 It will be interesting to see how well it works. I have previously been in= volved in a number of=20 inter-domain roaming trials. When the RADIUS traffic was routed through an= exchange point, the results were not very promising. With packet loss rates of 1-5%, RADIU= S retransmissions were pretty common and this would often lead to EAP retransmissions. The o= verall authentication times could get pretty long and sometimes authentication wou= ldn't complete at all. Most of the carriers we worked with ended up deploying web portals= instead :( --_6dd47e72-f355-459e-9cd1-8663ebd42293_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable > The FMCA is trialling exactly this.

It will be interesting to = see how well it works. I have previously been involved in a number of=
inter-domain roaming trials. When the RADIUS traffic was routed = through an exchange point,
the results were not very promising. Wi= th packet loss rates of 1-5%, RADIUS retransmissions
were pretty common = and this would often lead to EAP retransmissions. The overall
auth= entication times could get pretty long and sometimes authentication wouldn'= t complete
at all. Most of the carriers we worked with ended up de= ploying web portals instead :(
= --_6dd47e72-f355-459e-9cd1-8663ebd42293_-- -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 15:40:40 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7d3Q-0000dc-47 for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:40:40 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7d3O-0008JB-Gv for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:40:40 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7cxg-0006gr-6S for radiusext-data@psg.com; Wed, 26 Dec 2007 20:34:44 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [131.115.18.152] (helo=sehan001bb.han.telia.se) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7cxa-0006g9-JT for radiusext@ops.ietf.org; Wed, 26 Dec 2007 20:34:39 +0000 Received: from SEHAN021MB.tcad.telia.se ([131.115.18.160]) by sehan001bb.han.telia.se with Microsoft SMTPSVC(6.0.3790.1830); Wed, 26 Dec 2007 21:34:30 +0100 x-mimeole: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Subject: RE: Comments on "practical deployments" Date: Wed, 26 Dec 2007 21:34:24 +0100 Message-ID: <59D7431DE2527D4CB0F1EFEDA5683ED3024F9F17@SEHAN021MB.tcad.telia.se> In-Reply-To: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Comments on "practical deployments" Thread-Index: AchH+sS7oemdAUhtTMa/Bsc3AOaVBwAAgeqg From: To: , Cc: X-OriginalArrivalTime: 26 Dec 2007 20:34:30.0286 (UTC) FILETIME=[B750F2E0:01C847FE] Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 0ddefe323dd869ab027dbfff7eff0465 Hi, > > > While proxies are widely used today to facilitate inter-domain=20 > > > roaming, as far as I know, the combination of=20 > inter-domain roaming=20 > > > and EAP is very rare. GSMA trialed (with a number of hotspot & GSM operators mainly in Europe & Asia) EAP-based 802.11 roaming few years ago. This concentrated mainly on EAP-SIM and EAP-AKA. > > The FMCA is trialling exactly this. >=20 > Is this the Fixed Mobile Covergence Alliance? =20 Yes. [snip] > >> For example, the vast majority of all IEEE 802.11 hotspot=20 > deployments=20 > >> use Web-based access (e.g. UAM), not EAP. > >=20 > > Yes. In fact, the use of EAP *prevents* a large number of business=20 > > models for network access. >=20 > Could you expand on the problems? >=20 > > UMA leverages EAP and RADIUS, but it's buried deep in the network. >=20 > Yup. Doesn't seem like this would require inter-domain proxies. In the existing specs for 3GPP GAN (i.e. the current UMA) inter-operator roaming is defined and reuses in a carbon-copy fashion 3GPP Interworking WLAN EAP-based RADIUS roaming interface. However, operator business models typically do not favor deployments where GAN would need inter-operator RADIUS interface.. at least I am not aware of any such deployments. Jouni >=20 >=20 -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 15:55:42 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7dHy-00037X-KA for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:55:42 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7dHy-000076-5Q for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 15:55:42 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7dDw-0007sh-PW for radiusext-data@psg.com; Wed, 26 Dec 2007 20:51:32 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [208.179.69.44] (helo=WV-MAILSRV2.strixsystems.com) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7dDu-0007sL-AQ for radiusext@ops.ietf.org; Wed, 26 Dec 2007 20:51:31 +0000 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 12:51:25 -0800 Message-ID: In-Reply-To: <007e01c847fa$cbae1a00$630a4e00$@net> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Questions on modified Extended Attribute format? Thread-Index: AchH8+QgyomKZ9OBSR2hHFBZMYNg5QABjGnQAAGsRgA= References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> <005d01c847e8$20c81f30$62585d90$@net> <4772A741.40303@nitros9.org> <007e01c847fa$cbae1a00$630a4e00$@net> From: "Matt Holdrege" To: "Glen Zorn" , "Alan DeKok" Cc: Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 97adf591118a232206bdb5a27b217034 Glen, Didn't you say this same exact thing here a year or two ago? Or am I stuck in a time warp? Or is this group stuck in a time warp? -Matt (I'll go back into my hole now) -----Original Message----- From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Glen Zorn Sent: Wednesday, December 26, 2007 9:06 PM To: 'Alan DeKok' Cc: radiusext@ops.ietf.org Subject: RE: Questions on modified Extended Attribute format? [gwz]=20 I understand, & sympathize; I think that it's important to remember that a major reason that we ended up in the position of having multiple external SDOs defining their own mutually incompatible VSAs is that we (the IETF) refused to address RADIUS' problems in a useful and meaningful way. We have an opportunity now to ameliorate if not solve that problem; I don't think that we should pass it up. [/gwz] -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 17:18:43 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7eaJ-00058z-Hd for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 17:18:43 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7eaH-000228-Mr for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 17:18:43 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7eUg-000DU2-58 for radiusext-data@psg.com; Wed, 26 Dec 2007 22:12:54 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [76.96.30.24] (helo=QMTA02.emeryville.ca.mail.comcast.net) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7eUc-000DTP-5G for radiusext@ops.ietf.org; Wed, 26 Dec 2007 22:12:52 +0000 Received: from OMTA07.emeryville.ca.mail.comcast.net ([76.96.30.59]) by QMTA02.emeryville.ca.mail.comcast.net with comcast id Va8T1Y0081GXsuc0A00Q00; Wed, 26 Dec 2007 22:12:49 +0000 Received: from gwzPC ([67.168.164.234]) by OMTA07.emeryville.ca.mail.comcast.net with comcast id VaCo1Y00C53lGY38T00000; Wed, 26 Dec 2007 22:12:49 +0000 X-Authority-Analysis: v=1.0 c=1 a=Gn-g1Pkd9IgA:10 a=ADibbwqiEUIBRv5OvloA:9 a=zddfWqKmWRMfovMHnHtPSau2CNgA:4 a=tqucuuI3bnEA:10 From: "Glen Zorn" To: "'Matt Holdrege'" Cc: , "'Alan DeKok'" References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> <005d01c847e8$20c81f30$62585d90$@net> <4772A741.40303@nitros9.org> <007e01c847fa$cbae1a00$630a4e00$@net> In-Reply-To: Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 14:12:11 -0800 Message-ID: <00af01c8480c$5d526ef0$17f74cd0$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AchH8+QgyomKZ9OBSR2hHFBZMYNg5QABjGnQAAGsRgAAAt9pkA== Content-Language: en-us Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 52e1467c2184c31006318542db5614d5 Glen, Didn't you say this same exact thing here a year or two ago? Or am I stuck in a time warp? Or is this group stuck in a time warp? [gwz] Plus =E7a change, plus c'est la m=EAme chose... [/gwz] -Matt (I'll go back into my hole now) -----Original Message----- From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Glen Zorn Sent: Wednesday, December 26, 2007 9:06 PM To: 'Alan DeKok' Cc: radiusext@ops.ietf.org Subject: RE: Questions on modified Extended Attribute format? [gwz]=20 I understand, & sympathize; I think that it's important to remember that a major reason that we ended up in the position of having multiple external SDOs defining their own mutually incompatible VSAs is that we (the IETF) refused to address RADIUS' problems in a useful and meaningful way. We have an opportunity now to ameliorate if not solve that problem; I don't think that we should pass it up. [/gwz] -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 22:03:57 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7j2L-0003hc-UX for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 22:03:57 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7j2K-0006Tu-Dj for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 22:03:57 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7ixs-0004gW-HR for radiusext-data@psg.com; Thu, 27 Dec 2007 02:59:20 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [76.96.62.56] (helo=QMTA06.westchester.pa.mail.comcast.net) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7ixq-0004fV-50 for radiusext@ops.ietf.org; Thu, 27 Dec 2007 02:59:19 +0000 Received: from OMTA02.westchester.pa.mail.comcast.net ([76.96.62.19]) by QMTA06.westchester.pa.mail.comcast.net with comcast id VchK1Y0040QuhwU050Bp00; Thu, 27 Dec 2007 02:58:57 +0000 Received: from NEWTON603 ([24.61.11.96]) by OMTA02.westchester.pa.mail.comcast.net with comcast id Veyt1Y00324Kx1C3N00000; Thu, 27 Dec 2007 02:58:57 +0000 X-Authority-Analysis: v=1.0 c=1 a=Gn-g1Pkd9IgA:10 a=tm4dRX4hCESgZWtCz7gA:9 a=9zLGdUSSZW4Jmfgw5rny5cSfqmMA:4 a=zoKOyUDlhksA:10 From: "David B. Nelson" To: References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 21:58:54 -0500 Message-ID: <047101c84834$6add33c0$031716ac@NEWTON603> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 Thread-index: AchH6bKi6mr7v9FDS/emyMiHMVqnKAASb4ug Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: de4f315c9369b71d7dd5909b42224370 Bernard Aboba writes... > > WiMAX uses the same attribute format as proposed here. Changes that > > are incompatible with WiMAX should be discouraged. > > I would agree. If the extensions remain compatible with WiMAX then > the amount of code duplication will be minimized. I'm not so sure that I agree. We should do what's right for the RADIUS community. If that happens to be compatible with WiMAX, then great. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 23:49:37 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7kgb-0004H1-CD for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 23:49:37 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7kga-00086N-S0 for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 23:49:37 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7kcd-000B09-Fx for radiusext-data@psg.com; Thu, 27 Dec 2007 04:45:31 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7kca-000Azn-JT for radiusext@ops.ietf.org; Thu, 27 Dec 2007 04:45:30 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id 03E97A704E; Wed, 26 Dec 2007 20:45:15 -0800 (PST) Message-ID: <47732D87.5030501@nitros9.org> Date: Thu, 27 Dec 2007 05:43:51 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Bernard Aboba CC: radiusext@ops.ietf.org Subject: Re: Comments on "practical deployments" References:

<47729414.9070608@nitros9.org> <4772AC0D.1000401@nitros9.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 0bc60ec82efc80c84b8d02f4b0e4de22 Bernard Aboba wrote: > Is this the Fixed Mobile Covergence Alliance? Yes. I've been advising on the interconnect. >> Yes. In fact, the use of EAP *prevents* a large number of business >> models for network access. > > Could you expand on the problems? A customer wants to buy access. Right now in WiFi hotspots, they connect to a walled garden, and type in credit card details. Once payment has been processed, they obtain network access. If the only way to obtain network access is via EAP, then you have a bootstrapping problem. Once the users have signed up, everything is great. The users who *haven't* signed up are shut out. Permanently. The issue is less EAP than EAPoL. Without a real network connection, it's impossible for a client machine to do much of anything. EAP could be used in a walled garden if PANA was widely deployed, for example. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 23:54:01 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7kkr-00039T-Ll for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 23:54:01 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7kkr-00089s-AO for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 23:54:01 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7kh2-000BH5-59 for radiusext-data@psg.com; Thu, 27 Dec 2007 04:50:04 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7kgx-000BFy-BH for radiusext@ops.ietf.org; Thu, 27 Dec 2007 04:50:02 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id 79B5EA704E; Wed, 26 Dec 2007 20:49:52 -0800 (PST) Message-ID: <47732E9D.4030803@nitros9.org> Date: Thu, 27 Dec 2007 05:48:29 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Glen Zorn CC: radiusext@ops.ietf.org Subject: Re: Questions on modified Extended Attribute format? References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> <005d01c847e8$20c81f30$62585d90$@net> <4772A741.40303@nitros9.org> <007e01c847fa$cbae1a00$630a4e00$@net> In-Reply-To: <007e01c847fa$cbae1a00$630a4e00$@net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 9466e0365fc95844abaf7c3f15a05c7d Glen Zorn wrote: > I understand, & sympathize; I think that it's important to remember that a > major reason that we ended up in the position of having multiple external > SDOs defining their own mutually incompatible VSAs is that we (the IETF) > refused to address RADIUS' problems in a useful and meaningful way. We have > an opportunity now to ameliorate if not solve that problem; I don't think > that we should pass it up. If we're going to re-design the attribute format from scratch again, I'd like to know what we've accomplished in the past year. There were proposals that were ugly, but solved almost all of the concerns that were raised. This includes the ability to group legacy RADIUS attributes in a "new" format. The one show-stopper I see is putting standard RADIUS attributes into a VSA. If this has *zero* impact on implementations that don't understand the new format, then it would be acceptable. Otherwise, it's an incompatible change to RADIUS. If we can't put standard attributes into the new format, then we should just pick a better format, and ideally one that's been deployed. The WiMAX format (plus grouping) seems to fit that definition fairly well. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Wed Dec 26 23:56:55 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7knf-0000eI-9F for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 23:56:55 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7knd-0008CS-UX for radext-archive-IeZ9sae2@lists.ietf.org; Wed, 26 Dec 2007 23:56:55 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7kkZ-000Bc8-Jr for radiusext-data@psg.com; Thu, 27 Dec 2007 04:53:43 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7kkW-000Bbr-P6 for radiusext@ops.ietf.org; Thu, 27 Dec 2007 04:53:41 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id 449D2A704E; Wed, 26 Dec 2007 20:53:33 -0800 (PST) Message-ID: <47732F83.1000907@nitros9.org> Date: Thu, 27 Dec 2007 05:52:19 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Bernard Aboba CC: radiusext@ops.ietf.org Subject: Re: Comments on "practical deployments" References:

<47729414.9070608@nitros9.org> <4772AC0D.1000401@nitros9.org>

In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: b19722fc8d3865b147c75ae2495625f2 Bernard Aboba wrote: > It will be interesting to see how well it works. I have previously been > involved in a number of > inter-domain roaming trials. When the RADIUS traffic was routed through > an exchange point, > the results were not very promising. With packet loss rates of 1-5%, I'll track the tests, and see if we can do some measurements under load. For existing (non-EAP) proxies, I don't recall seeing loss rates that high. I'll go check, but I think latencies and loss have decreased, while bandwidth has increased in the net. Plus, most RADIUS interconnects are now done over Ipsec, which helps with the underlying reliability. > RADIUS retransmissions > were pretty common and this would often lead to EAP retransmissions. > The overall > authentication times could get pretty long and sometimes authentication > wouldn't complete > at all. Most of the carriers we worked with ended up deploying web > portals instead :( WiMAX is standardizing on EAP for authentication. Discussions are underway to design a standard interconnect architecture. So this appears to be less of a problem now. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Thu Dec 27 00:52:22 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7lfJ-0005yr-4E for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 00:52:22 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7lfG-0000ZO-Sq for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 00:52:21 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7lbL-000EsC-8d for radiusext-data@psg.com; Thu, 27 Dec 2007 05:48:15 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [208.179.69.44] (helo=WV-MAILSRV2.strixsystems.com) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7lal-000Eoy-9W for radiusext@ops.ietf.org; Thu, 27 Dec 2007 05:47:59 +0000 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 21:47:35 -0800 Message-ID: In-Reply-To: <00af01c8480c$5d526ef0$17f74cd0$@net> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Questions on modified Extended Attribute format? Thread-Index: AchH8+QgyomKZ9OBSR2hHFBZMYNg5QABjGnQAAGsRgAAAt9pkAAPrF/w References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> <005d01c847e8$20c81f30$62585d90$@net> <4772A741.40303@nitros9.org> <007e01c847fa$cbae1a00$630a4e00$@net> <00af01c8480c$5d526ef0$17f74cd0$@net> From: "Matt Holdrege" To: "Glen Zorn" Cc: , "Alan DeKok" Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793 No kidding. I think my first RADIUS WG meeting was almost 12 years ago = at IETF 35. Take a look at = http://www3.ietf.org/proceedings/96mar/area.and.wg.reports/ops/radius/rad= ius.html and read the minutes. You might laugh at the irony, or more likely cry. Are the current AD's = aware of the history here? -Matt -----Original Message----- From: Glen Zorn [mailto:glenzorn@comcast.net]=20 Sent: Wednesday, December 26, 2007 11:12 PM To: Matt Holdrege Cc: radiusext@ops.ietf.org; 'Alan DeKok' Subject: RE: Questions on modified Extended Attribute format? Glen, Didn't you say this same exact thing here a year or two ago? Or am I stuck in a time warp? Or is this group stuck in a time warp? [gwz] Plus =E7a change, plus c'est la m=EAme chose... [/gwz] -Matt (I'll go back into my hole now) -----Original Message----- From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Glen Zorn Sent: Wednesday, December 26, 2007 9:06 PM To: 'Alan DeKok' Cc: radiusext@ops.ietf.org Subject: RE: Questions on modified Extended Attribute format? [gwz]=20 I understand, & sympathize; I think that it's important to remember that a major reason that we ended up in the position of having multiple external SDOs defining their own mutually incompatible VSAs is that we (the IETF) refused to address RADIUS' problems in a useful and meaningful way. We have an opportunity now to ameliorate if not solve that problem; I don't think that we should pass it up. [/gwz] -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Thu Dec 27 05:31:03 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7q11-0007WA-3t for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 05:31:03 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7q0z-0005It-FW for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 05:31:03 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7pvP-0004Gk-LC for radiusext-data@psg.com; Thu, 27 Dec 2007 10:25:15 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7puz-0004El-Du for radiusext@ops.ietf.org; Thu, 27 Dec 2007 10:25:01 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id 845C9A704E; Thu, 27 Dec 2007 02:24:37 -0800 (PST) Message-ID: <47737D1C.5050208@nitros9.org> Date: Thu, 27 Dec 2007 11:23:24 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Bernard_Aboba@hotmail.com CC: radiusext@ops.ietf.org Subject: Re: E2E and crypto-agility References:

<47729414.9070608@nitros9.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: fb6060cb60c0cea16e3f7219e40a0a81 Bernard_Aboba@hotmail.com wrote: >> What is "end to end" ? > > I think it means something like "protection of RADIUS attributes from > disclosure to parties other than the NAS and home server". OK. I just wanted to be sure. > In the AAA WG there were a number of mechanisms investigated by > which a NAS and home server could derive a key that could be > used to protect attributes from disclosure to proxies. These methods > included Kerberos and CMS. For example, see: > http://www.watersprings.org/pub/id/draft-kaushik-radius-sec-ext-06.txt i.e. The NAS somehow knows a realm, knows how to talk to a server for that realm, and can obtain a secret key for that realm. > So I think the question is not "can it be done?" but rather "how does > this relate to RADIUS crypto-agility?" and > "should solving this problem be a requirement?" I would say that it is a problem we should try to solve. I'm not sure how much it affects crypto-agility. Back to my earlier question about "end to end", I think the only ends that matter are the end user and home server. The NAS is in contact with both, and can leverage it's relationship with the end user to do things that are normally impossible in RADIUS. If we assume that the end user and home RADIUS server can independently derive keying material, then the server can supply keying material to the NAS, and the end user can do the same. The NAS can then derive keying material, without it being exposed to anyone else. e.g. RADIUS, end-user: derive K', K'' RADIUS -> NAS: E = ENC(K') (using key K'') end-user -> NAS: K'' If we assume that each RADIUS hop also encrypts E using the Tunnel-Password method: T = tunnel_encrypt(per-hop-secret, E) Then we have the following properties: - no RADIUS proxy knows K' (they only know E) - The NAS can derive K' from E and K'' - an attacker watching RADIUS only knows T - an attacker watching the end-user traffic only knows K'' - an attacker watching *both* RADIUS and supplicant traffic knows T and K'', which is insufficient to derive K' - any intermediary RADIUS proxy that handles tunnel-password encryption can transport E. For EAP-TLS based methods, the TLS master session key can be used to derive keying material. We would need to define one new RADIUS attribute to transport the keying material E, and update EAPoL to transport K''. This capability could be negotiated between the NAS and supplicant, and advertised to the home RADIUS server by the supplicant, inside of the TLS tunnel. So far as crypto-agility goes, this method needs to be extensible to multiple key sizes, encryption methods, authentication hashes, etc. But it's independent of transport proposals such as DTLS or TLS. (insert standard disclaimer here: this proposal has not been vetted by a crypto expert) Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Thu Dec 27 11:27:23 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7vZr-0005gK-8M for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 11:27:23 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7vZp-0003Ua-OA for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 11:27:23 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7vTR-0007OB-Ux for radiusext-data@psg.com; Thu, 27 Dec 2007 16:20:45 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [64.140.243.164] (helo=gumby.elbrysnetworks.com) by psg.com with smtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7vTP-0007NV-5L for radiusext@ops.ietf.org; Thu, 27 Dec 2007 16:20:44 +0000 Received: (qmail 4525 invoked from network); 27 Dec 2007 11:20:41 -0500 Received: from unknown (HELO xpsuperdvd2) (172.22.18.93) by gumby.elbrysnetworks.com with SMTP; 27 Dec 2007 11:20:41 -0500 From: "David B. Nelson" To: References:

<47729414.9070608@nitros9.org> <4772AC0D.1000401@nitros9.org> <47732D87.5030501@nitros9.org> Subject: RE: Comments on "practical deployments" Date: Thu, 27 Dec 2007 11:18:10 -0500 Organization: Elbrys Networks, Inc. Message-ID: <002c01c848a4$12f10180$5d1216ac@xpsuperdvd2> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 Thread-Index: AchIQ9X6kcwWfPT/QyOn0U83uBGF3AAYA2KA X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 In-Reply-To: <47732D87.5030501@nitros9.org> Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 856eb5f76e7a34990d1d457d8e8e5b7f Alan DeKok writes... > A customer wants to buy access. Right now in WiFi hotspots, they > connect to a walled garden, and type in credit card details. Once > payment has been processed, they obtain network access. > > If the only way to obtain network access is via EAP, then you have a > bootstrapping problem. Once the users have signed up, everything is > great. The users who *haven't* signed up are shut out. Permanently. So, this is really an enrollment issue, not an authentication issue? -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Thu Dec 27 11:32:10 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7veU-0007KL-2o for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 11:32:10 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7veT-0003ab-QN for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 11:32:10 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7vXY-0007gD-16 for radiusext-data@psg.com; Thu, 27 Dec 2007 16:25:00 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [64.140.243.164] (helo=gumby.elbrysnetworks.com) by psg.com with smtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7vXV-0007ff-8C for radiusext@ops.ietf.org; Thu, 27 Dec 2007 16:24:58 +0000 Received: (qmail 4597 invoked from network); 27 Dec 2007 11:24:56 -0500 Received: from unknown (HELO xpsuperdvd2) (172.22.18.93) by gumby.elbrysnetworks.com with SMTP; 27 Dec 2007 11:24:56 -0500 From: "David B. Nelson" To: References:

<47729414.9070608@nitros9.org> <4772AC0D.1000401@nitros9.org>

<47732F83.1000907@nitros9.org> Subject: RE: Comments on "practical deployments" Date: Thu, 27 Dec 2007 11:22:25 -0500 Organization: Elbrys Networks, Inc. Message-ID: <002d01c848a4$aae0ba30$5d1216ac@xpsuperdvd2> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 Thread-Index: AchIRN4GACFo3G70QmeG9a8ddUK70wAX1arg X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 In-Reply-To: <47732F83.1000907@nitros9.org> Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: cf4fa59384e76e63313391b70cd0dd25 Alan DeKok writes... > Plus, most RADIUS interconnects are now done over Ipsec, which helps > with the underlying reliability. I'm surprised to hear that (IPsec usage). Is this in selected topologies or deployment scenarios? If IPsec were really used for most RADIUS transmissions, wouldn't we have already solved the Crypto-Agility problem? :-) -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Thu Dec 27 13:44:01 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7xi5-0004oO-AF for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 13:44:01 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7xi4-0006Mh-3W for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 13:44:00 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7xat-000G2t-Gf for radiusext-data@psg.com; Thu, 27 Dec 2007 18:36:35 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7xag-000G1B-Cb for radiusext@ops.ietf.org; Thu, 27 Dec 2007 18:36:33 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id C08FEA704E; Thu, 27 Dec 2007 10:36:15 -0800 (PST) Message-ID: <4773F056.6070102@nitros9.org> Date: Thu, 27 Dec 2007 19:35:02 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: "David B. Nelson" CC: radiusext@ops.ietf.org Subject: Re: Comments on "practical deployments" References:

<47729414.9070608@nitros9.org> <4772AC0D.1000401@nitros9.org> <47732D87.5030501@nitros9.org> <002c01c848a4$12f10180$5d1216ac@xpsuperdvd2> In-Reply-To: <002c01c848a4$12f10180$5d1216ac@xpsuperdvd2> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 2409bba43e9c8d580670fda8b695204a David B. Nelson wrote: >> If the only way to obtain network access is via EAP, then you have a >> bootstrapping problem. Once the users have signed up, everything is >> great. The users who *haven't* signed up are shut out. Permanently. > > So, this is really an enrollment issue, not an authentication issue? No. Think of roaming, which I've been spending a lot of time on lately. If authentication is required for any IP-based network access, then how do roaming users know that they can authenticate using the local network? Pre-provisioning devices with roaming knowledge doesn't scale, and it doesn't handle dynamic networks. 802.11af doesn't scale either, and isn't designed to scale. When the user doesn't have any network access, they can't determine whether or not authentication is possible. They can't determine which authentication credentials to use. So requiring authentication means *forbidding* network access to a large class of users who could *potentially* obtain network access. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Thu Dec 27 13:44:11 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7xiF-0006Rc-9T for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 13:44:11 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7xiC-0006My-VW for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 13:44:11 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7xda-000GGI-07 for radiusext-data@psg.com; Thu, 27 Dec 2007 18:39:22 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7xdX-000GFo-4N for radiusext@ops.ietf.org; Thu, 27 Dec 2007 18:39:20 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id 53B85A704E; Thu, 27 Dec 2007 10:39:15 -0800 (PST) Message-ID: <4773F108.6060300@nitros9.org> Date: Thu, 27 Dec 2007 19:38:00 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: "David B. Nelson" CC: radiusext@ops.ietf.org Subject: Re: Comments on "practical deployments" References:

<47729414.9070608@nitros9.org> <4772AC0D.1000401@nitros9.org>

<47732F83.1000907@nitros9.org> <002d01c848a4$aae0ba30$5d1216ac@xpsuperdvd2> In-Reply-To: <002d01c848a4$aae0ba30$5d1216ac@xpsuperdvd2> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: d6b246023072368de71562c0ab503126 David B. Nelson wrote: > I'm surprised to hear that (IPsec usage). Is this in selected topologies or > deployment scenarios? If IPsec were really used for most RADIUS > transmissions, wouldn't we have already solved the Crypto-Agility problem? Most roaming providers and large companies do AAA interchange via IPSec. IPSec doesn't solve Crypto-Agility because there's no way for the RADIUS server to discover, or enforce, authentication and encryption policies. The only security relationships between the two are maintained in administrators heads, or in scripts tying the two systems together. Neither method is scalable, maintainable, or standardizable. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Thu Dec 27 13:46:23 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7xkN-0001QD-48 for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 13:46:23 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7xkK-0006QZ-OY for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 13:46:23 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7xg5-000GUh-IL for radiusext-data@psg.com; Thu, 27 Dec 2007 18:41:57 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,HTML_MESSAGE, RDNS_NONE autolearn=no version=3.2.3 Received: from [209.85.146.178] (helo=wa-out-1112.google.com) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7xfT-000GRC-W9 for radiusext@ops.ietf.org; Thu, 27 Dec 2007 18:41:40 +0000 Received: by wa-out-1112.google.com with SMTP id v27so5008212wah.23 for ; Thu, 27 Dec 2007 10:41:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; bh=XvmfpDNS2jdgiEl0iD96rNO2/Tj3A6TdDXjX5MTYj44=; b=fJK7kfcbentwZffvq16d32H5uxzlJiLG3KcGRPff2whheEhYzA3sFDVz5VZcaQXvbf9bocKoLmLHNf+Lrz8Q7r0MCgZjwbvu2pxLEXnFUq79/BAR8HCCcVTKATNKxmvDsB0QoXIPp+v45GtTRQeZPOtJM0VD3WUCKTnNLhyU/5k= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=R5btNTC06IBswOjAFFVyTu1w+CCeYYrahWMHpp/BO7X25Th3A1fANnGVOlSDM//dn/qetJjJzSvvbn5QLLVRjiUonq9bbTxyKTO+R25IByRPQ++Mtbhh3gjIeoDg3lN2rPSPMPzqkGsNeF3Twdf1dyMB1gy9d4qLpy18wh1HysE= Received: by 10.115.77.1 with SMTP id e1mr6800137wal.103.1198780877402; Thu, 27 Dec 2007 10:41:17 -0800 (PST) Received: by 10.115.60.12 with HTTP; Thu, 27 Dec 2007 10:41:17 -0800 (PST) Message-ID: Date: Thu, 27 Dec 2007 13:41:17 -0500 From: "Greg Weber" To: Bernard_Aboba@hotmail.com Subject: Re: RADEXT WG last call on RADIUS Design Guidelines Document Cc: radiusext@ops.ietf.org In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_17060_15529360.1198780877398" References: Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: a8a20a483a84f747e56475e290ee868e ------=_Part_17060_15529360.1198780877398 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline I went through the current RADIUS Guidelines doc and do not have anytechnical comments -one question and a couple minor editorial comments below. I think the doc can be passed to IESG. Question: In the description of polymorphic attributes (sec 3.2), what does this mean: "...the meaning of an attribute may depend on earlier packets in a sequence." ? Is that referring to a request/challenge sequence? Minor Editorial changes: Sec 1.1: "it's usage" -> "its usage" Sec 2.1.3: "to introduced" -> "to be introduced" Sec 2.1.3: "This issues" -> "These issues" Sec 2.1.3: "attributes involve authentication" -> "attributes involving authentication" Sec 2.1.3: I'd remove the "(e.g., IPv6 address)" from the last paragraph. That's not a good example anymore as we've earlier called IPv6 a basic data type in Sec 2.1.1. Sec 2.2: Last paragraph has the wrong indentation Sec 3.1.1: "vendors and SDOs they SHOULD" -> "vendors and SDOs SHOULD" Sec 3.1.3: Expand PEC acronym at first use? Sec A.1.2: "not included nested groups" -> "not include nested groups" Greg On Dec 26, 2007 12:53 PM, wrote: > This is an announcement of RADEXT WG last call on the > "RADIUS Design Guidelines" document, prior to sending > it to the IESG for publication as a Proposed > Standard. The document is available for inspection here: > http://www.ietf.org/internet-drafts/draft-ietf-radext-design-02.txt > > RADEXT WG last call will complete on January 15, 2008. Please respond > to this solicitation if you have read the document, regardless of whether > you > have comments to provide or not. In your email, please state whether you > believe that the document is ready for publication. > > If you have comments to provide, please send them to the > RADEXT WG mailing list (radiusext@ops.ietf.org), > using the format described in the RADEXT Issues tracker: > http://www.drizzle.com/~aboba/RADEXT/ > ------=_Part_17060_15529360.1198780877398 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline

I went through the current RADIUS Guidelines doc and do not have any

technical comments -one question and a couple minor editorial comments

below. I think the doc can be passed to IESG.

Question: In the description of polymorphic attributes (sec 3.2), what

does this mean: "...the meaning of an attribute may depend on earlier

packets in a sequence." ? Is that referring to a request/challenge sequence?

Minor Editorial changes:

Sec 1.1: "it's usage" -> "its usage"

Sec 2.1.3: "to introduced" -> "to be introduced"

Sec 2.1.3: "This issues" -> "These issues"

Sec 2.1.3: "attributes involve authentication" -> "attributes involving authentication"

Sec 2.1.3: I'd remove the "(e.g., IPv6 address)" from the last paragraph. That's not

a good example anymore as we've earlier called IPv6 a basic data type in Sec 2.1.1.

Sec 2.2: Last paragraph has the wrong indentation

Sec 3.1.1: "vendors and SDOs they SHOULD" -> "vendors and SDOs SHOULD"

Sec 3.1.3: Expand PEC acronym at first use?

Sec A.1.2: "not included nested groups" -> "not include nested groups"

Greg

On Dec 26, 2007 12:53 PM, < Bernard_Aboba@hotmail.com> wrote:

This is an announcement of RADEXT WG last call on the

"RADIUS Design Guidelines" document, prior to sending

it to the IESG for publication as a Proposed

Standard. The document is available for inspection here:
http://www.ietf.org/internet-drafts/draft-ietf-radext-design-02.txt

RADEXT WG last call will complete on January 15, 2008. Please respond

to this solicitation if you have read the document, regardless of whether you

have comments to provide or not. In your email, please state whether you

believe that the document is ready for publication.

If you have comments to provide, please send them to the

RADEXT WG mailing list (radiusext@ops.ietf.org),

using the format described in the RADEXT Issues tracker:
http://www.drizzle.com/~aboba/RADEXT/

------=_Part_17060_15529360.1198780877398-- -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Thu Dec 27 14:03:44 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J7y1A-0002MU-CC for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 14:03:44 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J7y19-0006os-TE for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 14:03:44 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7xyO-000Hwt-CN for radiusext-data@psg.com; Thu, 27 Dec 2007 19:00:52 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J7xyI-000Hw2-8q for radiusext@ops.ietf.org; Thu, 27 Dec 2007 19:00:48 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id 3F7E2A704E; Thu, 27 Dec 2007 11:00:41 -0800 (PST) Message-ID: <4773F60E.70001@nitros9.org> Date: Thu, 27 Dec 2007 19:59:26 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Greg Weber CC: Bernard_Aboba@hotmail.com, radiusext@ops.ietf.org Subject: Re: RADEXT WG last call on RADIUS Design Guidelines Document References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 21c69d3cfc2dd19218717dbe1d974352 Greg Weber wrote: > I went through the current RADIUS Guidelines doc and do not have any > technical comments -one question and a couple minor editorial comments > below. I think the doc can be passed to IESG. Great! > Question: In the description of polymorphic attributes (sec 3.2), what > does this mean: "...the meaning of an attribute may depend on earlier > packets in a sequence." ? Is that referring to a request/challenge > sequence? Yes. Or, a series of otherwise unrelated Accounting-Requests. It's targeted at un-named SDO's and/or vendors who have horrid practices for dealing with attributes. Not just polymorphic attributes in one packet (if A then it's type B, otherwise it's type C), but across packets for *unrelated* sessions. > Minor Editorial changes: > Sec 1.1: "it's usage" -> "its usage" > Sec 2.1.3: "to introduced" -> "to be introduced" > Sec 2.1.3: "This issues" -> "These issues" > Sec 2.1.3: "attributes involve authentication" -> "attributes involving > authentication" > Sec 2.1.3: I'd remove the "(e.g., IPv6 address)" from the last > paragraph. That's not > a good example anymore as we've earlier called IPv6 a basic data type > in Sec 2.1.1. > Sec 2.2: Last paragraph has the wrong indentation > Sec 3.1.1: "vendors and SDOs they SHOULD" -> "vendors and SDOs SHOULD" > Sec 3.1.3: Expand PEC acronym at first use? Already done in Section 2.2. > Sec A.1.2: "not included nested groups" -> "not include nested groups" All other changes are good, thanks. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Thu Dec 27 18:35:21 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J82G1-0006wW-BU for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 18:35:21 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J82Fz-0003g0-OB for radext-archive-IeZ9sae2@lists.ietf.org; Thu, 27 Dec 2007 18:35:21 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J82AT-000Fq0-C9 for radiusext-data@psg.com; Thu, 27 Dec 2007 23:29:37 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [76.96.30.24] (helo=QMTA02.emeryville.ca.mail.comcast.net) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J82A1-000Fnq-Te for radiusext@ops.ietf.org; Thu, 27 Dec 2007 23:29:23 +0000 Received: from OMTA06.emeryville.ca.mail.comcast.net ([76.96.30.51]) by QMTA02.emeryville.ca.mail.comcast.net with comcast id VyqN1Y00816AWCU0A02d00; Thu, 27 Dec 2007 23:29:09 +0000 Received: from gwzPC ([67.168.164.234]) by OMTA06.emeryville.ca.mail.comcast.net with comcast id VzV81Y00653lGY38S00000; Thu, 27 Dec 2007 23:29:09 +0000 X-Authority-Analysis: v=1.0 c=1 a=Gn-g1Pkd9IgA:10 a=48vgC7mUAAAA:8 a=No5EcEP4AAAA:8 a=ECnOX4djFyjpVVWMxboA:9 a=UWfgv0dW2oblu7RHuf8A:7 a=_wMaV0gE8aUV72-Uf9d3EpytRIYA:4 a=tqucuuI3bnEA:10 From: "Glen Zorn" To: "'Alan DeKok'" Cc: References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> <005d01c847e8$20c81f30$62585d90$@net> <4772A741.40303@nitros9.org> <007e01c847fa$cbae1a00$630a4e00$@net> <47732E9D.4030803@nitros9.org> In-Reply-To: <47732E9D.4030803@nitros9.org> Subject: RE: Questions on modified Extended Attribute format? Date: Thu, 27 Dec 2007 15:28:26 -0800 Message-ID: <00b401c848e0$2f0e9c60$8d2bd520$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AchIRFH0Fy3x6ehPQu6lbVwDQtyEOQACiamA Content-Language: en-us Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44 Glen Zorn wrote: > I understand, & sympathize; I think that it's important to remember that a > major reason that we ended up in the position of having multiple external > SDOs defining their own mutually incompatible VSAs is that we (the IETF) > refused to address RADIUS' problems in a useful and meaningful way. We have > an opportunity now to ameliorate if not solve that problem; I don't think > that we should pass it up. If we're going to re-design the attribute format from scratch again, I'd like to know what we've accomplished in the past year. [gwz] I don't know where the "from scratch" comes from; there is a format defined in http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-00 .txt. I am suggesting adding a single octet to the format which A) would considerably enlarge the new type space and B) _could_ be used to standardize functionality that has been added to RADIUS over the years in an ad hoc fashion. [/gwz] There were proposals that were ugly, but solved almost all of the concerns that were raised. This includes the ability to group legacy RADIUS attributes in a "new" format. The one show-stopper I see is putting standard RADIUS attributes into a VSA. If this has *zero* impact on implementations that don't understand the new format, then it would be acceptable. Otherwise, it's an incompatible change to RADIUS. [gwz] Interesting definition of "incompatible". If that is in fact the standard to be met we may as well just fold up our tents and go home since there is _no_ change that could be made which would have "*zero* impact on implementations that don't understand". [/gwz] If we can't put standard attributes into the new format, then we should just pick a better format, and ideally one that's been deployed. The WiMAX format (plus grouping) seems to fit that definition fairly well. [gwz] Can you tell us what it looks like? [/gwz] Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Fri Dec 28 03:49:00 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J8Atn-0003n9-Kq for radext-archive-IeZ9sae2@lists.ietf.org; Fri, 28 Dec 2007 03:48:59 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J8Atn-0005XK-1U for radext-archive-IeZ9sae2@lists.ietf.org; Fri, 28 Dec 2007 03:48:59 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J8Anc-000MKM-BS for radiusext-data@psg.com; Fri, 28 Dec 2007 08:42:36 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J8An6-000MIR-SZ for radiusext@ops.ietf.org; Fri, 28 Dec 2007 08:42:21 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id 063F2A704E; Fri, 28 Dec 2007 00:41:55 -0800 (PST) Message-ID: <4774B67D.7040603@nitros9.org> Date: Fri, 28 Dec 2007 09:40:29 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Glen Zorn CC: radiusext@ops.ietf.org Subject: Re: Questions on modified Extended Attribute format? References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> <005d01c847e8$20c81f30$62585d90$@net> <4772A741.40303@nitros9.org> <007e01c847fa$cbae1a00$630a4e00$@net> <47732E9D.4030803@nitros9.org> <00b401c848e0$2f0e9c60$8d2bd520$@net> In-Reply-To: <00b401c848e0$2f0e9c60$8d2bd520$@net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 9ed51c9d1356100bce94f1ae4ec616a9 Glen Zorn wrote: > [gwz] I don't know where the "from scratch" comes from; there is a format > defined in > http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-00 > .txt. I am suggesting adding a single octet to the format which Opens it up for change again, after a long discussion, where everyone had agreed that the format in -00 was acceptable. > Interesting definition of "incompatible". If that is in fact the standard > to be met we may as well just fold up our tents and go home since there is > _no_ change that could be made which would have "*zero* impact on > implementations that don't understand". It's not about changes, it's about *compatible* changes to the *standard* attributes. Let me re-phrase: - standard RADIUS attributes in a VSA MUST be compatible with existing implementations that only understand standard RADIUS attributes Put that way, it's obviously impossible. Since RADIUS has no capability negotiation, there's no way for the NAS to tell the server it is capable of that new functionality. Therefore, the proposed change is incompatible with existing deployments. > If we can't put standard attributes into the new format, then we > should just pick a better format, and ideally one that's been deployed. > The WiMAX format (plus grouping) seems to fit that definition fairly well. > > [gwz] > Can you tell us what it looks like? > [/gwz] The format in -00, which achieved WG consensus after long and protracted discussion. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Fri Dec 28 06:20:13 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J8DG9-00031C-EB for radext-archive-IeZ9sae2@lists.ietf.org; Fri, 28 Dec 2007 06:20:13 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J8DG8-0001tn-UV for radext-archive-IeZ9sae2@lists.ietf.org; Fri, 28 Dec 2007 06:20:13 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J8DAt-0005ns-70 for radiusext-data@psg.com; Fri, 28 Dec 2007 11:14:47 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [216.240.42.17] (helo=deployingradius.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J8DAp-0005nW-TM for radiusext@ops.ietf.org; Fri, 28 Dec 2007 11:14:45 +0000 Received: from [192.168.0.14] (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by deployingradius.com (Postfix) with ESMTP id 62A68A704E; Fri, 28 Dec 2007 03:14:34 -0800 (PST) Message-ID: <4774DA45.4040106@nitros9.org> Date: Fri, 28 Dec 2007 12:13:09 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Bernard Aboba CC: radiusext@ops.ietf.org Subject: Re: RADEXT WG last call on RADIUS Attributes for Filtering and Redirection References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 244a2fd369eaf00ce6820a760a3de2e8 Bernard Aboba wrote: > Given that no comments have been received during the last two RADEXT WG > last calls, we are going to bring the document to RADEXT WG call again. > This RADEXT WG last call will last until January 15, 2008. Some comments: 1.4: It may be useful to note that an Accounting-Request packet MAY be generated when the NAS cannot apply an attribute in the Access-Accept. The Accounting Request MAY contain Error-Cause, with value "Unsupported Attribute" (401), and Acct-Status-Type = Stop, Acct-Terminate-Cause = NAS-Error. This serves as limited capability feedback. Page 12: "any" Keyword for 0.0.0.0/0 or the IPv6 equivalent. The IPv6 equivalent is...? It could be specified here. "ipoptions" Match if the IP header contains the comma separated list of options specified in spec. The supported Can we allow hexadecimal specifications of options, too? This would be useful, and would match the rest of the document (e.g. IP proto as a number, icmptypes, ...) A similar comment applies for tcpoptions. 3.1: Acct-NAS-Traffic-Rule is a complex attribute not meeting the suggestions in the guidelines document. Is there another way to achieve the same end? Since the extended attributes draft is still pending, I think the answer is "no". 1.3: Capability advertisement could be done in a limited way by permitting NAS-Traffic-Rule in an Access-Request. Allowing this has practical uses, too. e.g. a WiFi hotspot (walled garden) could advertise upstream that it is *currently* blocking traffic, by sending it's filter rule: NAS-Traffic-Rule = "v1 redirect http://....local-login/" Similarly, a NAS requiring 802.1x could send: NAS-Traffic-Rule = "v1 permit inout l2:ether2:0x888e from any to NAS-MAC-address" i.e. EAPoL is permitted, everything else is discarded. This information is useful for upstream servers, and can help them make better policy decisions. It solves a serious problem in many current deployments, where you have no idea what the NAS is currently doing... Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Fri Dec 28 11:41:49 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J8IHN-00004r-BF for radext-archive-IeZ9sae2@lists.ietf.org; Fri, 28 Dec 2007 11:41:49 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J8IHL-0008Je-N9 for radext-archive-IeZ9sae2@lists.ietf.org; Fri, 28 Dec 2007 11:41:49 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J8IC7-0003no-36 for radiusext-data@psg.com; Fri, 28 Dec 2007 16:36:23 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [76.96.30.40] (helo=QMTA04.emeryville.ca.mail.comcast.net) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J8IBh-0003ld-Pc for radiusext@ops.ietf.org; Fri, 28 Dec 2007 16:36:06 +0000 Received: from OMTA14.emeryville.ca.mail.comcast.net ([76.96.30.60]) by QMTA04.emeryville.ca.mail.comcast.net with comcast id WGHL1Y0041HpZEs0A01700; Fri, 28 Dec 2007 16:35:57 +0000 Received: from gwzPC ([67.168.164.234]) by OMTA14.emeryville.ca.mail.comcast.net with comcast id WGbw1Y00853lGY38a00000; Fri, 28 Dec 2007 16:35:57 +0000 X-Authority-Analysis: v=1.0 c=1 a=Gn-g1Pkd9IgA:10 a=48vgC7mUAAAA:8 a=Blv05YPQ_f2cQ_di2GEA:9 a=zPp6G401ZRb-dlDJdAEVKiws7pMA:4 a=_3nJN2eeWHAA:10 From: "Glen Zorn" To: "'Alan DeKok'" Cc: References: <003401c83a92$db6ed850$924c88f0$@net> <47729084.8060206@nitros9.org> <005d01c847e8$20c81f30$62585d90$@net> <4772A741.40303@nitros9.org> <007e01c847fa$cbae1a00$630a4e00$@net> <47732E9D.4030803@nitros9.org> <00b401c848e0$2f0e9c60$8d2bd520$@net> <4774B67D.7040603@nitros9.org> In-Reply-To: <4774B67D.7040603@nitros9.org> Subject: RE: Questions on modified Extended Attribute format? Date: Fri, 28 Dec 2007 08:35:11 -0800 Message-ID: <005601c8496f$9e430910$dac91b30$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AchJLY23MN1TT6VZTlKErx/oS6i0uwAQHKnw Content-Language: en-us Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15 ... > [gwz] I don't know where the "from scratch" comes from; there is a format > defined in > http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-00 > .txt. I am suggesting adding a single octet to the format which Opens it up for change again, after a long discussion, where everyone had agreed that the format in -00 was acceptable. > Interesting definition of "incompatible". If that is in fact the standard > to be met we may as well just fold up our tents and go home since there is > _no_ change that could be made which would have "*zero* impact on > implementations that don't understand". It's not about changes, it's about *compatible* changes to the *standard* attributes. Let me re-phrase: - standard RADIUS attributes in a VSA MUST be compatible with existing implementations that only understand standard RADIUS attributes Put that way, it's obviously impossible. Since RADIUS has no capability negotiation, there's no way for the NAS to tell the server it is capable of that new functionality. Therefore, the proposed change is incompatible with existing deployments. [gwz] As I said, put that way or any other way you like, ANY change is incompatible with existing deployments. If one were to add a new "standard" attribute (in the old format or the proposed VSA-like format or any other) it would be incompatible with existing deployments. The whole idea of extended attributes REQUIRES that existing deployment be updated, no matter how they are formatted. [/gwz] > If we can't put standard attributes into the new format, then we > should just pick a better format, and ideally one that's been deployed. > The WiMAX format (plus grouping) seems to fit that definition fairly well. > > [gwz] > Can you tell us what it looks like? > [/gwz] The format in -00, which achieved WG consensus after long and protracted discussion. [gwz] Actually, while the timeframe was long, the discussion wasn't: I've only received a couple of comments on it in the last months. It _did_ take an inordinate amount of time to reject the 'Diameterization' of RADIUS, though... [/gwz] Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Fri Dec 28 16:28:45 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J8Ml3-0005gy-6W for radext-archive-IeZ9sae2@lists.ietf.org; Fri, 28 Dec 2007 16:28:45 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J8Ml1-0006C9-Kn for radext-archive-IeZ9sae2@lists.ietf.org; Fri, 28 Dec 2007 16:28:45 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J8MgK-0000oF-Df for radiusext-data@psg.com; Fri, 28 Dec 2007 21:23:52 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.2 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [65.54.246.175] (helo=bay0-omc2-s39.bay0.hotmail.com) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J8MgH-0000nn-VJ for radiusext@ops.ietf.org; Fri, 28 Dec 2007 21:23:51 +0000 Received: from BAY117-W16 ([207.46.8.51]) by bay0-omc2-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 28 Dec 2007 13:23:49 -0800 Message-ID: X-Originating-IP: [67.183.152.50] From: Bernard Aboba To: Subject: Re: new format Date: Fri, 28 Dec 2007 13:23:49 -0800 Importance: Normal Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginalArrivalTime: 28 Dec 2007 21:23:49.0771 (UTC) FILETIME=[F02205B0:01C84997] Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: cf4fa59384e76e63313391b70cd0dd25 [gwz]=20 Actually, I've convinced myself that a) this idea was not quite baked & b) = I was wrong about making the Ext-Type field just one octet. If we make the Ext-Type field 16 bits in length _and_ start numbering the new attributes a= t 0x100, that would seem to solve a couple of problems nicely. [BA] Could you elaborate on the new design and the issues this would solve= ? = -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-radiusext@ops.ietf.org Fri Dec 28 17:57:30 2007 Return-path: Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J8O8w-0002ad-DG for radext-archive-IeZ9sae2@lists.ietf.org; Fri, 28 Dec 2007 17:57:30 -0500 Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J8O8v-0001iq-Vx for radext-archive-IeZ9sae2@lists.ietf.org; Fri, 28 Dec 2007 17:57:30 -0500 Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J8O5J-0007Qb-QH for radiusext-data@psg.com; Fri, 28 Dec 2007 22:53:45 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3 Received: from [76.96.30.17] (helo=QMTA10.emeryville.ca.mail.comcast.net) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1J8O5H-0007QG-2S for radiusext@ops.ietf.org; Fri, 28 Dec 2007 22:53:44 +0000 Received: from OMTA12.emeryville.ca.mail.comcast.net ([76.96.30.44]) by QMTA10.emeryville.ca.mail.comcast.net with comcast id WDwW1Y00T0x6nqcAA0iF00; Fri, 28 Dec 2007 22:53:41 +0000 Received: from gwzPC ([67.168.164.234]) by OMTA12.emeryville.ca.mail.comcast.net with comcast id WNtg1Y00753lGY38Y00000; Fri, 28 Dec 2007 22:53:41 +0000 X-Authority-Analysis: v=1.0 c=1 a=zz3dB5q32WxJMubKTZMA:9 a=o3soeppdtKtru9tUsjeJ8RAn-s4A:4 a=4qiyTvuS2hIA:10 From: "Glen Zorn" To: "'Bernard Aboba'" Cc: References: In-Reply-To: Subject: RE: new format Date: Fri, 28 Dec 2007 14:52:53 -0800 Message-ID: <00b201c849a4$61fdb420$25f91c60$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AchJmI0HHakdGdEEQNqLn3Xy23n13wACcYBg Content-Language: en-us Sender: owner-radiusext@ops.ietf.org Precedence: bulk X-Spam-Score: -4.0 (----) X-Scan-Signature: e5ba305d0e64821bf3d8bc5d3bb07228 [gwz] Actually, I've convinced myself that a) this idea was not quite baked & b) I was wrong about making the Ext-Type field just one octet. If we make the Ext-Type field 16 bits in length _and_ start numbering the new attributes at 0x100, that would seem to solve a couple of problems nicely. [BA] Could you elaborate on the new design and the issues this would solve? [gwz] Making the Ext-Type field 16 bits instead of 8 basically eliminates the prospect of running out of attribute numbers. Starting the Ext-Type numbering at 0x100 instead of 1 eliminates any conflict between the extended attribute types and existing standard attributes; because the type spaces do not conflict and it's easy to differentiate between extended and standard attributes encapsulated in the new format (the most significant octet is always zero for standard attributes & never zero for extended types), this open the possibility of including standard attributes in the new format & getting the benefits of grouping, etc. for them as well as newly defined attributes. My motivation for suggesting this change is that it just occurred to me that all these groovy new capabilities defined for the extended attributes are nice but not especially useful (how many new standard attributes will we define? 5? 10? 20?) unless they could be applied to existing attributes, too. [/gwz] -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Fri, 28 Dec 2007 22:54:15 +0000 From: "Glen Zorn" To: "'Bernard Aboba'" Cc: Subject: RE: new format Date: Fri, 28 Dec 2007 14:52:53 -0800 Message-ID: <00b201c849a4$61fdb420$25f91c60$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Thread-Index: AchJmI0HHakdGdEEQNqLn3Xy23n13wACcYBg Content-Language: en-us [gwz] Actually, I've convinced myself that a) this idea was not quite baked & b) I was wrong about making the Ext-Type field just one octet. If we make the Ext-Type field 16 bits in length _and_ start numbering the new attributes at 0x100, that would seem to solve a couple of problems nicely. [BA] Could you elaborate on the new design and the issues this would solve? [gwz] Making the Ext-Type field 16 bits instead of 8 basically eliminates the prospect of running out of attribute numbers. Starting the Ext-Type numbering at 0x100 instead of 1 eliminates any conflict between the extended attribute types and existing standard attributes; because the type spaces do not conflict and it's easy to differentiate between extended and standard attributes encapsulated in the new format (the most significant octet is always zero for standard attributes & never zero for extended types), this open the possibility of including standard attributes in the new format & getting the benefits of grouping, etc. for them as well as newly defined attributes. My motivation for suggesting this change is that it just occurred to me that all these groovy new capabilities defined for the extended attributes are nice but not especially useful (how many new standard attributes will we define? 5? 10? 20?) unless they could be applied to existing attributes, too. [/gwz] -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Fri, 28 Dec 2007 21:25:02 +0000 Message-ID: From: Bernard Aboba To: Subject: Re: new format Date: Fri, 28 Dec 2007 13:23:49 -0800 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 [gwz]=20 Actually, I've convinced myself that a) this idea was not quite baked & b) = I was wrong about making the Ext-Type field just one octet. If we make the Ext-Type field 16 bits in length _and_ start numbering the new attributes a= t 0x100, that would seem to solve a couple of problems nicely. [BA] Could you elaborate on the new design and the issues this would solve= ? = -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Fri, 28 Dec 2007 16:37:22 +0000 From: "Glen Zorn" To: "'Alan DeKok'" Cc: Subject: RE: Questions on modified Extended Attribute format? Date: Fri, 28 Dec 2007 08:35:11 -0800 Message-ID: <005601c8496f$9e430910$dac91b30$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Thread-Index: AchJLY23MN1TT6VZTlKErx/oS6i0uwAQHKnw Content-Language: en-us ... > [gwz] I don't know where the "from scratch" comes from; there is a format > defined in > http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-00 > .txt. I am suggesting adding a single octet to the format which Opens it up for change again, after a long discussion, where everyone had agreed that the format in -00 was acceptable. > Interesting definition of "incompatible". If that is in fact the standard > to be met we may as well just fold up our tents and go home since there is > _no_ change that could be made which would have "*zero* impact on > implementations that don't understand". It's not about changes, it's about *compatible* changes to the *standard* attributes. Let me re-phrase: - standard RADIUS attributes in a VSA MUST be compatible with existing implementations that only understand standard RADIUS attributes Put that way, it's obviously impossible. Since RADIUS has no capability negotiation, there's no way for the NAS to tell the server it is capable of that new functionality. Therefore, the proposed change is incompatible with existing deployments. [gwz] As I said, put that way or any other way you like, ANY change is incompatible with existing deployments. If one were to add a new "standard" attribute (in the old format or the proposed VSA-like format or any other) it would be incompatible with existing deployments. The whole idea of extended attributes REQUIRES that existing deployment be updated, no matter how they are formatted. [/gwz] > If we can't put standard attributes into the new format, then we > should just pick a better format, and ideally one that's been deployed. > The WiMAX format (plus grouping) seems to fit that definition fairly well. > > [gwz] > Can you tell us what it looks like? > [/gwz] The format in -00, which achieved WG consensus after long and protracted discussion. [gwz] Actually, while the timeframe was long, the discussion wasn't: I've only received a couple of comments on it in the last months. It _did_ take an inordinate amount of time to reject the 'Diameterization' of RADIUS, though... [/gwz] Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Fri, 28 Dec 2007 11:15:40 +0000 Message-ID: <4774DA45.4040106@nitros9.org> Date: Fri, 28 Dec 2007 12:13:09 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Bernard Aboba CC: radiusext@ops.ietf.org Subject: Re: RADEXT WG last call on RADIUS Attributes for Filtering and Redirection Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Bernard Aboba wrote: > Given that no comments have been received during the last two RADEXT WG > last calls, we are going to bring the document to RADEXT WG call again. > This RADEXT WG last call will last until January 15, 2008. Some comments: 1.4: It may be useful to note that an Accounting-Request packet MAY be generated when the NAS cannot apply an attribute in the Access-Accept. The Accounting Request MAY contain Error-Cause, with value "Unsupported Attribute" (401), and Acct-Status-Type = Stop, Acct-Terminate-Cause = NAS-Error. This serves as limited capability feedback. Page 12: "any" Keyword for 0.0.0.0/0 or the IPv6 equivalent. The IPv6 equivalent is...? It could be specified here. "ipoptions" Match if the IP header contains the comma separated list of options specified in spec. The supported Can we allow hexadecimal specifications of options, too? This would be useful, and would match the rest of the document (e.g. IP proto as a number, icmptypes, ...) A similar comment applies for tcpoptions. 3.1: Acct-NAS-Traffic-Rule is a complex attribute not meeting the suggestions in the guidelines document. Is there another way to achieve the same end? Since the extended attributes draft is still pending, I think the answer is "no". 1.3: Capability advertisement could be done in a limited way by permitting NAS-Traffic-Rule in an Access-Request. Allowing this has practical uses, too. e.g. a WiFi hotspot (walled garden) could advertise upstream that it is *currently* blocking traffic, by sending it's filter rule: NAS-Traffic-Rule = "v1 redirect http://....local-login/" Similarly, a NAS requiring 802.1x could send: NAS-Traffic-Rule = "v1 permit inout l2:ether2:0x888e from any to NAS-MAC-address" i.e. EAPoL is permitted, everything else is discarded. This information is useful for upstream servers, and can help them make better policy decisions. It solves a serious problem in many current deployments, where you have no idea what the NAS is currently doing... Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Fri, 28 Dec 2007 08:43:35 +0000 Message-ID: <4774B67D.7040603@nitros9.org> Date: Fri, 28 Dec 2007 09:40:29 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Glen Zorn CC: radiusext@ops.ietf.org Subject: Re: Questions on modified Extended Attribute format? Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Glen Zorn wrote: > [gwz] I don't know where the "from scratch" comes from; there is a format > defined in > http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-00 > .txt. I am suggesting adding a single octet to the format which Opens it up for change again, after a long discussion, where everyone had agreed that the format in -00 was acceptable. > Interesting definition of "incompatible". If that is in fact the standard > to be met we may as well just fold up our tents and go home since there is > _no_ change that could be made which would have "*zero* impact on > implementations that don't understand". It's not about changes, it's about *compatible* changes to the *standard* attributes. Let me re-phrase: - standard RADIUS attributes in a VSA MUST be compatible with existing implementations that only understand standard RADIUS attributes Put that way, it's obviously impossible. Since RADIUS has no capability negotiation, there's no way for the NAS to tell the server it is capable of that new functionality. Therefore, the proposed change is incompatible with existing deployments. > If we can't put standard attributes into the new format, then we > should just pick a better format, and ideally one that's been deployed. > The WiMAX format (plus grouping) seems to fit that definition fairly well. > > [gwz] > Can you tell us what it looks like? > [/gwz] The format in -00, which achieved WG consensus after long and protracted discussion. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 23:30:30 +0000 From: "Glen Zorn" To: "'Alan DeKok'" Cc: Subject: RE: Questions on modified Extended Attribute format? Date: Thu, 27 Dec 2007 15:28:26 -0800 Message-ID: <00b401c848e0$2f0e9c60$8d2bd520$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Thread-Index: AchIRFH0Fy3x6ehPQu6lbVwDQtyEOQACiamA Content-Language: en-us Glen Zorn wrote: > I understand, & sympathize; I think that it's important to remember that a > major reason that we ended up in the position of having multiple external > SDOs defining their own mutually incompatible VSAs is that we (the IETF) > refused to address RADIUS' problems in a useful and meaningful way. We have > an opportunity now to ameliorate if not solve that problem; I don't think > that we should pass it up. If we're going to re-design the attribute format from scratch again, I'd like to know what we've accomplished in the past year. [gwz] I don't know where the "from scratch" comes from; there is a format defined in http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-00 .txt. I am suggesting adding a single octet to the format which A) would considerably enlarge the new type space and B) _could_ be used to standardize functionality that has been added to RADIUS over the years in an ad hoc fashion. [/gwz] There were proposals that were ugly, but solved almost all of the concerns that were raised. This includes the ability to group legacy RADIUS attributes in a "new" format. The one show-stopper I see is putting standard RADIUS attributes into a VSA. If this has *zero* impact on implementations that don't understand the new format, then it would be acceptable. Otherwise, it's an incompatible change to RADIUS. [gwz] Interesting definition of "incompatible". If that is in fact the standard to be met we may as well just fold up our tents and go home since there is _no_ change that could be made which would have "*zero* impact on implementations that don't understand". [/gwz] If we can't put standard attributes into the new format, then we should just pick a better format, and ideally one that's been deployed. The WiMAX format (plus grouping) seems to fit that definition fairly well. [gwz] Can you tell us what it looks like? [/gwz] Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 19:01:14 +0000 Message-ID: <4773F60E.70001@nitros9.org> Date: Thu, 27 Dec 2007 19:59:26 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Greg Weber CC: Bernard_Aboba@hotmail.com, radiusext@ops.ietf.org Subject: Re: RADEXT WG last call on RADIUS Design Guidelines Document Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Greg Weber wrote: > I went through the current RADIUS Guidelines doc and do not have any > technical comments -one question and a couple minor editorial comments > below. I think the doc can be passed to IESG. Great! > Question: In the description of polymorphic attributes (sec 3.2), what > does this mean: "...the meaning of an attribute may depend on earlier > packets in a sequence." ? Is that referring to a request/challenge > sequence? Yes. Or, a series of otherwise unrelated Accounting-Requests. It's targeted at un-named SDO's and/or vendors who have horrid practices for dealing with attributes. Not just polymorphic attributes in one packet (if A then it's type B, otherwise it's type C), but across packets for *unrelated* sessions. > Minor Editorial changes: > Sec 1.1: "it's usage" -> "its usage" > Sec 2.1.3: "to introduced" -> "to be introduced" > Sec 2.1.3: "This issues" -> "These issues" > Sec 2.1.3: "attributes involve authentication" -> "attributes involving > authentication" > Sec 2.1.3: I'd remove the "(e.g., IPv6 address)" from the last > paragraph. That's not > a good example anymore as we've earlier called IPv6 a basic data type > in Sec 2.1.1. > Sec 2.2: Last paragraph has the wrong indentation > Sec 3.1.1: "vendors and SDOs they SHOULD" -> "vendors and SDOs SHOULD" > Sec 3.1.3: Expand PEC acronym at first use? Already done in Section 2.2. > Sec A.1.2: "not included nested groups" -> "not include nested groups" All other changes are good, thanks. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 18:42:24 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; bh=XvmfpDNS2jdgiEl0iD96rNO2/Tj3A6TdDXjX5MTYj44=; b=fJK7kfcbentwZffvq16d32H5uxzlJiLG3KcGRPff2whheEhYzA3sFDVz5VZcaQXvbf9bocKoLmLHNf+Lrz8Q7r0MCgZjwbvu2pxLEXnFUq79/BAR8HCCcVTKATNKxmvDsB0QoXIPp+v45GtTRQeZPOtJM0VD3WUCKTnNLhyU/5k= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=R5btNTC06IBswOjAFFVyTu1w+CCeYYrahWMHpp/BO7X25Th3A1fANnGVOlSDM//dn/qetJjJzSvvbn5QLLVRjiUonq9bbTxyKTO+R25IByRPQ++Mtbhh3gjIeoDg3lN2rPSPMPzqkGsNeF3Twdf1dyMB1gy9d4qLpy18wh1HysE= Message-ID: Date: Thu, 27 Dec 2007 13:41:17 -0500 From: "Greg Weber" To: Bernard_Aboba@hotmail.com Subject: Re: RADEXT WG last call on RADIUS Design Guidelines Document Cc: radiusext@ops.ietf.org MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_17060_15529360.1198780877398" ------=_Part_17060_15529360.1198780877398 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline I went through the current RADIUS Guidelines doc and do not have anytechnical comments -one question and a couple minor editorial comments below. I think the doc can be passed to IESG. Question: In the description of polymorphic attributes (sec 3.2), what does this mean: "...the meaning of an attribute may depend on earlier packets in a sequence." ? Is that referring to a request/challenge sequence? Minor Editorial changes: Sec 1.1: "it's usage" -> "its usage" Sec 2.1.3: "to introduced" -> "to be introduced" Sec 2.1.3: "This issues" -> "These issues" Sec 2.1.3: "attributes involve authentication" -> "attributes involving authentication" Sec 2.1.3: I'd remove the "(e.g., IPv6 address)" from the last paragraph. That's not a good example anymore as we've earlier called IPv6 a basic data type in Sec 2.1.1. Sec 2.2: Last paragraph has the wrong indentation Sec 3.1.1: "vendors and SDOs they SHOULD" -> "vendors and SDOs SHOULD" Sec 3.1.3: Expand PEC acronym at first use? Sec A.1.2: "not included nested groups" -> "not include nested groups" Greg On Dec 26, 2007 12:53 PM, wrote: > This is an announcement of RADEXT WG last call on the > "RADIUS Design Guidelines" document, prior to sending > it to the IESG for publication as a Proposed > Standard. The document is available for inspection here: > http://www.ietf.org/internet-drafts/draft-ietf-radext-design-02.txt > > RADEXT WG last call will complete on January 15, 2008. Please respond > to this solicitation if you have read the document, regardless of whether > you > have comments to provide or not. In your email, please state whether you > believe that the document is ready for publication. > > If you have comments to provide, please send them to the > RADEXT WG mailing list (radiusext@ops.ietf.org), > using the format described in the RADEXT Issues tracker: > http://www.drizzle.com/~aboba/RADEXT/ > ------=_Part_17060_15529360.1198780877398 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline

I went through the current RADIUS Guidelines doc and do not have any

technical comments -one question and a couple minor editorial comments

below. I think the doc can be passed to IESG.

Question: In the description of polymorphic attributes (sec 3.2), what

does this mean: "...the meaning of an attribute may depend on earlier

packets in a sequence." ? Is that referring to a request/challenge sequence?

Minor Editorial changes:

Sec 1.1: "it's usage" -> "its usage"

Sec 2.1.3: "to introduced" -> "to be introduced"

Sec 2.1.3: "This issues" -> "These issues"

Sec 2.1.3: "attributes involve authentication" -> "attributes involving authentication"

Sec 2.1.3: I'd remove the "(e.g., IPv6 address)" from the last paragraph. That's not

a good example anymore as we've earlier called IPv6 a basic data type in Sec 2.1.1.

Sec 2.2: Last paragraph has the wrong indentation

Sec 3.1.1: "vendors and SDOs they SHOULD" -> "vendors and SDOs SHOULD"

Sec 3.1.3: Expand PEC acronym at first use?

Sec A.1.2: "not included nested groups" -> "not include nested groups"

Greg

On Dec 26, 2007 12:53 PM, < Bernard_Aboba@hotmail.com> wrote:

This is an announcement of RADEXT WG last call on the

"RADIUS Design Guidelines" document, prior to sending

it to the IESG for publication as a Proposed

Standard. The document is available for inspection here:
http://www.ietf.org/internet-drafts/draft-ietf-radext-design-02.txt

RADEXT WG last call will complete on January 15, 2008. Please respond

to this solicitation if you have read the document, regardless of whether you

have comments to provide or not. In your email, please state whether you

believe that the document is ready for publication.

If you have comments to provide, please send them to the

RADEXT WG mailing list (radiusext@ops.ietf.org),

using the format described in the RADEXT Issues tracker:
http://www.drizzle.com/~aboba/RADEXT/

------=_Part_17060_15529360.1198780877398-- -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 18:39:38 +0000 Message-ID: <4773F108.6060300@nitros9.org> Date: Thu, 27 Dec 2007 19:38:00 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: "David B. Nelson" CC: radiusext@ops.ietf.org Subject: Re: Comments on "practical deployments" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit David B. Nelson wrote: > I'm surprised to hear that (IPsec usage). Is this in selected topologies or > deployment scenarios? If IPsec were really used for most RADIUS > transmissions, wouldn't we have already solved the Crypto-Agility problem? Most roaming providers and large companies do AAA interchange via IPSec. IPSec doesn't solve Crypto-Agility because there's no way for the RADIUS server to discover, or enforce, authentication and encryption policies. The only security relationships between the two are maintained in administrators heads, or in scripts tying the two systems together. Neither method is scalable, maintainable, or standardizable. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 18:37:53 +0000 Message-ID: <4773F056.6070102@nitros9.org> Date: Thu, 27 Dec 2007 19:35:02 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: "David B. Nelson" CC: radiusext@ops.ietf.org Subject: Re: Comments on "practical deployments" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit David B. Nelson wrote: >> If the only way to obtain network access is via EAP, then you have a >> bootstrapping problem. Once the users have signed up, everything is >> great. The users who *haven't* signed up are shut out. Permanently. > > So, this is really an enrollment issue, not an authentication issue? No. Think of roaming, which I've been spending a lot of time on lately. If authentication is required for any IP-based network access, then how do roaming users know that they can authenticate using the local network? Pre-provisioning devices with roaming knowledge doesn't scale, and it doesn't handle dynamic networks. 802.11af doesn't scale either, and isn't designed to scale. When the user doesn't have any network access, they can't determine whether or not authentication is possible. They can't determine which authentication credentials to use. So requiring authentication means *forbidding* network access to a large class of users who could *potentially* obtain network access. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 16:25:17 +0000 From: "David B. Nelson" To: Subject: RE: Comments on "practical deployments" Date: Thu, 27 Dec 2007 11:22:25 -0500 Organization: Elbrys Networks, Inc. Message-ID: <002d01c848a4$aae0ba30$5d1216ac@xpsuperdvd2> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Thread-Index: AchIRN4GACFo3G70QmeG9a8ddUK70wAX1arg Alan DeKok writes... > Plus, most RADIUS interconnects are now done over Ipsec, which helps > with the underlying reliability. I'm surprised to hear that (IPsec usage). Is this in selected topologies or deployment scenarios? If IPsec were really used for most RADIUS transmissions, wouldn't we have already solved the Crypto-Agility problem? :-) -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 16:21:46 +0000 From: "David B. Nelson" To: Subject: RE: Comments on "practical deployments" Date: Thu, 27 Dec 2007 11:18:10 -0500 Organization: Elbrys Networks, Inc. Message-ID: <002c01c848a4$12f10180$5d1216ac@xpsuperdvd2> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Thread-Index: AchIQ9X6kcwWfPT/QyOn0U83uBGF3AAYA2KA Alan DeKok writes... > A customer wants to buy access. Right now in WiFi hotspots, they > connect to a walled garden, and type in credit card details. Once > payment has been processed, they obtain network access. > > If the only way to obtain network access is via EAP, then you have a > bootstrapping problem. Once the users have signed up, everything is > great. The users who *haven't* signed up are shut out. Permanently. So, this is really an enrollment issue, not an authentication issue? -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 10:26:17 +0000 Message-ID: <47737D1C.5050208@nitros9.org> Date: Thu, 27 Dec 2007 11:23:24 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Bernard_Aboba@hotmail.com CC: radiusext@ops.ietf.org Subject: Re: E2E and crypto-agility Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Bernard_Aboba@hotmail.com wrote: >> What is "end to end" ? > > I think it means something like "protection of RADIUS attributes from > disclosure to parties other than the NAS and home server". OK. I just wanted to be sure. > In the AAA WG there were a number of mechanisms investigated by > which a NAS and home server could derive a key that could be > used to protect attributes from disclosure to proxies. These methods > included Kerberos and CMS. For example, see: > http://www.watersprings.org/pub/id/draft-kaushik-radius-sec-ext-06.txt i.e. The NAS somehow knows a realm, knows how to talk to a server for that realm, and can obtain a secret key for that realm. > So I think the question is not "can it be done?" but rather "how does > this relate to RADIUS crypto-agility?" and > "should solving this problem be a requirement?" I would say that it is a problem we should try to solve. I'm not sure how much it affects crypto-agility. Back to my earlier question about "end to end", I think the only ends that matter are the end user and home server. The NAS is in contact with both, and can leverage it's relationship with the end user to do things that are normally impossible in RADIUS. If we assume that the end user and home RADIUS server can independently derive keying material, then the server can supply keying material to the NAS, and the end user can do the same. The NAS can then derive keying material, without it being exposed to anyone else. e.g. RADIUS, end-user: derive K', K'' RADIUS -> NAS: E = ENC(K') (using key K'') end-user -> NAS: K'' If we assume that each RADIUS hop also encrypts E using the Tunnel-Password method: T = tunnel_encrypt(per-hop-secret, E) Then we have the following properties: - no RADIUS proxy knows K' (they only know E) - The NAS can derive K' from E and K'' - an attacker watching RADIUS only knows T - an attacker watching the end-user traffic only knows K'' - an attacker watching *both* RADIUS and supplicant traffic knows T and K'', which is insufficient to derive K' - any intermediary RADIUS proxy that handles tunnel-password encryption can transport E. For EAP-TLS based methods, the TLS master session key can be used to derive keying material. We would need to define one new RADIUS attribute to transport the keying material E, and update EAPoL to transport K''. This capability could be negotiated between the NAS and supplicant, and advertised to the home RADIUS server by the supplicant, inside of the TLS tunnel. So far as crypto-agility goes, this method needs to be extensible to multiple key sizes, encryption methods, authentication hashes, etc. But it's independent of transport proposals such as DTLS or TLS. (insert standard disclaimer here: this proposal has not been vetted by a crypto expert) Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 05:49:09 +0000 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 21:47:35 -0800 Message-ID: Thread-Topic: Questions on modified Extended Attribute format? Thread-Index: AchH8+QgyomKZ9OBSR2hHFBZMYNg5QABjGnQAAGsRgAAAt9pkAAPrF/w From: "Matt Holdrege" To: "Glen Zorn" Cc: , "Alan DeKok" No kidding. I think my first RADIUS WG meeting was almost 12 years ago = at IETF 35. Take a look at = http://www3.ietf.org/proceedings/96mar/area.and.wg.reports/ops/radius/rad= ius.html and read the minutes. You might laugh at the irony, or more likely cry. Are the current AD's = aware of the history here? -Matt -----Original Message----- From: Glen Zorn [mailto:glenzorn@comcast.net]=20 Sent: Wednesday, December 26, 2007 11:12 PM To: Matt Holdrege Cc: radiusext@ops.ietf.org; 'Alan DeKok' Subject: RE: Questions on modified Extended Attribute format? Glen, Didn't you say this same exact thing here a year or two ago? Or am I stuck in a time warp? Or is this group stuck in a time warp? [gwz] Plus =E7a change, plus c'est la m=EAme chose... [/gwz] -Matt (I'll go back into my hole now) -----Original Message----- From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Glen Zorn Sent: Wednesday, December 26, 2007 9:06 PM To: 'Alan DeKok' Cc: radiusext@ops.ietf.org Subject: RE: Questions on modified Extended Attribute format? [gwz]=20 I understand, & sympathize; I think that it's important to remember that a major reason that we ended up in the position of having multiple external SDOs defining their own mutually incompatible VSAs is that we (the IETF) refused to address RADIUS' problems in a useful and meaningful way. We have an opportunity now to ameliorate if not solve that problem; I don't think that we should pass it up. [/gwz] -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 04:54:03 +0000 Message-ID: <47732F83.1000907@nitros9.org> Date: Thu, 27 Dec 2007 05:52:19 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Bernard Aboba CC: radiusext@ops.ietf.org Subject: Re: Comments on "practical deployments" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Bernard Aboba wrote: > It will be interesting to see how well it works. I have previously been > involved in a number of > inter-domain roaming trials. When the RADIUS traffic was routed through > an exchange point, > the results were not very promising. With packet loss rates of 1-5%, I'll track the tests, and see if we can do some measurements under load. For existing (non-EAP) proxies, I don't recall seeing loss rates that high. I'll go check, but I think latencies and loss have decreased, while bandwidth has increased in the net. Plus, most RADIUS interconnects are now done over Ipsec, which helps with the underlying reliability. > RADIUS retransmissions > were pretty common and this would often lead to EAP retransmissions. > The overall > authentication times could get pretty long and sometimes authentication > wouldn't complete > at all. Most of the carriers we worked with ended up deploying web > portals instead :( WiMAX is standardizing on EAP for authentication. Discussions are underway to design a standard interconnect architecture. So this appears to be less of a problem now. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 04:50:23 +0000 Message-ID: <47732E9D.4030803@nitros9.org> Date: Thu, 27 Dec 2007 05:48:29 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Glen Zorn CC: radiusext@ops.ietf.org Subject: Re: Questions on modified Extended Attribute format? Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Glen Zorn wrote: > I understand, & sympathize; I think that it's important to remember that a > major reason that we ended up in the position of having multiple external > SDOs defining their own mutually incompatible VSAs is that we (the IETF) > refused to address RADIUS' problems in a useful and meaningful way. We have > an opportunity now to ameliorate if not solve that problem; I don't think > that we should pass it up. If we're going to re-design the attribute format from scratch again, I'd like to know what we've accomplished in the past year. There were proposals that were ugly, but solved almost all of the concerns that were raised. This includes the ability to group legacy RADIUS attributes in a "new" format. The one show-stopper I see is putting standard RADIUS attributes into a VSA. If this has *zero* impact on implementations that don't understand the new format, then it would be acceptable. Otherwise, it's an incompatible change to RADIUS. If we can't put standard attributes into the new format, then we should just pick a better format, and ideally one that's been deployed. The WiMAX format (plus grouping) seems to fit that definition fairly well. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 04:46:15 +0000 Message-ID: <47732D87.5030501@nitros9.org> Date: Thu, 27 Dec 2007 05:43:51 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: Bernard Aboba CC: radiusext@ops.ietf.org Subject: Re: Comments on "practical deployments" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Bernard Aboba wrote: > Is this the Fixed Mobile Covergence Alliance? Yes. I've been advising on the interconnect. >> Yes. In fact, the use of EAP *prevents* a large number of business >> models for network access. > > Could you expand on the problems? A customer wants to buy access. Right now in WiFi hotspots, they connect to a walled garden, and type in credit card details. Once payment has been processed, they obtain network access. If the only way to obtain network access is via EAP, then you have a bootstrapping problem. Once the users have signed up, everything is great. The users who *haven't* signed up are shut out. Permanently. The issue is less EAP than EAPoL. Without a real network connection, it's impossible for a client machine to do much of anything. EAP could be used in a walled garden if PANA was widely deployed, for example. Alan DeKok. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Thu, 27 Dec 2007 03:00:21 +0000 From: "David B. Nelson" To: Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 21:58:54 -0500 Message-ID: <047101c84834$6add33c0$031716ac@NEWTON603> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Thread-index: AchH6bKi6mr7v9FDS/emyMiHMVqnKAASb4ug Bernard Aboba writes... > > WiMAX uses the same attribute format as proposed here. Changes that > > are incompatible with WiMAX should be discouraged. > > I would agree. If the extensions remain compatible with WiMAX then > the amount of code duplication will be minimized. I'm not so sure that I agree. We should do what's right for the RADIUS community. If that happens to be compatible with WiMAX, then great. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Wed, 26 Dec 2007 22:13:40 +0000 From: "Glen Zorn" To: "'Matt Holdrege'" Cc: , "'Alan DeKok'" Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 14:12:11 -0800 Message-ID: <00af01c8480c$5d526ef0$17f74cd0$@net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Thread-Index: AchH8+QgyomKZ9OBSR2hHFBZMYNg5QABjGnQAAGsRgAAAt9pkA== Content-Language: en-us Glen, Didn't you say this same exact thing here a year or two ago? Or am I stuck in a time warp? Or is this group stuck in a time warp? [gwz] Plus =E7a change, plus c'est la m=EAme chose... [/gwz] -Matt (I'll go back into my hole now) -----Original Message----- From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Glen Zorn Sent: Wednesday, December 26, 2007 9:06 PM To: 'Alan DeKok' Cc: radiusext@ops.ietf.org Subject: RE: Questions on modified Extended Attribute format? [gwz]=20 I understand, & sympathize; I think that it's important to remember that a major reason that we ended up in the position of having multiple external SDOs defining their own mutually incompatible VSAs is that we (the IETF) refused to address RADIUS' problems in a useful and meaningful way. We have an opportunity now to ameliorate if not solve that problem; I don't think that we should pass it up. [/gwz] -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Wed, 26 Dec 2007 20:52:17 +0000 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Subject: RE: Questions on modified Extended Attribute format? Date: Wed, 26 Dec 2007 12:51:25 -0800 Message-ID: Thread-Topic: Questions on modified Extended Attribute format? Thread-Index: AchH8+QgyomKZ9OBSR2hHFBZMYNg5QABjGnQAAGsRgA= From: "Matt Holdrege" To: "Glen Zorn" , "Alan DeKok" Cc: Glen, Didn't you say this same exact thing here a year or two ago? Or am I stuck in a time warp? Or is this group stuck in a time warp? -Matt (I'll go back into my hole now) -----Original Message----- From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Glen Zorn Sent: Wednesday, December 26, 2007 9:06 PM To: 'Alan DeKok' Cc: radiusext@ops.ietf.org Subject: RE: Questions on modified Extended Attribute format? [gwz]=20 I understand, & sympathize; I think that it's important to remember that a major reason that we ended up in the position of having multiple external SDOs defining their own mutually incompatible VSAs is that we (the IETF) refused to address RADIUS' problems in a useful and meaningful way. We have an opportunity now to ameliorate if not solve that problem; I don't think that we should pass it up. [/gwz] -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Wed, 26 Dec 2007 20:35:34 +0000 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Subject: RE: Comments on "practical deployments" Date: Wed, 26 Dec 2007 21:34:24 +0100 Message-ID: <59D7431DE2527D4CB0F1EFEDA5683ED3024F9F17@SEHAN021MB.tcad.telia.se> Thread-Topic: Comments on "practical deployments" Thread-Index: AchH+sS7oemdAUhtTMa/Bsc3AOaVBwAAgeqg From: To: , Cc: Hi, > > > While proxies are widely used today to facilitate inter-domain=20 > > > roaming, as far as I know, the combination of=20 > inter-domain roaming=20 > > > and EAP is very rare. GSMA trialed (with a number of hotspot & GSM operators mainly in Europe & Asia) EAP-based 802.11 roaming few years ago. This concentrated mainly on EAP-SIM and EAP-AKA. > > The FMCA is trialling exactly this. >=20 > Is this the Fixed Mobile Covergence Alliance? =20 Yes. [snip] > >> For example, the vast majority of all IEEE 802.11 hotspot=20 > deployments=20 > >> use Web-based access (e.g. UAM), not EAP. > >=20 > > Yes. In fact, the use of EAP *prevents* a large number of business=20 > > models for network access. >=20 > Could you expand on the problems? >=20 > > UMA leverages EAP and RADIUS, but it's buried deep in the network. >=20 > Yup. Doesn't seem like this would require inter-domain proxies. In the existing specs for 3GPP GAN (i.e. the current UMA) inter-operator roaming is defined and reuses in a carbon-copy fashion 3GPP Interworking WLAN EAP-based RADIUS roaming interface. However, operator business models typically do not favor deployments where GAN would need inter-operator RADIUS interface.. at least I am not aware of any such deployments. Jouni >=20 >=20 -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: Envelope-to: radiusext-data@psg.com Delivery-date: Wed, 26 Dec 2007 20:18:32 +0000 Message-ID: Content-Type: multipart/alternative; boundary="_6dd47e72-f355-459e-9cd1-8663ebd42293_" From: Bernard Aboba