
Re: Issue: Attribute concatenation/splitting



Rajith R <rajithr@huawei.com> wrote:
> In a RADIUS packet, there are 2 successive NAS-Filter-Rule attributes of
> length 255 & 50 respectively. How do you determine they are 2 separate
> attributes or a single attribute split?

  If one rule can span multiple NAS-Filter-Rule attributes, then it
needs a "terminate this rule" that is independent of "terminate this
attribute".  A CR, LF, or combination can do that, in which case the
problem of attributes of length 2 doesn't exist, because the packing
methods prohibit it.

  If one rule cannot span multiple NAS-Filter-Rule attributes, then
there is no problem, because an attribute of length 255 has no special
meaning.

  On the other hand, if one rule can span multiple NAS-Filter-Rule
attributes, then you might as well give up on trying to match rules to
attributes.  Pack all of the rules together in one long string, and
then chop the string every 253 bytes to encode it into NAS-Filter-Rule
attributes.  So there will be no special meaning for attributes of
length 255, so there will be no problem.

  With this last method, we would presume that any implementation that
needs to be able to add/delete rules would know about the packing
methods, and be able to unpack/add/pack the rules into attributes.
This would tend to break backwards compatibility with older RADIUS
servers, so they wouldn't be able to edit the rules, though.

  Alan DeKok.

--
archive: <http://psg.com/lists/radiusext/>
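
The "pack everything, chop every 253 bytes" method described in the message above, as an added example that is not part of the original post or of any RADIUS implementation. It assumes LF as the rule terminator; the function names are hypothetical, and the attribute type 92 is the NAS-Filter-Rule number from RFC 4849.

```python
NAS_FILTER_RULE = 92  # attribute type assigned to NAS-Filter-Rule in RFC 4849
MAX_VALUE = 253       # 255-octet attribute minus the Type and Length octets
TERMINATOR = b"\n"    # assumption: LF ends each rule (the post allows CR, LF or both)

def pack_rules(rules):
    """Join terminated rules into one string and chop it every 253 bytes."""
    for rule in rules:
        if not rule or TERMINATOR in rule:
            raise ValueError("rule is empty or contains the terminator")
    blob = b"".join(rule + TERMINATOR for rule in rules)
    out = bytearray()
    for off in range(0, len(blob), MAX_VALUE):
        chunk = blob[off:off + MAX_VALUE]
        out += bytes([NAS_FILTER_RULE, len(chunk) + 2]) + chunk
    return bytes(out)

def attr_lengths(attrs):
    """Return the Length octet of each attribute, validating the TLV framing."""
    lengths, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2 or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        lengths.append(attrs[i + 1])
        i += attrs[i + 1]
    return lengths

def unpack_rules(attrs):
    """Concatenate NAS-Filter-Rule values in packet order, then split on LF."""
    blob, i = bytearray(), 0
    for alen in attr_lengths(attrs):
        if attrs[i] == NAS_FILTER_RULE:  # other attribute types are skipped
            blob += attrs[i + 2:i + alen]
        i += alen
    if blob and not blob.endswith(TERMINATOR):
        raise ValueError("last rule is unterminated; an attribute is missing")
    return [bytes(r) for r in blob.split(TERMINATOR)[:-1]]

if __name__ == "__main__":
    # Constructed sample rules, not taken from the thread.
    rules = [b"permit in tcp from any to 192.0.2.%d 80" % n for n in range(1, 9)]
    packed = pack_rules(rules)
    print(attr_lengths(packed))
    assert unpack_rules(packed) == rules
```

Because rule boundaries come only from the terminator, an attribute of length 255 followed by one of length 50 decodes the same way whether the boundary falls inside a rule or between two rules.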