[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Proposed Resolution to Issue 202: Diameter-RADIUS gateway behavior not spec'd

To: bernard_aboba@hotmail.com, radiusext@ops.ietf.org
Subject: RE: Proposed Resolution to Issue 202: Diameter-RADIUS gateway behavior not spec'd
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
Date: Fri, 29 Sep 2006 00:09:19 -0700
Bcc:
In-reply-to: <BAY106-F5E276ED90AFE95B63EBB493180@phx.gbl>

The complete text of Section 4 now reads as follows:

"4.  Diameter Considerations

  [RFC4005] Section 6.6 defines the NAS-Filter-Rule AVP (400) with the
  same functionality as the RADIUS NAS-Filter-Rule attribute.  In order
  to support interoperability, Diameter/RADIUS gateways will need to be
  configured to translate RADIUS attribute TBD to Diameter AVP 400 and
  vice-versa.  Where a Diameter NAS-Filter-Rule AVP contains a filter
  rule larger than 253 octets, Diameter/RADIUS gateways translate the
  AVP to multiple RADIUS NAS-Filter-Rule attributes, each with the same
  Tag field value not equal to '0' (0x30).  Similarly, when multiple
  RADIUS NAS-Filter-Rule attributes are received with the same Tag
  field value not equal to '0' (0x30), the String fields of the
  attributes are concatenated together and encoded as the value in a
  single Diameter NAS-Filter-Rule AVP.  RADIUS NAS-Filter-Rule
  attributes with a Tag field of '0' (0x30) are encoded as distinct
  Diameter NAS-Filter-Rule AVPs.

  Note that a translated Diameter message can be larger than the
  maximum RADIUS packet size (4096).  Where a Diameter/RADIUS gateway
  receives a Diameter message containing a NAS-Filter-Rule AVP that is
  too large to fit into a RADIUS packet, the Diameter/RADIUS gateway
  will respond to the originating Diameter peer with the
  DIAMETER_INVALID_AVP_LENGTH error (5014), and with a Failed-AVP AVP
  containing the NAS-Filter-Rule AVP.  Since repairing the error will
  probably require re-working the filter rules, the originating peer
  should treat the combination of a DIAMETER_INVALID_AVP_LENGTH error
  and a Failed-AVP AVP containing a NAS-Filter-Rule AVP as a terminal
  error."

From: "Bernard Aboba" <bernard_aboba@hotmail.com>
To: radiusext@ops.ietf.org

Subject: Proposed Resolution to Issue 202: Diameter-RADIUS gatewaybehavior not spec'd

Date: Thu, 28 Sep 2006 23:48:12 -0700

The text of Issue 202 is enclosed below.

The proposed resolution is as follows:

In Section 4, Change:

"Note that since a Diameter AVP can be larger than the maximum RADIUS
  packet size (4096), translation from Diameter to RADIUS may not be
  possible in all cases."

To:

"Note that a translated Diameter message can be larger than
the maximum RADIUS packet size (4096).  Where a Diameter/RADIUS
gateway receives a Diameter message containing a NAS-Filter-Rule
AVP that is too large to fit into a RADIUS packet, the
Diameter/RADIUS gateway will respond to the originating
Diameter peer with the DIAMETER_INVALID_AVP_LENGTH error (5014),
and with a Failed-AVP AVP containing the NAS-Filter-Rule AVP.
Since repairing the error will probably require re-working
the filter rules, the originating peer should treat the
combination of a DIAMETER_INVALID_AVP_LENGTH error and
a Failed-AVP AVP containing a NAS-Filter-Rule AVP as a
terminal error."


------------------------
Description of issue: Diameter-RADIUS gateway behavior not completely
specified
Submitter name: Glen Zorn
Submitter email address: gwz@cisco.com
Date first submitted: 26 Aug 06
Document: draft-ietf-radext-filter-01.txt
Comment type: T
Priority: 1
Section: 4
Rationale/Explanation of issue:

The last sentence of section 4 says
"Note that since a Diameter AVP can be larger than the maximum RADIUS
packet size (4096), translation from Diameter to RADIUS may not be
possible in all cases."  While this is true, the behavior of the
Diameter-RADIUS gateway in this case is left unspecified.  Is the
response forwarded back toward the requests' originator without the
untranslatable AVPs?  In the case of an Access-Accept message, Section
1.2 says "If a NAS conforming to this specification receives an
Access-Accept packet containing a NAS-Filter-Rule attribute which it
cannot apply, it MUST act as though it had received an Access-Reject.",
it might be reasonable for the gateway to translate the Access-Accept
into an Access-Reject, since an attribute that is missing because
untranslatable can obviously not be applied.  In the case of a CoA
message with an untranslatable attribute, should the message be
translated into a Disconnect-Request or just discarded?  Or in both
cases, should the gateway respond to the originating/responding Diameter
peer with an appropriate error (e.g., DIAMETER_INVALID_AVP_LENGTH) and
let it figure out the next step?  If so, it still seems that the peers
behavior must be specified.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>




--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Proposed Resolution to Issue 202: Diameter-RADIUS gateway behavior not spec'd
  - From: "Bernard Aboba" <bernard_aboba@hotmail.com>

Prev by Date: RADIUS attribute extension formats: Do we understand the proposals?
Next by Date: RE: Proposed Resolution to Issue 198: Attribute Concatenation/Splitting
Previous by thread: Proposed Resolution to Issue 202: Diameter-RADIUS gateway behavior not spec'd
Next by thread: RE: Proposed Resolution to Issue 202: Diameter-RADIUS gateway behavior not spec'd
Index(es):
- Date
- Thread