[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Inclusion of Filter-Id and NAS-Filter-Rule AVPs

To: mauricio.sanchez@hp.com, radiusext@ops.ietf.org
Subject: RE: Inclusion of Filter-Id and NAS-Filter-Rule AVPs
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
Date: Mon, 04 Dec 2006 15:35:13 -0800
Bcc:
In-reply-to: <2F2D38A4B8346F48A683750A46BAB211AAE4A0@G3W0072.americas.hpqcorp.net>

What happens in the instance that a diameter->radius gateway can'ttranslate a packet?

RFC 4005 Section 9 describes two situations in which translation may not bepossible:


"  Although the Diameter protocol is in many ways a superset of RADIUS
  functions, a number of RADIUS representations are not allowed, so
  that new capabilities can be used without the old problems.

  There are primarily two different situations that must be handled:
  one in which a RADIUS request is received that must be forwarded as a
  Diameter request, and another in which the inverse is true.  RADIUS
  does not support a peer-to-peer architecture, and server-initiated
  operations are generally not supported.  See [RADDynAuth] for an
  alternative.

  Some RADIUS attributes are encrypted.  RADIUS security and encryption
  techniques are applied on a hop-per-hop basis.  A Diameter agent will
  have to decrypt RADIUS attribute data entering the Diameter system,
  and if that information is forwarded, the agent MUST secure it by
  using Diameter specific techniques."

There must be some exception path, right?

My reading of RFC 4005 is that other than these situations, that RADIUSpackets are expected to be translatable to Diameter. RADIUS does not have amechanism to enable a NAS to indicate an error in response to anAccess-Accept, so that if RADIUS packets are not translatable it woulddifficult to communicate this to a RADIUS server. If the NAS does a silentdiscard, then no Accounting-Request is generated. That's the onlyindication that a RADIUS server will have that the attributes sent wereunacceptable.

If so, why couldn't we leave in the MUST NOT for mixture of filter-id andnas-filter-ruleattributes and have the gateway generate an error to avoid wedging bothattributes into a radius >packet?

On the Diameter side, behavior will depend on whether the gateway silentlydiscards the RADIUS packet (in which case no error would be sent to theDiameter NAS) or whether it acts as though an Access-Reject were received(in which case the Diameter equivalent of the Reject would be sent to theNAS).


BTW, here is what RFC 2119, Section 6 says about MUST and MUST NOT:

"   Imperatives of the type defined in this memo must be used with care
   and sparingly.  In particular, they MUST only be used where it is
   actually required for interoperation or to limit behavior which has
   potential for causing harm (e.g., limiting retransmisssions)  For
   example, they must not be used to try to impose a particular method
   on implementors where the method is not required for
   interoperability."

In this particular case, there does not appear to be an interoperabilityissue (in fact, the MUST NOT might create an issue), so we are left withassessing the potential for causing harm.




--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- RE: Inclusion of Filter-Id and NAS-Filter-Rule AVPs
  - From: "Sanchez, Mauricio (ProCurve)" <mauricio.sanchez@hp.com>

Prev by Date: I-D ACTION:draft-ietf-radext-filter-06.txt
Next by Date: Status of draft-yan-radext-port-type-01.txt
Previous by thread: RE: Inclusion of Filter-Id and NAS-Filter-Rule AVPs
Next by thread: Comments on draft-ietf-radext-filter-05
Index(es):
- Date
- Thread