
Re: Subtypes



Avi Lior <avi@bridgewatersystems.com> wrote:
> Okay so are you (David Nelson) going to ask the Sterman draft to flatten
> their attribute?

  As an implementor, my response is "Yes, please."

  Having packed attributes is irritating.  VSA's are packed solely for
namespace considerations.  They are logically in the same "flat"
attribute space as all other RADIUS attributes.

  Having "grouped" attributes (other than tags) significantly changes
the RADIUS model, in my opinion.  Even the RFC 2867/2868 tagged
attributes are a pain.  (See recent posts to full-disclosure for an
example.)

> RADIUS already has the machinery for coding/decoding subtypes.  What is the
> problem? 

  It's specific to VSA's, and therefore magic.  If the group decides
to have multiple "sub-type" attributes, then the implementations can
be updated to generalize the processing of those attributes.  Right
now, I can say from experience that implementing the Sterman draft was
minorly annoying, because of the "magic" nature of the sub-types.  I
was unwilling to re-architect the server in order to support sub-types
for one special attribute.

> We use the scheme that the top level attribute is a string that contains
> subTLVs.  A RADIUS server that is not interested in that attribute will see
> a string.  This is exactly what sterman does.

  The same argument can be applied to any unknown attribute, tagged,
sub-typed, or other.

  The benefit with re-using the existing attribute structure is that
intermediate RADIUS servers can filter new attributes through simple
dictionary updates.  They may not be able to *process* such a request,
but they can *catch* it.

  With new attributes having sub-types, it's often impossible for any
intermediate server to do *anything* with the attribute, other than
blindly forward it.  This can significantly increase the cost of
adoption.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>