Re: Issue 38: Ordering of filter attributes

["Alan DeKok" <aland@ox.org>]

Bernard Aboba <aboba@internaut.com> wrote:
> Rationale/Explanation of issue:
> Section 2.7 does not state that NAS-Filter-Rule attributes shouldn't
> be reordered by RADIUS proxies. Since reordering can change the
> meaning of filter lists, reordering cannot be allowed.

  RFC 2865, Section 2.3 "Proxy", page 10:

---
   We now examine each step in more detail.
   ...
      ...                                             The forwarding
      server MUST NOT change the order of any attributes of the same
      type, including Proxy-State.
---

  Is this not already covered in the base RADIUS spec?

  I'm not opposing the idea that the text be included, though.  Maybe
a re-emphasis of RFC 2865 would be useful:

  "As per the requirements of RFC 2865, Section 2.3, if multiple
   NAS-Filter-Rule attributes are contained within an Access-Request
   or Access-Accept packet, they MUST be maintained in order.  The
   attributes MUST be consecutive attributes in the packet. RADIUS
   proxies MUST NOT reorder NAS-Filter-Rule attributes."

  The requirement that the attributes must be consecutive is not
covered by the general comments on attributes in RFC 2865, and should
be in a separate sentence from the ordering requirement.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>