Re: Scope of applicability for CUI



> Alan DeKok wrote:
> 
> >  User-Name is a token by which the NAS establishes the
> >"identity" of a user within a session.
> >
> >  Class is one or more tokens by which each proxying RADIUS server
> >establishes its own view of the "identity" of a session.

I beg to differ.  Class is simply an octet string sent, via a meandering
route, from the sender of an Access-Accept to the receiver of an
Accounting-Request.  Any interpretation of the octets is strictly up
to those two parties, and no other characterization of Class can be made.

> >  CUI is proposed to be a token by which the home server establishes
> >its own view of the "identity" of a session.  (If I interpret the
> >proposal correctly.)

CUI is indeed assigned by the home server, but has nothing to do with
a specific session, but rather with the user of the session.  CUI would
be useless if there were not a one-to-one relation between CUI and the
true user for some period of time.  Indeed, I am still somewhat nervous
about the lack of definition of how long that period should be, since
a particular server may be dealing with requests from more than one
set of clients.

The home server should be protective of its users' privacy (else
why use a non-individual User-Name?) so should want the relation
to persist for the shortest possible time.  The client networks
naturally want the CUI<->user relation to persist for as long as
possible, to ease detection of abuse.  So there will always be
something of an adversarial relationship to the process.  The current
draft leaves the negotiation of the durability of CUI to an out-of-band
process, presumably between humans.  I wonder if instead of a NUL
CUI the device demanding CUI should insert the time until which it
demands that the CUI<->user relation be unique.  That's a violation
of KISS but would make life much easier for a server dealing with
multiple client networks.  A simpleminded server could ignore the
value and just note the presence of CUI in the request, if it has
to deal with only one value of durability.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
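As an added illustration of the CUI durability question raised in the message above (this is example code written for this archive page, not code from the list, the draft, or any RADIUS implementation): a hypothetical home server keeps the CUI<->user relation one-to-one for a bounded period, and lets the device demanding CUI state the time until which it wants that relation to hold, rather than negotiating it out of band. The class and attribute names, the policy bounds, the HMAC-based derivation, and the choice to key the relation per client network (so two client networks cannot link a user's CUIs) are all assumptions of this example; a "NUL CUI" request is modelled as `requested_until=None`, which a simpleminded server treats as "presence only" and answers with its shortest lifetime.

```python
"""Hypothetical home-server side of CUI assignment with negotiated durability.

Added example for this archive page; names, policy values and the derivation
scheme are assumptions, not anything specified by the draft under discussion.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class CuiPolicy:
    # Shortest CUI<->user relation the home server will honour (privacy floor
    # for the client's abuse-detection needs) and the longest it will tolerate.
    min_lifetime: int  # seconds
    max_lifetime: int  # seconds


@dataclass
class HomeServer:
    secret: bytes
    policy: CuiPolicy
    # (true user, client network) -> (current CUI, unix time it stays unique until)
    _table: Dict[Tuple[str, str], Tuple[str, int]] = field(default_factory=dict)

    def _derive(self, user: str, network: str, valid_from: int) -> str:
        # Keyed derivation: without the server secret nobody can map a CUI back
        # to the user, and a fresh valid_from yields an unrelated CUI.
        msg = f"{user}\x00{network}\x00{valid_from}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()[:12]
        return base64.b32encode(tag).decode().rstrip("=").lower()

    def assign_cui(
        self, user: str, network: str, now: int, requested_until: Optional[int] = None
    ) -> Tuple[str, int]:
        """Return (CUI, valid_until) for this user as seen by this client network.

        requested_until: the client's demanded durability (the proposal in the
        message above); None models a NUL CUI that merely asks for a CUI.
        """
        key = (user, network)
        entry = self._table.get(key)
        if entry is not None and entry[1] > now:
            # Relation still in force: reuse it so the client can correlate
            # sessions of the same user for abuse detection.
            return entry
        # Privacy default is the shortest lifetime; a client request is honoured
        # only within the policy bounds.
        lifetime = self.policy.min_lifetime
        if requested_until is not None:
            lifetime = min(max(requested_until - now, self.policy.min_lifetime),
                           self.policy.max_lifetime)
        cui = self._derive(user, network, now)
        self._table[key] = (cui, now + lifetime)
        return self._table[key]


def sessions_per_cui(accounting_records: list) -> Dict[str, int]:
    """Client-network view: count Accounting-Requests per CUI to spot abuse.

    accounting_records is a constructed list of (cui, session_id) tuples.
    """
    counts: Dict[str, int] = {}
    for cui, _session in accounting_records:
        counts[cui] = counts.get(cui, 0) + 1
    return counts


if __name__ == "__main__":
    srv = HomeServer(secret=b"example-secret", policy=CuiPolicy(3600, 86400))
    # Constructed requests: two sessions inside the window, one after it.
    c1, until = srv.assign_cui("alice@example.net", "hotspot-a", now=1000)
    c2, _ = srv.assign_cui("alice@example.net", "hotspot-a", now=2000)
    c3, _ = srv.assign_cui("alice@example.net", "hotspot-a", now=until + 1)
    records = [(c1, "s1"), (c2, "s2"), (c3, "s3")]
    print(sessions_per_cui(records))  # two sessions share c1, one has a new CUI
```

A server that ignores the requested value behaves as `requested_until=None` everywhere, which is exactly the "simpleminded" fallback the message allows for; the point of keying the table on the client network is that the same user seen through two client networks gets two unrelated CUIs, so the home server's privacy goal survives even when one of those networks keeps its logs for a long time.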