[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Issue 37: Merging of Filter Attributes



Nelson, David <> supposedly scribbled:

> Bernard Aboba writes...
> 
>> RFC 2865 doesn't have much to say on this subject, other than
that
>> zero or more instances of Filter-Id can be included in an
>> Access-Accept.
> 
> That is why this subject might be fodder for the Issues and Fixes
> document.  To clarify, or at least highlight, an inadequate
> specification in RFC 2865 of what to do with multiple instances of
> Filter-ID.   

I think that inadequacy is in the eye of the beholder: as with
"terrorists" and "freedom-fighters", one man's inadequacy is
another's flexibility...

> 
>> In my experience, implementations merge the filters in the order
they
>> are specified.  But perhaps there are implementations that do not
do
>> this?
> 
> We have implementations that treat multiple instances as Filter-ID
as
> alternative filters, rather than cumulative filters.  The first
> Filter-ID attribute having a name matching a locally defined
filter
> is used.  The remaining ones are ignored.   

Seems perfectly reasonable to me, and much simpler than the merging
approach.  For example, suppose that 2 Filter-ID attributes identify
actual filters which are self-contradictory?  This might not be a
matter of misconfiguration, just of a Filter-ID having different
meanings on different devices (switch vs. AP, for example.

> 
> In the absence of guidance to the contrary, this is a permissible
> interpretation, and I presume there might be others. 

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by
simply
  listening to John Coltrane? -- Henry Gabriel

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>