
RE: Comments on draft-carroll-dynmobileip-cdma-04.txt



Frank,

Good argument.  And thanks for bringing this out.  Not sure about the first
part, that is, finding an explicit statement about dropping the connection.
However, your second point is pretty solid.

So the text proposed:
       This document specifies
       returning an attribute in an Access-Reject message. According to
       RFC 2865 an Access-Reject packet MAY only include Reply-Message
       and Proxy-State attributes.  Subsequent RFCs allow for other
       attributes to be included in an Access-Reject packet, but these
       are included to indicate the reason the authentication/authorization
       has failed.  It is a normative requirement of RFC 2865 that receipt
       of an Access-Reject at the NAS terminate the session of the attached
       network host.  

Is clearly wrong!!!


The conclusion I draw from that is that Access-Reject means that the NAS is
not authorized to give access to the internet (the service requested in the
Access-Request).
It does NOT mean that the client can't continue talking with the NAS if the
NAS so chooses.  In other words, if for example there is a PPP session
between the client and the NAS, that PPP session is not dropped etc...

So perhaps rewording the IESG note to only indicate that the document is
including a VSA in an Access-Reject.  

A note to us in the IETF: we need to allow VSAs in an Access-Reject message.
There is no reason not to allow this attribute in an Access-Reject.
 
BTW, in re-reading RFC 2869 I found a bug:

Section 2.3.2 states:

" This can be accomplished by inclusion of
   Session-Timeout and Password-Retry attributes within the Access-
   Challenge packet."
Yet in the table of attributes Password-Retry is listed as:

Request  Accept  Reject  Challenge   #    Attribute
0        0       0-1     0           75   Password-Retry 

> -----Original Message-----
> From: Frank Quick [mailto:fquick@qualcomm.com] 
> Sent: Monday, March 07, 2005 2:20 PM
> To: W. Mark Townsley; gwz@cisco.com
> Cc: 'Jari Arkko'; 'Nelson, David'; 'Barney Wolff'; 'Avi 
> Lior'; 'Thomas Narten'; 'Carroll, Christopher P.'; 
> gerry.flynn@verizonwireless.com; radiusext@ops.ietf.org
> Subject: Re: Comments on draft-carroll-dynmobileip-cdma-04.txt
> 
> 
> I expect many of the participants in this thread are busy at IETF, but I
> will continue it anyway, expecting delays in some responses.
> 
> Looking at 2865 and 2869 this weekend:  I could not find any explicit
> statement in 2865 that says the client MUST drop the connection when an
> Access-Reject is received.  Perhaps this is something that was articulated
> later?
> 
> In 2869, furthermore, there is a Password-Retry attribute whose purpose is:
> 
>        This attribute MAY be included in an Access-Reject to indicate how
>        many authentication attempts a user may be allowed to attempt
>        before being disconnected.
> 
> I don't see how this is fundamentally different from what we do in DMU.
> 
> If there is no explicit requirement in 2865, then the proposed disclaimer
> language would be in error, since the only 2865 noncompliance would be with
> the prohibition of VSA in Access-Reject.
> 
> 
> Frank Quick
> office   +1-858-658-3608 fax +1-858-651-1940
> portable +1-619-890-5749
> paging   fquick@pager.qualcomm.com
> RSA: 29EA D619 31F2 B4D3  8815 3D59 4340 FA43
> D-H: 2A24 131C D38F 12E6 4D6A  46EE 8BBF B50A 754E F63D
> 

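The attribute-occurrence point argued above (Reply-Message and Proxy-State are the only RFC 2865 attributes permitted in an Access-Reject, Vendor-Specific is listed as 0 there, and RFC 2869 adds Password-Retry as 0-1) can be turned into a mechanical check. The following is an added example, not code from the draft, the list or either poster: a minimal RADIUS packet parser plus a validator that counts the attributes in an Access-Reject and reports anything the RFC 2865/2869 tables do not allow. Assumptions: the table below also carries EAP-Message (0+) and Message-Authenticator (0-1) from RFC 2869; the sample packet is constructed here, its authenticator is left zeroed (no signing is attempted), and vendor ID 32473 is the IANA enterprise number reserved for documentation (RFC 5612), not the vendor in the draft.

```python
"""Validate the attributes carried in a RADIUS Access-Reject.

Added example, not code from draft-carroll-dynmobileip-cdma or the thread.
Occurrence limits are taken from the RFC 2865 and RFC 2869 attribute tables;
everything else in this file (sample packet, vendor ID 32473) is constructed.
"""
import struct

ACCESS_REJECT = 3

REPLY_MESSAGE = 18
VENDOR_SPECIFIC = 26
PROXY_STATE = 33
PASSWORD_RETRY = 75
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80

ATTR_NAMES = {
    REPLY_MESSAGE: "Reply-Message",
    VENDOR_SPECIFIC: "Vendor-Specific",
    PROXY_STATE: "Proxy-State",
    PASSWORD_RETRY: "Password-Retry",
    EAP_MESSAGE: "EAP-Message",
    MESSAGE_AUTHENTICATOR: "Message-Authenticator",
}

# Maximum occurrences of each attribute in an Access-Reject.  None means
# "0+"; a type missing from this dict is "0" in the tables (this is where
# Vendor-Specific sits in RFC 2865, which is the whole dispute above).
ACCESS_REJECT_MAX = {
    REPLY_MESSAGE: None,        # RFC 2865: 0+
    PROXY_STATE: None,          # RFC 2865: 0+
    PASSWORD_RETRY: 1,          # RFC 2869: 0-1
    EAP_MESSAGE: None,          # RFC 2869: 0+
    MESSAGE_AUTHENTICATOR: 1,   # RFC 2869: 0-1
}

HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

DOC_VENDOR_ID = 32473  # enterprise number reserved for documentation (RFC 5612)


def parse_radius(packet):
    """Return (code, identifier, [(type, value), ...]); ValueError on malformed input."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length, _authenticator = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("Length field %d inconsistent with %d received bytes" % (length, len(packet)))
    attrs = []
    pos = HEADER.size
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute type %d has bad length %d" % (atype, alen))
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, attrs


def build_radius(code, identifier, authenticator, attrs):
    """Serialize (type, value) pairs into a RADIUS packet; no authenticator computation."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    return HEADER.pack(code, identifier, HEADER.size + len(body), authenticator) + body


def vsa(vendor_id, vendor_type, value):
    """Encode the Value field of a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    return struct.pack("!I", vendor_id) + bytes([vendor_type, 2 + len(value)]) + value


def check_access_reject(packet):
    """List table violations for an Access-Reject; an empty list means it conforms."""
    code, _identifier, attrs = parse_radius(packet)
    if code != ACCESS_REJECT:
        return ["packet code %d is not Access-Reject (3)" % code]
    counts = {}
    for atype, _value in attrs:
        counts[atype] = counts.get(atype, 0) + 1
    problems = []
    for atype, seen in sorted(counts.items()):
        limit = ACCESS_REJECT_MAX.get(atype, 0)
        if limit is not None and seen > limit:
            name = ATTR_NAMES.get(atype, "type %d" % atype)
            allowed = "0" if limit == 0 else "0-%d" % limit
            problems.append("%s appears %d time(s); table allows %s in Access-Reject" % (name, seen, allowed))
    return problems


def sample_reject_with_vsa():
    """Constructed Access-Reject: two permitted attributes plus the VSA the tables forbid."""
    return build_radius(ACCESS_REJECT, 7, b"\x00" * 16, [
        (REPLY_MESSAGE, b"Authentication failed"),
        (PASSWORD_RETRY, struct.pack("!I", 3)),
        (VENDOR_SPECIFIC, vsa(DOC_VENDOR_ID, 1, b"constructed-vendor-payload")),
    ])


if __name__ == "__main__":
    for problem in check_access_reject(sample_reject_with_vsa()):
        print(problem)
```

Running the module on the constructed packet reports only the Vendor-Specific attribute; Reply-Message and a single Password-Retry pass, which matches the narrower non-compliance Frank describes above. A second Password-Retry is also flagged, since RFC 2869 lists it as 0-1.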
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>