[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Location draft issues raised today



I agree that it would support the packing as it is, but I think the
overriding criterium is whether or not the server wants access to
individual members in order to apply administrator defined policy.

In this particular case, the question is whether the RADIUS server would need to define policy based on the individual geospatial and civil location elements.

For geospatial location, this would be equivalent to asking whether the RADIUS server would need to parse the geospatial data, or would just pass it to a location module for the authorization decision. If we are talking about determining whether the geospatial location is within a well defined boundary (e.g. a manufacturing plant), then I suspect that a special module would make that determination, not a standard RADIUS server policy engine. While it is possible that the RADIUS server would want to ask questions like "Is the client above or below the equator?" I suspect that this will be relatively rare. So there seems to be a plausible argument that Geospatial location need not be parsed by the RADIUS server.

However, I do not think that this argument is as convincing for civil location. For example, could RADIUS server policy depend on the country or state that the user is accessing the network from? This seems somewhat likely.

I am hesitant to make gratuitous changes to existing location data
structures just to satisfy RADIUS historical practices.  Doing so
would affect interoperability and implementation.  It would make
location-based systems harder to implement, because of the pointless
translation from location structures to RADIUS-friendly structures.

The location structures used in this document are largely derived from RFC 3825 (Geospatial) and draft-ietf-geopriv-dhcp-civil-09.txt. However, in those documents, the DHCP server is providing data to the client, and therefore the policy issues discussed above did not come up. Rather the issue was only the creation of UI for the administrator to enter the data.

However, there are substantial issues with attempting to allocate a single RADIUS attribute for each Civil Address type (CAtype) described in draft-ietf-geopriv-dhcp-civil-09.txt:

a. It is possible for the attribute to refer to the NAS or user location, and therefore it is possible for both locations to be communicated in the same message. This implies that separating the elements would require a tagging format to be used.

b. There are a considerable number of CAtype values. Aside from Country Code, there are 39 values allocated, with allocation of up to 254 value possible (the value 255 is reserved). Therefore allocating CAtype values out of the standard RADIUS attribute space would in practice be difficult, because separate CAtype and RADIUS type allocations would be needed for each new value. Also, the CAtype allocation collides with existing RADIUS type allocations defined in RFC 3575. Therefore it is not clear to me that mapping the CAtype into the RADIUS type space is a good idea.

Given this, my conclusions are as follows:

a. Civil and Geospatial location should *not* be encoded in the same attribute. b. Civil location should not be encoded as separate standard RADIUS attributes; it is not even clear to me that a Diameter-compatible format (with grouping) would work well for this.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>