[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Issue 224: RFC 3576bis and Renumbering

To: avi@bridgewatersystems.com, radiusext@ops.ietf.org
Subject: RE: Issue 224: RFC 3576bis and Renumbering
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
Date: Sun, 25 Mar 2007 09:52:46 -0700
Bcc:
In-reply-to: <E7CCE8A83907104ABEE91AC3AE3709A011687E@exchange.bridgewatersys.com>

First in response to Framed-IP, Framed-IPv6 etc
Framed-IP-Address and the other attributes are very valid sessionidentifier and I dont think we should >remove from them sessionidentification.

Are you actually using Framed-IP-Address and/orFramed-IPv6-Prefix/Framed-Interface-Id this way?

The other attributes used for session identification are not as good. Forexample, if identity hiding is >used User-Name is not useable as a sessionidentifier.


Right.  There could be 10 "anonymous" users on the same NAS.

Accounting-Session ID is also poor because accounting session ids canchange without >reauthentication.


Can you explain this more?

NAS-Port ???  I am not sure if that is used.

It seems harmless though, since this is not an attribute that could bechanged in a CoA-Request.

Also Framed-IP is used to identify an IP-Session of the a user. A user canhave several IP sessions: >serveral IPv4 sessions and IPv6 sessions allassociated with the same authentication. We may want to >specificallytarget the COA to an IP session and thus we need the IP address attributesto achieve >that.

OK.

Therefore, I think there needs to be a scheme where we can use anattribute both for session >identification and also to change the value ofthat attribute. I can propose two approaches:
-Where we have a session identification attribute, if we want to modifythat session identification >attribute then we can send two values: thefirst value identifies the session and the next value will >change thevalue.
-A more explicit method is to introduce new attributes such asNew-Framed-IP-Address.

This seems like the kind of problem that Service-Type="Authorize-Only" ishelpful in solving. Just identify the session (you can useFramed-IPv6-Prefix/Framed-Interface-Id) and then send a newFramed-IPv6-Prefix attribute in response to the Access-Request.

The second point I want to make speaks to your statement that states thatonly attributes that appear >in the table can appear in a COA message.This is not good because as we see, everytime someone >creates a newattribute then we would have to bis 3576 again. Which is bad.


Right.

Perhaps we can put some text that says that future attributes may beallowed in COA messages. And >it would be up to those specific RFCs tospec. that their attributes can go into the COA message.


Yes, we should say that.

Delegated Prefix should have done that.

It did, actually. The document states that it is legal for inclusion in aCoA-Request.

My final point, as you are adding Delegated Prefix to 3576. We should alsoadd CUI to 3576. It can >be an excellent user identification attributeespecially when User-Name does not work.


Thanks.  I had forgotten about that.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- RE: Issue 224: RFC 3576bis and Renumbering
  - From: "Avi Lior" <avi@bridgewatersystems.com>

References:
- RE: Issue 224: RFC 3576bis and Renumbering
  - From: "Avi Lior" <avi@bridgewatersystems.com>

Prev by Date: RE: Issue 224: RFC 3576bis and Renumbering
Next by Date: RE: Issue 224: RFC 3576bis and Renumbering
Previous by thread: RE: Issue 224: RFC 3576bis and Renumbering
Next by thread: RE: Issue 224: RFC 3576bis and Renumbering
Index(es):
- Date
- Thread