
Proxy State and RFC 3576bis



One of the deployment blockers with RFC 3576 is the need to modify proxies to handle routing of RFC 3576 packets. While proxies typically keep tables for downstream forwarding, they typically do not keep tables for upstream forwarding. Rather, they typically rely on the Proxy-State attribute to enable forwarding of an Access-Response back to the originating NAS.

Given this, I am wondering how RADIUS proxies should handle Proxy-State for RFC 3576 packets:

a. Do they add Proxy-State attributes to a Disconnect/CoA-Request as suggested in the current text (and as would be done for an Access-Request)?

b. Or can the RADIUS server include a Proxy-State attribute previously obtained from an Access-Request used in the original authentication within the Disconnect/CoA-Request to assist the proxy in routing the request back to the NAS? In this case, wouldn't the RADIUS proxy *remove* Proxy-State attributes from the Disconnect/CoA-Request??

FYI, here is the current text on Proxy-State in -04:

     If there are any Proxy-State Attributes in a Disconnect-Request or
     CoA-Request received from the server, the forwarding proxy or NAS
     MUST include those Proxy-State Attributes in its response to the
     server.

     A forwarding proxy or NAS MUST NOT modify existing Proxy-State,
     State, or Class Attributes present in the packet.  The forwarding
     proxy or NAS MUST treat any Proxy-State attributes already in the
     packet as opaque data.  Its operation MUST NOT depend on the
     content of Proxy-State attributes added by previous proxies.  The
     forwarding proxy MUST NOT modify any other Proxy-State Attributes
     that were in the packet; it may choose not to forward them, but it
     MUST NOT change their contents.  If the forwarding proxy omits the
     Proxy-State Attributes in the request, it MUST attach them to the
     response before sending it.

     When the proxy forwards a Disconnect or CoA-Request, it MAY add a
     Proxy-State Attribute, but it MUST NOT add more than one.  If a
     Proxy-State Attribute is added to a packet when forwarding the
     packet, the Proxy-State Attribute MUST be added after any existing
     Proxy-State attributes.  The forwarding proxy MUST NOT change the
     order of any attributes of the same type, including Proxy-State.
     Other Attributes can be placed before, after or even between the
     Proxy-State Attributes.

     When the proxy receives a response to a CoA-Request or
     Disconnect-Request, it MUST remove its own Proxy-State (the last
     Proxy-State in the packet) before forwarding the response.  Since
     Disconnect and CoA responses are authenticated on the entire packet
     contents, the stripping of the Proxy-State Attribute invalidates
     the integrity check - so the proxy needs to recompute it.



--
archive: <http://psg.com/lists/radiusext/>
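The proxy behaviour in the quoted -04 text, as an added example that is not part of the original message or the draft: the proxy appends one Proxy-State when forwarding a CoA-Request, then strips the last Proxy-State from the response and recomputes the authenticator. The function names, the separate per-hop shared secrets, the unchanged Identifier and the sample values are assumptions made for the illustration.

```python
import hashlib, hmac, struct

PROXY_STATE = 33                      # Proxy-State attribute type
COA_REQUEST, COA_ACK = 43, 44         # packet codes
ZERO = bytes(16)                      # hashed in place of the authenticator for a request

def encode(code, ident, attrs, secret, req_auth=ZERO):
    """Authenticator = MD5(Code+ID+Length+req_auth+Attributes+Secret); req_auth is
    zeros for a request and the request's authenticator for a response."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def decode(pkt, secret, req_auth=ZERO):
    """Verify the authenticator, then return (code, id, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    want = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(want, pkt[4:20]):
        raise ValueError("bad authenticator")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, attrs

def forward_request(pkt, server_secret, nas_secret, my_state):
    """Append exactly one Proxy-State after all existing attributes, re-sign for the NAS."""
    code, ident, attrs = decode(pkt, server_secret)
    return encode(code, ident, attrs + [(PROXY_STATE, my_state)], nas_secret)

def forward_response(resp, fwd_req, orig_req, nas_secret, server_secret, my_state):
    """Remove the last Proxy-State (our own), keep the rest in order, re-sign for the server."""
    code, ident, attrs = decode(resp, nas_secret, fwd_req[4:20])
    last = max((i for i, (t, _) in enumerate(attrs) if t == PROXY_STATE), default=None)
    if last is None or attrs[last][1] != my_state:
        raise ValueError("last Proxy-State is not ours")
    del attrs[last]
    return encode(code, ident, attrs, server_secret, orig_req[4:20])

if __name__ == "__main__":            # constructed sample exchange
    req = encode(COA_REQUEST, 7, [(1, b"alice"), (PROXY_STATE, b"srv")], b"s1")
    fwd = forward_request(req, b"s1", b"s2", b"p1")
    ack = encode(COA_ACK, 7, [(PROXY_STATE, b"srv"), (PROXY_STATE, b"p1")], b"s2", fwd[4:20])
    print(decode(forward_response(ack, fwd, req, b"s2", b"s1", b"p1"), b"s1", req[4:20]))
```

The earlier Proxy-State (`srv` in the sample) is carried through byte-for-byte and never interpreted, which is the "opaque data" requirement in the quoted text.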