Re: Proxy State and RFC 3576bis
Bernard Aboba wrote:
One of the deployment blockers with RFC 3576 is the need to modify
proxies to handle routing of RFC 3576 packets. While proxies typically
keep tables for downstream forwarding, they typically do not keep tables
Given this, I am wondering how RADIUS proxies should handle Proxy-State
for RFC 3576 packets:
a. Do they add Proxy-State attributes to a Disconnect/CoA-Request as
suggested in the current text (and as would be done for an Access-Request)?
[Alan DeKok] No.
b. Or can the RADIUS server include a Proxy-State attribute previously
obtained from an Access-Request used in the original authentication
within the Disconnect/CoA-Request to assist the proxy in routing the
request back to the NAS? In this case, wouldn't the RADIUS proxy
*remove* Proxy-State attributes from the Disconnect/CoA-Request??
[Alan DeKok] Yes.
[BA] This suggests that paragraphs 3 and 4 in the text below are not
correct. Any suggestions on how we can fix it?
---------------

If there are any Proxy-State Attributes in a Disconnect-Request or
CoA-Request received from the server, the forwarding proxy or NAS
MUST include those Proxy-State Attributes in its response to the
server.

A forwarding proxy or NAS MUST NOT modify existing Proxy-State,
State, or Class Attributes present in the packet. The forwarding
proxy or NAS MUST treat any Proxy-State attributes already in the
packet as opaque data. Its operation MUST NOT depend on the
content of Proxy-State attributes added by previous proxies. The
forwarding proxy MUST NOT modify any other Proxy-State Attributes
that were in the packet; it may choose not to forward them, but it
MUST NOT change their contents. If the forwarding proxy omits the
Proxy-State Attributes in the request, it MUST attach them to the
response before sending it.

When the proxy forwards a Disconnect or CoA-Request, it MAY add a
Proxy-State Attribute, but it MUST NOT add more than one. If a
Proxy-State Attribute is added to a packet when forwarding the
packet, the Proxy-State Attribute MUST be added after any existing
Proxy-State attributes. The forwarding proxy MUST NOT change the
order of any attributes of the same type, including Proxy-State.
Other Attributes can be placed before, after or even between the
Proxy-State Attributes.

When the proxy receives a response to a CoA-Request or
Disconnect-Request, it MUST remove its own Proxy-State (the last
Proxy-State in the packet) before forwarding the response. Since
Disconnect and CoA responses are authenticated on the entire packet
contents, the stripping of the Proxy-State Attribute invalidates the
integrity check - so the proxy needs to recompute it.
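Added example, not part of the original message or of the draft: a Python sketch of the response-path handling in the last paragraph of the quoted text as written (the text this thread is questioning), where the proxy strips the last Proxy-State and recomputes the Response Authenticator. The secrets, identifiers, authenticator values and attribute contents are constructed, and the function names are hypothetical.

```python
import hashlib, hmac, struct

PROXY_STATE = 33  # Proxy-State attribute type (RFC 2865)

def parse_attrs(data):
    """Split the attribute section into ordered (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def response_valid(packet, request_auth, secret):
    want = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(want, packet[4:20])

def strip_own_proxy_state(attrs):
    """Drop only the last Proxy-State; every other attribute keeps its order."""
    idx = max(i for i, (t, _) in enumerate(attrs) if t == PROXY_STATE)
    return attrs[:idx] + attrs[idx + 1:]

def relay_response(packet, down_auth, down_secret, up_ident, up_auth, up_secret):
    """Verify the NAS-side response, strip our Proxy-State, re-sign for the server."""
    if not response_valid(packet, down_auth, down_secret):
        raise ValueError("bad Response Authenticator from downstream")
    attrs = strip_own_proxy_state(parse_attrs(packet[20:]))
    return build_response(packet[0], up_ident, up_auth, attrs, up_secret)

# Constructed sample: a CoA-ACK (code 44) echoing one Proxy-State from an
# earlier hop plus the one this proxy appended last when forwarding.
DOWN_AUTH, UP_AUTH = bytes(range(16)), bytes(range(16, 32))
NAS_REPLY = build_response(44, 7, DOWN_AUTH,
    [(PROXY_STATE, b"earlier-hop"), (PROXY_STATE, b"this-proxy")], b"nas-secret")
TO_SERVER = relay_response(NAS_REPLY, DOWN_AUTH, b"nas-secret", 3, UP_AUTH, b"srv-secret")
```

Removing the attribute bytes while keeping the old authenticator fails verification, which is why the relay rebuilds the header and digest instead of editing the packet in place.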