[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Issue 226: RFC 3576bis and Renumbering





> Date: Sat, 26 May 2007 15:46:46 +0100
> From: aland@nitros9.org
> To: avi@bridgewatersystems.com
> CC: dnelson@elbrysnetworks.com; radiusext@ops.ietf.org; bernarda@windows.microsoft.com
> Subject: Re: Issue 226: RFC 3576bis and Renumbering
>
> Avi Lior wrote:
> > Accounting Session ID only identifies an accounting session Start/Stop
> > and its interims, if any. A given "session" (IP Session or
> > Access-Session) may contain a number of parallel accounting sessions, or
> > a sequence of accounting sessions.
>
> I see what you're saying, but I'm not sure I agree. The
> Acct-Session-Id defines a session that the Acct-Session-Id refers to.
> It's a circular reference, but not much else is true.
>
> The problem at hand, I think, is less Acct-Session-Id than in
> figuring out what the CoA packet refers to. My proposal is to key the
> CoA to a session Id (whatever it's called), which now allows the CoA to
> request changes to other portions of the session.
>
> If we key off of IP/port, then as Bernard pointed out, we can't send
> Framed-IP-Address as both a session key and as an indication to "use
> this new value".
>
> > When it comes to 3576 and DM or even COA:
> >
> > We need to be able to terminate or modify the Session WRT to A. That
> > is, sending a DM with an NAI or some other user identification, we
> > terminate all of the users IP sessions.
> >
> > We need to be able to terminate or modify any of the users IP sessions.
> > Therefore sending a DM which includes a user identification and an IP
> > address will only terminate that users IP session.
>
> Using IP's as a key to terminate a session is fine. Using them as a
> key *and* as a "new value" in a change request is not.

[BA] It would be somewhat complicated to define a different set of session identification attributes for CoA and Disconnect-Requests.  Also, unless the NAS previously received Framed-IP-Address or Framed-IPv6-Prefix/Framed-Interface-Id attributes in an Access-Accept it typically will not know the user's IP address.  This is the situation with most NAS-Port-Type values, with the exception of PPP or protocols depending on PPP (e.g. PPPOE, PPPOA, L2TP, PPTP, etc.)

Where an Access-Request was received with an Acct-Session-Id or an Accounting-Request is received, the Acct-Session-Id can be used as the session identifier.

Where only an Access-Request is available, with no Acct-Session-Id, other session identification attributes can be used (NAS-Port/NAS-Port-Id, User-Name). 

So it's hard to imagine a case where the IP address is *required* as a session identifier.   And there are quite a few situations in which the NAS will be unable to identify the session by IP address.   Given this, encouraging the use of the IP address as a session identifier seems like a bad idea.


>
> Alan DeKok.
>
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>