[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue: RPF Check

To: Bernard Aboba <bernard_aboba@hotmail.com>
Subject: Re: Issue: RPF Check
From: Alan DeKok <aland@nitros9.org>
Date: Sun, 27 May 2007 09:39:39 +0100
Cc: radiusext@ops.ietf.org
In-reply-to: <BAY117-W111933D4E575A06964D88932A0@phx.gbl>
References: <BAY117-W111933D4E575A06964D88932A0@phx.gbl>
User-agent: Thunderbird 1.5.0.10 (Macintosh/20070221)

Bernard Aboba wrote:

It has been pointed out that the Dynamic Authorization Client (theentity originating the CoA or Disconnect-Request) need not beco-resident with a RADIUS authentication or accounting server.However, Section 6.1 seems to assume that this is the case. In caseswhere the Dynamic Authorization Client is not co-resident with theRADIUS authentication or authorization server, the RPF check cannot beapplied. I would therefore question whether it is appropriate torecommend use of the RPF check by default.

I agree. However, the RPF check was an attempt to preventunauthorized servers from performing CoA requests. We should make anote of that problem, and potential methods for addressing it. See below.

Note that this is not the only place where the distinction between aRADIUS server and a Dynamic Authorization Client needs to be made.
The proposed resolution is as follows:

...

  I agree.

2. Add the following terms to the terminology section:

...

  I agree.

We may also want to note that a proxying server acts as a NAS to theDynamic Authorization Client, and as a Dynamic Authorization Client tothe NAS. We should probably use new terminology for such a server,rather than calling it a RADIUS server. Maybe a "Dynamic AuthorizationServer".

3. Change Section 6.1 to the following, downgrading the RPF check to aMAY and clarifying that it is only applicable when the RADIUS server andDynamic Authorization Client are co-resident.

OK.

6.1.  Authorization Issues

   Where a NAS is shared by multiple providers, it is undesirable for
   one provider to be able to send Disconnect-Request or CoA-Requests
   affecting the sessions of another provider.

...

   Typically the proxy will extract the realm from the Network Access
   Identifier [RFC4282] included within the User-Name Attribute, and
   determine the corresponding RADIUS servers in the proxy routing
   tables.  The RADIUS servers for that realm are then compared against

the source address of the packet.

Do we want to add "or the CUI", since the NAI may be anonymized?Also, the proxying decision may be based on other attributes, such asclient source IP, or calling station Id.


  I would then add:

If the RADIUS server maintains long-term session state, it MAYperform the authorization checks based on the session identificationattributes in the CoA request. The session identification attributescan be used to tie a session to a particular forwarding server or set ofservers, as with the NAI and realm, above.


> Where no proxy is present, the RPF
>    check will need to be performed by the NAS itself.

Only if the NAS performs policy-based routing on the RADIUS requests.If the NAS selects servers by live/dead status, or by load-balancing,then the RPF checks do not need to be performed.


  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Issue: RPF Check
  - From: Bernard Aboba <bernard_aboba@hotmail.com>

Prev by Date: RE: RFC3576bis and Session State
Next by Date: Re: RFC3576bis and Session State
Previous by thread: Issue: RPF Check
Next by thread: RE: Issue: RPF Check
Index(es):
- Date
- Thread