
Issue 238: Identification of multiple sessions



Issue 238: Identification of Multiple Sessions
Submitter name: Bernard Aboba
Submitter email address: aboba@internaut.com
Date first submitted: June 3, 2007
Reference:
Document: RFC3576bis-07
Comment type: Technical
Priority: S
Section: 3
Rationale/Explanation of issue:

It has been pointed out that the desired effect of including Session Identification attributes is to affect *all* sessions matching the attributes that are supplied.  For example, including a User-Name/CUI Attribute and nothing else in a Disconnect-Request should cause all sessions with that username to be terminated.  However, currently Section 3 appears to make the behavior undefined where more than one session can match the session identification attributes.  Rather than being "out of scope" it would seem that RFC 3576bis should define the expected behavior.

The proposed resolution is as follows:

Change the following text in Section 2.3 from:

"
      State changes resulting from a CoA-Request MUST be atomic: if the
CoA-Request is successful, the Dynamic Authorization Server MUST
send a CoA-ACK in reply, and all requested authorization changes
MUST be made. If the CoA-Request is unsuccessful, a CoA-NAK MUST
be sent in reply, and the requested authorization changes MUST NOT
be made. Similarly, a state change MUST NOT occur as a result of
an unsuccessful Disconnect-Request; the Dynamic Authorization
Server MUST send a Disconnect-NAK in reply.
"

to:

"
      State changes resulting from a CoA-Request MUST be atomic: if the
CoA-Request is successful for all matching sessions, the Dynamic
Authorization Server MUST send a CoA-ACK in reply, and all
requested authorization changes MUST be made. If the CoA-Request
is unsuccessful for any matching sessions, a CoA-NAK MUST
be sent in reply, and the requested authorization changes MUST NOT
be made for any of the matching sessions. Similarly, a state change
MUST NOT occur as a result of a Disconnect-Request that is unsuccessful
with respect to any of the matching sessions; a Dynamic Authorization
Server MUST send a Disconnect-NAK in reply if any of the matching
sessions cannot be successfully terminated.
"

Change the following text in Section 3 from:

"
   In Disconnect-Request and CoA-Request packets, certain attributes are
used to uniquely identify the NAS as well as a user session on the
NAS. All NAS identification attributes included in a Request packet
MUST match in order for a Disconnect-Request or CoA-Request to be
successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent.
For session identification attributes, the User-Name and Acct-
Session-Id Attributes, if included, MUST match in order for a
Disconnect-Request or CoA-Request to be successful; other session
identification attributes SHOULD match. Where a mismatch of session
identification attributes is detected, a Disconnect-NAK or CoA-NAK
SHOULD be sent.

The ability to use NAS or session identification attributes to map to
unique/multiple sessions is beyond the scope of this document.
Identification attributes include NAS and session identification
attributes, as described below."

To:


"
   In Disconnect-Request and CoA-Request packets, certain attributes are
used to uniquely identify the NAS as well as user session(s) on the
NAS. All NAS and session identification attributes
included in a CoA-Request or Disconnect-Request packet MUST match
at least one session in order for a Request to be successful; otherwise
a Disconnect-NAK or CoA-NAK MUST be sent. If all NAS identification
attributes match and more than one session matches all of the
session identification attributes, then a CoA-Request or Disconnect-Request
MUST apply to all matching sessions.

Identification attributes include NAS and session identification
attributes, as described below."
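
The all-or-nothing behaviour in the proposed text for Sections 2.3 and 3, modelled for a Disconnect-Request. This is an added example, not part of the original message or of RFC 3576bis. The `Session` class, the `terminable` flag, the function names and the sample data are assumptions made for illustration, and RADIUS packet encoding is left out.

```python
from dataclasses import dataclass

ACK, NAK = "Disconnect-ACK", "Disconnect-NAK"
NAS = {"NAS-Identifier": "nas1.example"}  # constructed NAS identity

@dataclass
class Session:
    attrs: dict              # session identification attributes known to the NAS
    terminable: bool = True  # assumption: False models a session that cannot be torn down
    active: bool = True

def sample_sessions():
    """Constructed session table: two sessions for alice, one for bob."""
    return [
        Session({"User-Name": "alice", "Acct-Session-Id": "a1"}),
        Session({"User-Name": "alice", "Acct-Session-Id": "a2"}),
        Session({"User-Name": "bob", "Acct-Session-Id": "b1"}),
    ]

def matching_sessions(sessions, session_ident):
    """Active sessions that match every supplied session identification attribute."""
    return [s for s in sessions if s.active
            and all(s.attrs.get(k) == v for k, v in session_ident.items())]

def handle_disconnect(nas_attrs, sessions, nas_ident, session_ident):
    """Apply a Disconnect-Request to all matching sessions, or to none of them."""
    # Every NAS identification attribute in the request must match this NAS.
    if any(nas_attrs.get(k) != v for k, v in nas_ident.items()):
        return NAK
    hits = matching_sessions(sessions, session_ident)
    # The request must match at least one session.
    if not hits:
        return NAK
    # Atomicity: check every matching session before changing any state.
    if not all(s.terminable for s in hits):
        return NAK
    for s in hits:
        s.active = False
    return ACK

if __name__ == "__main__":
    table = sample_sessions()
    print(handle_disconnect(NAS, table, NAS, {"User-Name": "alice"}))
    print([(s.attrs["Acct-Session-Id"], s.active) for s in table])
```
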