[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Issue 239: VSAs in Session Identication

To: <radiusext@ops.ietf.org>
Subject: Issue 239: VSAs in Session Identication
From: Bernard Aboba <bernard_aboba@hotmail.com>
Date: Sun, 3 Jun 2007 20:25:36 -0700

Issue 239: VSAs in Session Identification
Submitter name: Bernard Aboba
Submitter email address: aboba@internaut.com
Date first submitted: June 3, 2007
Reference:
Document: RFC3576bis-07
Comment type: Technical
Priority: S
Section: 3
Rationale/Explanation of issue:

The question has arisen as to whether VSAs are be allowed for use in session identification.   In looking at RFC 3576 (and 3576bis) the documents appear to contain contradictory information on whether this is permitted or not.

RFC 3576 Section 3 (or RFC 3576bis) does not include VSAs for the purpose of session identification.   However, in RFC 3576bis Section 3.6 VSAs are allowed in CoA-Request and Disconnect-Request packets. This was also true in RFC 3576. This is somewhat of a contradiction, because the inclusion of a VSA in a Disconnect-Request can have no purpose other than session identification.

We can resolve this contradiction in one of the following ways:

1. Prohibit inclusion of VSAs within a Disconnect-Request OR
2. Include VSAs in the list of Session Identification attributes.

Opinions on these options are solicited.

If we take option 2, the question arises as to the expected behavior of a NAS receiving a VSA it does not support.   RFC 3576bis Section 2.3 says:

      In Disconnect and CoA-Request packets, all attributes are treated
      as mandatory.

This suggests that if a VSA is included, then if the NAS does not understand it,
it MUST send a Disconnect-NAK/CoA-NAK.

This does create a potential interoperability issue if a VSA is sent to a NAS that
does not support it.  However, it is not clear to me that an alternative exists. 
In a Disconnect-Request, then NAS can assume that the attribute is included
for the purpose of session identification, but if it does not support the
attribute it will not be able to determine which sessions (if any) are to
be disconnected, since in Issue 238 we suggested that *all* session identification
attributes MUST match (that would include VSAs, too). 


In a CoA-Request, VSAs could be session identification or authorization change
attributes.  Unless the NAS supports the VSA it will not know which use is
intended.  Therefore it seems like it also must reply with a CoA-NAK if a 
VSA is unsupported.

Prev by Date: Issue 238: Identification of multiple sessions
Next by Date: RE: Issue 226: RFC 3576bis and Renumbering
Previous by thread: Issue 238: Identification of multiple sessions
Next by thread: RFC 3576bis and Renumbering: Some thoughts
Index(es):
- Date
- Thread