
RFC 3576bis and Renumbering: Some thoughts



In looking at the potential choices for resolution of this issue (see below), some thoughts come to mind:

a. Renumbering is a rare event.  Therefore there is no requirement that we optimize for this case; instead we should focus on more common cases. 

b. Session identification via Framed-IP-Address/Framed-IPv6-Prefix/Framed-Identifier was included in RFC 3576 and appears to have been implemented (at least by Dynamic Authorization Clients).   Therefore an argument may be made for retaining backward compatibility. 

c. A Disconnect-Request may only contain NAS and session identification attributes.  Therefore IP address attributes included in a Disconnect-Request have an unambiguous meaning. 

d. There seem to be valid scenarios where use of an IP address attribute for session identification can simplify operation of a Dynamic Authorization Client.  For example, an IDS system may know the source IP address of an offending packet, and the NASes from which it may have originated, but it may not have access to attributes sent in the Access-Request or Accounting-Request.

Based on a), objections to 1 relating to inefficiency can be dismissed, and option 4 can be precluded. 

Based on b), options 3 and 5 would seem to be precluded. 

Based on c), it would appear to be unnecessary to preclude IP address attributes in a Disconnect-Request as advocated in 5. 

Based on d), option 2 appears to be precluded. 

This would appear to leave us with option 1. 

Does this logic make sense? 

-------------------------------
1. Allow Framed-IP-Address/Framed-IPv6-Prefix/Framed-Identifier attributes
in Disconnect-Request & CoA-Request packets, only for identification. 
Changing the address would require a Service-Type=Authorize Only. This
was what we had in -05.

2. Allow Framed-IP-Address/Framed-IPv6-Prefix/Framed-Identifier attributes
in Disconnect-Requests for identification. In CoA-Request packets allow 
them only for address change. 

3. Allow Framed-IP-Address/Framed-IPv6-Prefix/Framed-Identifier address
attributes in Disconnect-Request & CoA-Request packets only for address
change. Invent new attributes for identification. This was initially
proposed for -07. 

4. Allow Framed-IP-Address/Framed-IPv6-Prefix/Framed-Identifier address
attributes in Disconnect-Request & CoA-Request packets only for
identification. Invent new attributes for address change. 

5. Prohibit use of Framed-IP-Address/Framed-IPv6-Prefix/Framed-Identifier
attributes for session identification. Permit their use only in
CoA-Request packets, for use in address change. This is what we have in -07.
 


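An added illustration of point (c), not part of the original message or of any draft text: a NAS-side check that treats a Framed-IP-Address in a Disconnect-Request purely as a session key and flags any attribute outside the identification set. The attribute grouping, the function names and the sample packets are assumptions constructed for this example, and the Request Authenticator is not verified here.

```python
import socket
import struct

DISCONNECT_REQUEST = 40  # RADIUS packet code
# Attribute types grouped as NAS / session identification (grouping assumed for this example).
NAS_ID = {4: "NAS-IP-Address", 32: "NAS-Identifier", 95: "NAS-IPv6-Address"}
SESSION_ID = {1: "User-Name", 5: "NAS-Port", 8: "Framed-IP-Address", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 44: "Acct-Session-Id", 50: "Acct-Multi-Session-Id",
              61: "NAS-Port-Type", 87: "NAS-Port-Id", 96: "Framed-Interface-Id",
              97: "Framed-IPv6-Prefix"}
# Assumption: transport and integrity attributes are tolerated alongside identification.
OTHER_OK = {33: "Proxy-State", 55: "Event-Timestamp", 80: "Message-Authenticator"}

def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]); raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def check_disconnect_request(packet: bytes):
    """Return (identification_keys, rejected_attribute_types)."""
    code, attrs = parse_attributes(packet)
    if code != DISCONNECT_REQUEST:
        raise ValueError("not a Disconnect-Request")
    keys, rejected = {}, []
    for atype, value in attrs:
        name = NAS_ID.get(atype) or SESSION_ID.get(atype)
        if name:  # an IP address attribute here can only mean "which session"
            keys[name] = socket.inet_ntoa(value) if atype in (4, 8) and len(value) == 4 else value
        elif atype not in OTHER_OK:
            rejected.append(atype)  # e.g. an authorization attribute
    return keys, rejected

def build(code, attrs):
    """Constructed sample packet with a zeroed authenticator (not a valid signature)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

IDS = [(4, socket.inet_aton("192.0.2.1")), (8, socket.inet_aton("198.51.100.7"))]
GOOD = build(40, IDS)                                 # NAS + Framed-IP-Address only
BAD = build(40, IDS + [(27, struct.pack("!I", 60))])  # adds Session-Timeout (type 27)
```

A NAS applying this check would answer the second packet with a Disconnect-NAK rather than acting on it.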