[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Proxies and dead home servers

To: "Alan DeKok" <aland@nitros9.org>, "Bernard Aboba" <bernard_aboba@hotmail.com>
Subject: RE: Proxies and dead home servers
From: "Glen Zorn \(gwz\)" <gwz@cisco.com>
Date: Mon, 11 Jun 2007 11:25:08 -0700
Cc: <radiusext@ops.ietf.org>
In-reply-to: <466D67ED.9070005@nitros9.org>
References: <BAY117-W276A45843D653D8B93A3D931A0@phx.gbl> <466D67ED.9070005@nitros9.org>

Alan DeKok <> allegedly scribbled on Monday, June 11, 2007 8:19 AM:

> Bernard Aboba wrote:
>> If the home server does not respond to the proxy server, then the
>> proxy server should fail over if it has an alternative home server
>> configured.
> 
>   When the proxy server doesn't have an alternative home server, then
> what does it do?  If it doesn't respond to the NAS, the NAS may
> erroneously believe it is dead, and reject the session.  If it does
> respond with an Access-Reject, then the NAS will believe that the
> server is still alive, and reject the session.    
> 
>   I think that the second alternative is preferable to the first one.

Why?

...

>   There are corner cases where the NAS may not be able to distinguish
> the proxy being down from the home server being down.  e.g. The NAS
> sends requests through a proxy for "users@example.com" for some time
> while the "example.com" home server is down.  Then, the NAS sends a
> request through a proxy for "user@example.net", while the
> "example.net"     
> home server is up.
> 
>   If the proxy doesn't respond to the requests for "example.com",
> then the NAS may erroneously perform failover, and send the
> "example.net"  
> requests to a secondary proxy server.  If there's no secondary proxy
> server, the NAS may decide that the proxy is down, and erroneously
> reject the "example.net" request.  This will cause spurious network
> outages for users trying to log in.   

I don't really understand your example but be that as it may, in a
proxied system, neither proxies nor servers can be marked "dead" by a
client for the reason that (using RADIUS alone) it is not possible for
the client to know the state of another box on the network.  There are
at least half a dozen things that could keep a response from arriving
that have nothing at all to do with the health of any of the RADIUS
entities.  What is down or up is a route to a realm; given that, it's
not possible for a route to be erroneously marked as dead.  Note that
routes to different realms are different routes, regardless of whether
the first hop is the same or not.

...

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: Proxies and dead home servers
  - From: Alan DeKok <aland@nitros9.org>

References:
- RE: Proxies and dead home servers
  - From: Bernard Aboba <bernard_aboba@hotmail.com>
- Re: Proxies and dead home servers
  - From: Alan DeKok <aland@nitros9.org>

Prev by Date: RE: Proxies and dead home servers
Next by Date: Re: Proxies and dead home servers
Previous by thread: Re: Proxies and dead home servers
Next by thread: Re: Proxies and dead home servers
Index(es):
- Date
- Thread