[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Proxies and dead home servers

To: "Glen Zorn (gwz)" <gwz@cisco.com>
Subject: Re: Proxies and dead home servers
From: Alan DeKok <aland@nitros9.org>
Date: Tue, 12 Jun 2007 10:16:56 +0200
Cc: Bernard Aboba <bernard_aboba@hotmail.com>, radiusext@ops.ietf.org
In-reply-to: <4C0FAAC489C8B74F96BEAD85EAEB26250421AC00@xmb-sjc-215.amer.cisco.com>
References: <BAY117-W276A45843D653D8B93A3D931A0@phx.gbl> <466D67ED.9070005@nitros9.org> <4C0FAAC489C8B74F96BEAD85EAEB26250421AC00@xmb-sjc-215.amer.cisco.com>
User-agent: Thunderbird 1.5.0.12 (X11/20070604)

Glen Zorn (gwz) wrote:
>>   I think that the second alternative is preferable to the first one.
> 
> Why?

  For reasons outlined elsewhere.  In short, failures in home server A
should not affect requests destined to home server B.

> I don't really understand your example but be that as it may, in a
> proxied system, neither proxies nor servers can be marked "dead" by a
> client for the reason that (using RADIUS alone) it is not possible for
> the client to know the state of another box on the network.

  I agree it's not possible to know with confidence the state of another
box on the network in RADIUS.  However, the state of the other box
doesn't really matter.  What is at issue is the proxies perception of
that state.

  If, as you say, the proxy can't tell the state of another box, then it
can't implement primary/secondary fail-over.  Since almost all RADIUS
clients and servers implement that, I suspect the covert admission is
that proxies *can* make decisions about the state of another box on the
network.

>  There are
> at least half a dozen things that could keep a response from arriving
> that have nothing at all to do with the health of any of the RADIUS
> entities.  What is down or up is a route to a realm; given that, it's
> not possible for a route to be erroneously marked as dead.  Note that
> routes to different realms are different routes, regardless of whether
> the first hop is the same or not.

  If the first hop is unresponsive to *any* request for extended
periods, then the issue of multiple realms is irrelevant.  That hop is
dead for all practical purposes.

  On top of that, there are no routes in RADIUS.  Requests get sent to
servers based on the key of (dst ip, dst port).  Individual servers may
forward requests based on internal decisions.  Network administrators
may have diagrams which describe hoe packets are routed.  But no machine
inside of the RADIUS "routing" cloud has access to that global routing
information.  In contrast, IP routers have that information available
through BGP/OSPF/whatever.

  I am very leery of talking about "routes" in a protocol which has
"routes" statically configured, and which has no way for "routers" to
exchange "routing" information.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- RE: Proxies and dead home servers
  - From: Bernard Aboba <bernard_aboba@hotmail.com>
- Re: Proxies and dead home servers
  - From: Alan DeKok <aland@nitros9.org>
- RE: Proxies and dead home servers
  - From: "Glen Zorn \(gwz\)" <gwz@cisco.com>

Prev by Date: RE: Proxies and dead home servers
Next by Date: Re: Proxies and dead home servers
Previous by thread: RE: Proxies and dead home servers
Next by thread: RE: Proxies and dead home servers
Index(es):
- Date
- Thread