[radext] RDTLS #64 (new): 4.1 source port inclusion in the tracking table
#64: 4.1 source port inclusion in the tracking table
''4.1. "An RADIUS/DTLS server MUST maintain a table that tracks ongoing
DTLS sessions based on a key composed of the following 4-tuple:''
* source IP address
* source port
* destination IP address
* destination port"
''3.
"Clients can no longer have multiple independent RADIUS implementations or
processes that originate packets. We RECOMMEND that RADIUS/DTLS clients
implement a local RADIUS proxy that arbitrates all RADIUS traffic."''
I am confused about how this tracking is supposed to work.
Throughout the document it is recommended that clients use connected socket
options... Now what happens when a client tries to send a new Access-Request
message using a different source port over a DTLS session that was
already established?
Judging by the keys of the table, such a request would be discarded since there
is no known session in the table matching the key.
If this is the intention it should be made clear that clients can't switch
their source ports unless they also open a new DTLS session. Client
implementors (most of us:) tend to gloss over server-specific areas and
may not realize the implication.
If true, and this is really the intention, what stops clients from
originating packets from different processes per sec 3 above?
My recommendation is to remove the source port from the tracking table key
and just allow the DTLS session to be client-specific so any source port can
be used, as we do traditionally to get around the ID limit mess.
This approach will cut down on the number of DTLS sessions in a busy
environment and simplify implementations. If you want to support NATs and
the like you still can by broadcasting the packet to all matching DTLS
sessions.
--
-------------------------------------+--------------------------------------
Reporter: peterd@… | Owner:
Type: defect | Status: new
Priority: minor | Milestone: milestone1
Component: RDTLS | Version: 1.0
Severity: Active WG Document | Keywords:
-------------------------------------+--------------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/radext/trac/ticket/64>
radext <http://tools.ietf.org/radext/>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
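To make the lookup behaviour the ticket is arguing about concrete, here is an added toy model of the server-side tracking table (not code from the draft or from any RADIUS implementation). It compares the draft's 4-tuple key against the ticket's proposal of dropping the source port, using constructed client and server addresses; the `scenario` function and session names are hypothetical.

```python
from dataclasses import dataclass

SERVER = ("198.51.100.1", 2083)  # constructed RADIUS/DTLS server address


@dataclass
class DtlsSession:
    name: str    # label for the handshake that created the session
    peer: tuple  # (src IP, src port) observed at handshake time


class SessionTable:
    """Toy model of the server-side tracking table from section 4.1.

    key_includes_src_port=True is the draft's 4-tuple key;
    False is the ticket's proposal (drop the source port, match on client).
    """

    def __init__(self, key_includes_src_port=True):
        self.key_includes_src_port = key_includes_src_port
        self.sessions = {}  # key -> [DtlsSession, ...]

    def _key(self, src_ip, src_port, dst_ip, dst_port):
        if self.key_includes_src_port:
            return (src_ip, src_port, dst_ip, dst_port)
        return (src_ip, dst_ip, dst_port)

    def open_session(self, src_ip, src_port, name):
        # A completed DTLS handshake from (src_ip, src_port) creates an entry.
        sess = DtlsSession(name, (src_ip, src_port))
        key = self._key(src_ip, src_port, *SERVER)
        self.sessions.setdefault(key, []).append(sess)
        return sess

    def candidates(self, src_ip, src_port):
        """Sessions a datagram from (src_ip, src_port) could belong to.

        With the port in the key there is at most one. Without it, NATed
        clients sharing an IP yield several, and the datagram has to be
        tried against each (the 'broadcast' the ticket mentions).
        An empty list means the server has nothing to decrypt it with.
        """
        key = self._key(src_ip, src_port, *SERVER)
        return [s.name for s in self.sessions.get(key, [])]


def scenario(key_includes_src_port):
    t = SessionTable(key_includes_src_port)
    t.open_session("192.0.2.10", 40000, "clientA")     # handshake from port 40000
    t.open_session("203.0.113.5", 50000, "nat-host1")  # two hosts behind one NAT
    t.open_session("203.0.113.5", 50001, "nat-host2")
    return {
        "same_port": t.candidates("192.0.2.10", 40000),  # handshake socket
        "new_port": t.candidates("192.0.2.10", 40001),   # second process, new port
        "nat_port1": t.candidates("203.0.113.5", 50000),
        "table_entries": len(t.sessions),
    }
```

With the 4-tuple key the second source port finds no session; without the port it maps back onto clientA's session, but the two NATed hosts now collide on one key and must be disambiguated by trying each session.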