Re: [radext] RDTLS #64 (new): 4.1 source port inclusion in the tracking table
radext issue tracker wrote:
> Throughout the document it is recommended clients use connected socket
> options... Now what happens when a client tries to send a new Access-
> Request message using a different source port over a DTLS session that was
> already established?
Then the packet is discarded. The DTLS sessions are keyed by (src
ip/port, dst ip/port). It is by definition impossible to send packets
for one DTLS session from two different source ports.
> If this is the intention it should be made clear clients can't switch
> their source ports unless they also open a new DTLS session. Client
> implementors (most of us:) tend to gloss over server specific areas and
> may not realize the implication.
Hmm... OK.
> If true and this is really the intention what stops clients from
> originating packets from different processes per sec 3 above?
Nothing.
> My recommendation is to remove the source port from the tracking table key
> and just allow DTLS sessions to be client specific so any source port can
> be used as we do traditionally to get around the ID limit mess.
IMHO, that is a very bad idea, and quite likely impossible to
implement in practice. If you have two DTLS sessions from a client, and
packets from more than two different source ports, you'll need to
somehow inspect the traffic to determine which packet belongs to which
session.
> This approach will cut down on the number of DTLS sessions in a busy
> environment and simplify implementations. If you want to support NATs and
> the like you still can by broadcasting the packet to all matching DTLS
> sessions.
Ouch. With 100 sessions, that means every packet results in 99 failures.
I don't think that's a good idea at all.
Alan DeKok.
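The tracking-table behaviour argued over above, shown as a small added example (written for this page, not code from the thread, from the draft, or from any RADIUS implementation): a server-side table keyed by the full (src ip, src port, dst ip, dst port) tuple, a datagram from a not-yet-handshaked source port that finds no entry and is discarded, and the proposed client-IP-only lookup that returns more than one candidate session once a client has two of them. All addresses, ports other than 2083, and class and function names are this example's own constructions.

```python
"""Constructed example: DTLS session tracking for a RADIUS/DTLS server.

Not code from the thread, RFC 7360 or any implementation. It illustrates
two points from the discussion above: an exact four-tuple key cannot match
a datagram sent from a new source port, and keying on the client IP alone
leaves the demultiplexing ambiguous as soon as a client has two sessions.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FourTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class DtlsSession:
    key: FourTuple
    datagrams: int = 0


class SessionTable:
    """Tracking table keyed by the full address four-tuple (hypothetical)."""

    def __init__(self) -> None:
        self._sessions: Dict[FourTuple, DtlsSession] = {}

    def open(self, key: FourTuple) -> DtlsSession:
        # A client that switches source port has to complete a new handshake,
        # which is what creates a new entry here.
        session = DtlsSession(key)
        self._sessions[key] = session
        return session

    def demux(self, key: FourTuple) -> Optional[DtlsSession]:
        """Exact four-tuple match; a datagram with no entry is discarded."""
        session = self._sessions.get(key)
        if session is not None:
            session.datagrams += 1
        return session

    def sessions_for_client(self, src_ip: str) -> List[DtlsSession]:
        """The alternative proposed in the thread: match on client IP only.

        With more than one session from that IP there is no way to tell, from
        addressing alone, which session a datagram belongs to.
        """
        return [s for k, s in self._sessions.items() if k[0] == src_ip]


def demo() -> dict:
    # Constructed addresses; 2083 is the RADIUS/DTLS server port.
    server = ("198.51.100.1", 2083)
    table = SessionTable()
    # Two established sessions from one client, each from its own source port.
    table.open(("192.0.2.10", 50001, *server))
    table.open(("192.0.2.10", 50002, *server))

    matched = table.demux(("192.0.2.10", 50001, *server))
    # Same client, a third source port that never completed a handshake.
    stray = table.demux(("192.0.2.10", 50003, *server))
    candidates = table.sessions_for_client("192.0.2.10")
    return {
        "matched": matched is not None,
        "stray_discarded": stray is None,
        "ip_only_candidates": len(candidates),
        # Trying every candidate in turn wastes all but one attempt per packet.
        "wasted_attempts": max(len(candidates) - 1, 0),
    }


if __name__ == "__main__":
    print(demo())
```

With the two sessions in `demo()`, the stray datagram is discarded by the four-tuple table, while the IP-only lookup yields two candidates and one wasted attempt per packet; with a hundred sessions from that client the wasted attempts grow to ninety-nine, which is the cost the reply objects to.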
archive: <http://psg.com/lists/radiusext/>