[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?

To: Peter Deacon <peterd@iea-software.com>
Subject: Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
From: Alan DeKok <aland@deployingradius.com>
Date: Wed, 23 Feb 2011 10:02:32 +0100
Cc: radiusext@ops.ietf.org
In-reply-to: <alpine.WNT.2.00.1102221050040.2280@SMURF>
References: <064.b5fbc75965f33629034d4be3708706fb@tools.ietf.org> <4D62317D.5090103@deployingradius.com> <alpine.WNT.2.00.1102210151240.2280@SMURF> <4D62396A.6070400@deployingradius.com> <alpine.WNT.2.00.1102210208590.2280@SMURF> <4D623F20.6040604@deployingradius.com> <alpine.WNT.2.00.1102210233070.2280@SMURF> <4D63C10C.7060205@deployingradius.com> <alpine.WNT.2.00.1102221050040.2280@SMURF>
User-agent: Thunderbird 2.0.0.24 (Macintosh/20100228)

Peter Deacon wrote:
> It seems possible one would have the freedom to implement a _server_
> with broadcasting to fill the potholes or even remove source port from
> the tuple while still maintaining 100% interoperability with clients and
> servers following this draft as currently written.  I agree it is not a
> particularly good idea but at least it is workable.

  Yes.

> 1. Stealing type codes is bad form even if we all think noone is using them

  Yes.  It's less bad because the type code being stolen is a *response*
code.  So it shouldn't be sent to servers.

> 2. Multiple DTLS sessions to the same server is an unnecessary waste of
> resources and may lead to unnecessary confusion regarding connection
> state should one but not all sessions under management be disconnected
> without the peers knowledge.

  Quite possibly, yes.  However, the limited ID space is an issue.

> 3. Client must implement strategies to maintain multiple connections if
> they need to effectively deal with the problem of insufficient ID space.

  Yes.  This is the same as today.

> 4. Expecting NATs to maintain long term stateful UDP mappings in sync
> with underlying DTLS session is not something I would want to bet on. 
> Mapping request and response is all RADIUS currently has to do.. It is
> much different than expecting the whole train of all subsequent requests
> to continue to use the same source port...

  If the client is continually sending traffic, it's OK.  The document
suggests a watchdog timer, which means at least one packet every few
tens of seconds.  That *may* be enough to keep the NAT state active.

> 5. Potholes.
> 
> 6. Depending on DTLS packet formatting and content type parameters to
> not change in the future for compatibility with the detection method is
> not ideal.

  Pretty much, yes.

> What I propose is allocating two type codes used for all RDTLS requests.
> 
> RDTLS-Request
> RDTLS-Response
>
> They will be used in a simple 4-byte prefix before the DTLS data by
> RADIUS clients and servers.

  If we're doing that, we might as well solve the ID limitation at the
same time.  Add a 64-bit unique "packet identifier", so that one DTLS
session can transport more than 256 RADIUS packets at the same time.

  This worries me a little, though.  It involves the creation of a new
protocol, which is neither RADIUS nor DTLS.  I'm not sure it solves
enough problems to warrant the extra complexity.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
  - From: Peter Deacon <peterd@iea-software.com>

References:
- [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
  - From: "radext issue tracker" <trac@tools.ietf.org>
- Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
  - From: Alan DeKok <aland@deployingradius.com>
- Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
  - From: Peter Deacon <peterd@iea-software.com>
- Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
  - From: Alan DeKok <aland@deployingradius.com>
- Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
  - From: Peter Deacon <peterd@iea-software.com>
- Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
  - From: Alan DeKok <aland@deployingradius.com>
- Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
  - From: Peter Deacon <peterd@iea-software.com>
- Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
  - From: Alan DeKok <aland@deployingradius.com>
- Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
  - From: Peter Deacon <peterd@iea-software.com>

Prev by Date: Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
Next by Date: Re: [radext] RDTLS #67 (new): RADIUS vs RDTLS disambiguation (TLS Alert)
Previous by thread: Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
Next by thread: Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?
Index(es):
- Date
- Thread