
RE: Last Call: RADIUS Support For Extensible Authentication Protocol (EAP) to Informational



draft-aboba-radius-rfc2869bis-21.txt says in section 2.3:

"In RADIUS [RFC2865], the RADIUS client is responsible for retransmission
of RADIUS packets. RADIUS/EAP client implementations SHOULD support
dynamic estimation of the RADIUS retransmission timeout, using the
algorithms specified in [RFC2988]."

The reasoning behind this modification to the RADIUS retransmission
strategy is that "... we have seen situations (such as a network-wide
reboot) where RADIUS storms can occur, swamping the RADIUS server(s). In
these situations it would be preferable for RADIUS clients to support
exponential backoff and a more conservative initial RTO estimate, as in
TCP." (see
http://www.drizzle.com/~aboba/EAP/eapissues.html#Issue%20125).  However,
the TCP RTO algorithms are designed to prevent network congestion, which
(though it may occur) is not the problem we're trying to solve here,
which I think might be better modeled as a server resource contention
problem.  Furthermore, the problem is not specific to EAP-over-RADIUS;
in the situation mentioned above, the same behavior would be observed
regardless of the authentication protocol in use.  This fact suggests
that a solution to the problem (presupposing that a protocol-based
solution is reasonable) should be published as an update to RFC 2865,
rather than RFC 2869.

There are other reasons why the RFC 2998 algorithms are inappropriate
for use with RADIUS. Some are mentioned in RFC 2865 (section 2.4);
others include an initial TMO that is likely to be too short in
situations where one or more RADIUS proxies are traversed, the large
granularity of the timers specified and the deterministic nature of the
algorithms used which in the worst case could result in all the clients
firing repeated salvos of requests in lockstep (not a good way to reduce
instantaneous server loading!).  

~gwz

"They that can give up essential liberty to obtain a little temporary
safety deserve neither..."

-- Benjamin Franklin, 1759 
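As an added illustration of the lockstep concern raised in the message above (example code written here, not from the author, the draft or RFC 2988): an RFC 2988 estimator with the TCP constants (alpha 1/8, beta 1/4, K 4, 3 s initial RTO, 1 s floor, 60 s cap, doubling on timeout), driven first deterministically and then with a random jitter factor. The jitter, the 1-second load buckets and the "all clients reboot at t=0 and the server never answers" scenario are assumptions constructed for the example.

```python
"""RFC 2988-style RTO estimation applied to RADIUS retransmission (added example)."""
from collections import Counter
import random


class Rfc2988Rto:
    """RTO estimator per RFC 2988: SRTT/RTTVAR smoothing, RTO = SRTT + max(G, K*RTTVAR)."""
    ALPHA, BETA, K = 1 / 8, 1 / 4, 4
    INITIAL_RTO, MIN_RTO, MAX_RTO = 3.0, 1.0, 60.0

    def __init__(self, clock_granularity=0.5):
        self.g = clock_granularity        # timer granularity G (constructed value)
        self.srtt = self.rttvar = None
        self.rto = self.INITIAL_RTO

    def on_sample(self, r):
        """Update the estimate with a measured round-trip time r (seconds)."""
        if self.srtt is None:              # first measurement
            self.srtt, self.rttvar = r, r / 2
        else:
            self.rttvar = (1 - self.BETA) * self.rttvar + self.BETA * abs(self.srtt - r)
            self.srtt = (1 - self.ALPHA) * self.srtt + self.ALPHA * r
        rto = self.srtt + max(self.g, self.K * self.rttvar)
        self.rto = min(self.MAX_RTO, max(self.MIN_RTO, rto))
        return self.rto

    def on_timeout(self):
        """Exponential back-off: double the RTO, bounded by the cap."""
        self.rto = min(self.MAX_RTO, self.rto * 2)
        return self.rto


def retransmit_schedule(jitter=0.0, attempts=5, seed=0):
    """Send times for one client whose server never answers. jitter=0 is pure RFC 2988;
    jitter=j scales each wait by a uniform factor in [1-j, 1+j] (an assumption, not RFC 2988)."""
    rng, est = random.Random(seed), Rfc2988Rto()
    t, times = 0.0, [0.0]
    for _ in range(attempts):
        t += est.rto * (1 + rng.uniform(-jitter, jitter))
        times.append(round(t, 2))
        est.on_timeout()
    return times


def salvo_size(clients=200, jitter=0.0):
    """Largest number of retransmissions landing in the same 1-second bucket when every
    client reboots at t=0 (the initial request at t=0 is excluded; only retries count)."""
    buckets = Counter()
    for i in range(clients):
        for t in retransmit_schedule(jitter=jitter, seed=i)[1:]:
            buckets[int(t)] += 1
    return max(buckets.values())
```

With jitter=0 every client retries at exactly 3, 9, 21, 45 and 93 seconds, so each retry bucket carries the full client population; any spread in the back-off breaks the lockstep.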

