[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[radext] #25: IESG DISCUSS Comments
#25: IESG DISCUSS Comments
-----------------------------------+----------------------------------------
Reporter: iesg@â | Owner: aland@â
Type: defect | Status: new
Priority: blocker | Milestone: milestone1
Component: tcp-transport | Version: 1.0
Severity: Submitted WG Document | Keywords:
-----------------------------------+----------------------------------------
Discusses and other comments
Summary: Has a DISCUSS. Has enough positions to pass once DISCUSSes are
resolved.
Russ Housley
Comment (2010-05-19)
Please consider the comments from the Gen-ART Review by Glenn
Kowack on 18 May 2010. The review can be found at:
http://www.softarmor.com/rai/temp-gen-art/
draft-ietf-radext-tcp-transport-06-kowack.txt
Lars Eggert
Comment (2010-05-20)
Agree with Tim's DISCUSS.
Section 27, paragraph 13:
> It is not intended
> to define TCP as a transport protocol for RADIUS in the absence of
> TLS.
The document title is "RADIUS Over TCP". It's surprising to then see
that abstract say that it is not intended to define RADIUS over TCP...
Suggestion: Rename document to "Radius over TLS"?
Section 1., paragraph 1:
> While
> there are a number of benefits to using UDP as outlined in [RFC2865]
> Section 2.4, there are also some limitations:
Lack of congestion control is surely a limitation?
Section 1.1., paragraph 2:
> In scenarios where RADIUS proxies exchange a large volume of packets
> (10+ packets per second), it is likely that there will be sufficient
> traffic to enable the congestion window to be widened beyond the
> minimum value on a long-term basis, enabling ACK piggy-backing.
I don't understand what this paragraph means to say. The TCP
congestion window opens already at much lower rates than 10+ pps.
Also, how is this at all related to ACK-piggybacking?
Section 1.1., paragraph 5:
> These problems disappear if a 4096 application-layer payload can be
> used alongside RADIUS over TLS. Since most TCP implementations
> support MTU discovery, the TCP MSS is automatically adjusted to
> account for the MTU, and the larger congestion window supported by
> TCP may allow multiple TCP segments to be sent within a single
> window.
Even those few TCP stacks that don't do PMTUD can already support
arbitrary payloads (just with slightly less efficient packetization).
Section 2.6.1., paragraph 5:
> As noted previously, RADIUS packets SHOULD NOT be re-transmitted to
> the same destination IP and numerical port, but over a different
> transport layer.
Where does it say that? The second paragraph of Section 2.6 says that
they MAY be retransmitted over a new connection (which is different
from a SHOULD NOT). Also, "transport layer" here is unclear - do you
mean "transport connection" (= use a different TCP connection) or do
you mean "transport protocol" (= use UDP)?
Section 2.6.2., paragraph 2:
> Unlike UDP, TLS is subject to issues related to Head of Line (HoL)
> blocking. This occurs when when a TLS segment is lost and a
> subsequent TLS segment arrives out of order. While the RADIUS server
> can process RADIUS packets out of order, the semantics of TLS makes
> this impossible. This limitation can lower the maximum packet
> processing rate of RADIUS over TLS.
s/TLS/TCP/ in this paragraph
Section 2.6.4., paragraph 6:
> After applying the above rules, there are still situations where the
> previous specifications allow a packet to be "silently discarded".
> In these situations, the TCP connections MAY remain open, or MAY be
> closed, as an implementation choice. However, the invalid packet
> MUST be silently discarded.
In order to reduce connection-setup overheads, wouldn't it make sense
to RECOMMEND the connection stay open?
Ralph Droms
Discuss (2010-05-20)
This Discuss is related to Tim's Discuss. This text:
"Bare" TCP transport MAY, however, be used when another method such
as
IPSec [RFC4301] is used to provide additional confidentiality and
security.
Should experience show that such deployments are useful,
this specification
could be moved to standards track.
is confusing. Why would experience with
"bare" TCP or IPSec TCP cause draft-ietf-radext-tcp-transport to progress
to
Standards Track?
Similarly, from the Abstract:
It [draft-ietf-radext-tcp-transport-06.txt] is not intended
to define TCP as a transport protocol for RADIUS in the absence of
TLS.
while several of the motivations for RADIUS over TCP in section 1.1 are
not
specific to RADIUS with TLS.
Adrian Farrel
Comment (2010-05-20)
To follow up on Tim Polk's Discuss point 2
I appreciate the sentiment of the
paragraph, but "NOT RECOMMENDED" is not RFC 2119 language (as idnits would
tell
you). You have to flip the sense of the sentence and use "RECOMMENDED".
But Tim
is also right, please consider "MUST NOT" since the following paragraph...
"Bare" TCP transport MAY, however, be used when another method such
as IPSec [RFC4301] is used to provide additional confidentiality and
security. Should experience show that such deployments are useful,
this specification could be moved to standards track.
...is really confusing. It implies that the purpose of this document *is*
to
define the use of bare TCP transport which is in conflict with the
Abstract.
--
Ticket URL: <http://trac.tools.ietf.org/wg/radext/trac/ticket/25>
radext <http://tools.ietf.org/radext/>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>