Re: Draft of extensions format

[Peter Deacon <peterd@iea-software.com>]

On Thu, 2 Sep 2010, Alan DeKok wrote:

> > I think this boils down to my advocating for a flat model where each
> > item stands alone while the draft is advocating a hierarchical model
> > where each items identity is strictly dependent on its parent.

>  Pretty much, yes.  That's a result of adding the TLV format, which is
> breaks the flat model wide open.

There are many ways of representing the same structured data.  Purely 
hierarchical approach advocated in the draft suffers from the multiple 
inheritance problem.

> > When I say TBD.1 it means User-Name (Type 1) encoded in whatever TBD is.
> > (TLV, Extension..etc)
> > Under the drafts scheme the attributes defined would be:

> > Input
> > Output
> > Input.Octets
> > Input.Packets
> > Output.Octets
> > Output.Packets

>  Yes.  It's not optimal, but it's been proven to work in 3GPP2 and WiMAX.
> > Under my recommendation the attribute picture is flattened:

> > Input (TLV Attribute)
> > Output (TLV Attribute)
> > Octets (Attribute)
> > Packets (Attribute)

>  How do you encode the TLV's?  As 16 bit quantities?  They must be,
> because otherwise all 256 attributes would be already allocated.

Yes, my proposal is the type field be a 16-bit or 14-bit field to save a 
byte on fragment and extra flag bits.

>  And this suggestion is largely the Diameter Group attribute.  If we go
> down that path, it would be preferable to use a method compatible with
> Diameter, rather than one which is slightly different.

My thinking is the definition is more important than the wire format. 
The wire format is out of sight out, out of mind.  The universally 
standardized definition of attributes is what I am most concerned with. 
If it looks like diameter so be it..

> > 1. More flexibility.  Existing attributes that were never labeled as
> > groupable can be grouped.  For example I could create a generic TLV
> > container labeled 'suspect' containing all attributes that an
> > intermediate proxy does not like.

>  What is the use-case?
>  And we've had that discussion already on this list.  The consensus was
> that there are just too many uncertainties and confusions with that
> approach.  What does it mean when a User-Name is grouped inside of a new
> TLV?  How do existing proxies deal with that data?  Do you put the
> User-Name outside of the TLV, and also inside?

>  These issues *must* be answered before your proposal can move forward.

This was just a hypothetical to provide an example usage of which I have an 
infinite supply so if you need more just ask and I'll rattle off more use 
cases until everyone is satisfied.

In this case its my attribute I define what the group means.. My TLV 
attribute is labeled Proxy-Suspects and it means everything in the group is 
an attribute an intermediate proxy server in the chain did not "like".

Its proxied by servers who do not support/understand it the same as any 
other unknown or specifically unsupported attribute would be per this 
draft and other RFCs.

Since the TLV is an attribute type in itself the system must understand 
what the type means before it can do anything with the data contained 
within it.  The User-Name attribute inside the TLV is characterized by its 
container and semantics associated with the definition of the type.

Example...

TLV - Proxy-Suspects
- TLV Proxy-Suspect-Attribute
-	User-Name = Rumpelstiltskin
	Proxy-Suspect-Reason = Too-Big
- TLV Proxy-Suspect-Attribute
	Framed-IP-Address = 127.0.0.1
	Proxy-Suspect-Reason = Policy-Reject

> > 2. "Like" attributes within TLVs can be reused.  In the example above
> > Octets and Packets need only be defined once and then apply to Input,
> > Output and maybe a future "Combined" TLV container.  To some extent this
> > is just a schema/definition argument.

>  That is an admirable goal, and one which the document does not meet.
> Existing information (3GPP2, WiMAX, vendors, etc.) shows that the re-use
> isn't much of a problem, as it has been done.
>  Again, what is the use-case for this?

I think fundamentally there is a difference in the efforts you cite have a 
finite scope to a specific problem domain.  The WG is defining a broadly 
scoped attribute that applies to many disparate problem domains and so 
what is workable in these cases may not be ideal in the general case.

> > 3. The standard VSA space can be extended with less complexity/wholesale
> > change to existing infrastructure as every attribute definition stands
> > alone and is therefore fully compatible with the current model.

>  What is the use-case?  How is it "less complex"?  How is encapsulating
> User-Name in a TLV "fully compatible" with current RADIUS?

The issue is the attributes are defined based on their parents and don't 
standalone and so don't fit with the current flat model of defining 
attributes with integer values as self-contained entities.  Subgroups 
require implementation infrastructure change to support.

Again assume TLV grouping is *NOT* used in this case.  The drafts scheme 
has a dual use to extend the standard space AND support TLVs.  The problem 
is it should in my opinion be possible for a client to use use extended 
attributes without having to support TLVs and the sub attribute encoding 
scheme that go with them.

My recommendation is easier because each attribute retains a unique 
integer identity as is current practice for all standard attributes and 
most VSAs and thus easier for client vendors to implement extended 
attributes within their existing systems if they do not also have a need 
to support TLVs.

> > 1. What is allowed in a group may or may not simply be defined by
> > declaration in a dictionary.  Need a concept to declare constraints
> > (LDAP "object classes").  I would argue you would need this anyway if
> > there was interest in for example declaring minimum required sub
> > attributes for a specific TLV.
> >
> > 2. There is a strange aspect in that the additional space has to be
> > "bootstrapped".  Either hardwired or configuration to say standard space
> > > 2^8 goes to a TBD extension attribute along the same lines as
> > Vendor-Specific (26) in the implementation.

>  Please propose something *concrete*, with use-cases.

In terms of definition of attributes RADIUS is traditionally very loosely 
structured.  Attributes you don't understand can be tolerated even tho 
there is no way to communicate the information attribute x was ignored.

Subsequently new features such as Disconnect/CoA enforced a more strict 
interpretation in which unknown attributes mandate a NAK response by the 
NAS.

Loose vs strict structure is a subjective space and I can cite an example 
that would lean in either direction.

My suggestion WRT definition is to always define the minimal requirements 
in terms of sub-attributes for the use of any TLV and the possible 
sub-attributes whenever a TLV is defined in an RFC.

In terms of adherence only Recommend they are followed and give clients or 
servers the option of rejecting TLVs if the constraints are not met. 
Ideally these semantics would be defined with the TLV attribute and can be 
stronger or weaker based on the semantics of the specific TLV.

> > Anyway after looking over the draft again I have some (un)related comments:

> > I think fragmentation support for 'jumbo' attribute values is a good
> > thing however with the draft there does not seem to be a way to do both
> > TLV grouping and attributes with large payloads at the same time.  IIRC
> > wimax VSAs support this.  Could perhaps just get rid of TLV format and
> > reuse the extended type as TLV?

>  The discussions Avi and & had were that we couldn't see a use-case for
> TLVs needing more than 253 octets of data.  The WiMAX VSAs do *not*
> support TLVs having large payloads.

I double checked and I don't believe this is correct..  See:
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-admin/html/WiMAX_Overview6.html

I have found other material that explicitly say the continuation flag may 
be used specifically with WiMax TLVs allowing up to 4k or so TLVs.

In any event this statement seems a little confusing to me.  On one hand 
you introduce a container that supports fragments but on the other hand 
say that there is no use case in TLVs supporting fragments.

In terms of a use case my Proxy-Suspects TLV would work here as well as it 
needs to potentially be larger than 2^8 for cases where the proxy server 
does not like multiple attributes.

> > In RADIUS everything is a "TLV" .. If it were labeled Container TLV or
> > something similar to disambiguate the data types actual intended use it
> > would be less confusing (to me).

>  RFC 2865 defines Attributes.  The acronym TLV does not appear in any
> standards-track RADIUYS document.

TLV is universally understood to mean Type-Length-Value which all RADIUS 
attributes are.  This is the source of my confusion.

> > To the extent relationship between TLVs and attributes need to be
> > defined your correct.  At the same time however it's not required when
> > TLVs are not used.  In my view an important difference.

>  It's semantics.  Calling a new attribute 1234 or 241.1 makes little
> difference.

So can we call them 1234 or maybe both? :)

regards,
Peter

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>