
Re: [radext] RDTLS #65 (new): Multiple dtls sessions in a tuple?



On Wed, 23 Feb 2011, Alan DeKok wrote:

>> What I propose is allocating two type codes used for all RDTLS requests.
>>
>> RDTLS-Request
>> RDTLS-Response
>>
>> They will be used in a simple 4-byte prefix before the DTLS data by
>> RADIUS clients and servers.
>
> If we're doing that, we might as well solve the ID limitation at the
> same time.  Add a 64-bit unique "packet identifier", so that one DTLS
> session can transport more than 256 RADIUS packets at the same time.

This is not needed, since the source port is also replaced with the RDTLS-Session-ID in the DTLS tracking table.

When the source port is removed, the effective ID space per DTLS session is the same as RADIUS: ~2^16 (source ports) * 2^8 (IDs).

> This worries me a little, though.  It involves the creation of a new
> protocol, which is neither RADIUS nor DTLS.  I'm not sure it solves
> enough problems to warrant the extra complexity.

To simplify somewhat, the proposal is just stealing the first 4 bytes for session selection and sending the rest to the DTLS stack.

I don't know how it would be classified politically. In terms of interop, whether RADIUS sees DTLS or 4 bytes + DTLS, I would expect the reaction from RADIUS implementations not supporting DTLS to be materially the same.

regards,
Peter
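The demultiplexing step the message describes (peel off a 4-byte prefix, pick the DTLS session by peer address plus RDTLS-Session-ID rather than by source port, hand the remainder to the DTLS stack), as an added example that is not code from this thread, from Alan or Peter, or from any RADIUS implementation. The prefix layout (one type-code byte followed by a 24-bit session ID), the two code-point values and the echo "session handler" standing in for a DTLS stack are all assumptions made for the example; the thread names the two codes but assigns no numbers and no byte layout.

```python
"""Demultiplexing datagrams carrying an RDTLS 4-byte prefix.

Assumed layout (not given in the thread): byte 0 = RDTLS type code,
bytes 1-3 = RDTLS-Session-ID (24-bit, big-endian), rest = DTLS record.
"""
from typing import Callable, Dict, Optional, Tuple

# Placeholder code points: the thread names the codes but assigns no values.
RDTLS_REQUEST = 0xF0
RDTLS_RESPONSE = 0xF1
PREFIX_LEN = 4

# A session is selected by (peer IP, RDTLS-Session-ID); the source port is
# deliberately not part of the key, as the message above proposes.
SessionKey = Tuple[str, int]
SessionHandler = Callable[[bytes], bytes]


def parse_prefix(datagram: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Split a datagram into (code, session_id, dtls_record).

    Returns None for anything that must not reach the DTLS stack: datagrams
    too short to hold the prefix plus at least one record byte, or an
    unknown type code.
    """
    if len(datagram) < PREFIX_LEN + 1:
        return None
    code = datagram[0]
    if code not in (RDTLS_REQUEST, RDTLS_RESPONSE):
        return None
    session_id = int.from_bytes(datagram[1:PREFIX_LEN], "big")
    return code, session_id, datagram[PREFIX_LEN:]


def build_prefix(code: int, session_id: int) -> bytes:
    """Assemble the 4-byte prefix for an outgoing datagram."""
    if session_id < 0 or session_id >= 1 << 24:
        raise ValueError("session id does not fit in 24 bits")
    return bytes([code]) + session_id.to_bytes(3, "big")


class RdtlsDemux:
    """Server-side tracking table: routes DTLS records to per-session handlers."""

    def __init__(self, open_session: Callable[[SessionKey], SessionHandler]):
        self._sessions: Dict[SessionKey, SessionHandler] = {}
        self._open_session = open_session

    def handle(self, peer_ip: str, datagram: bytes) -> Optional[bytes]:
        """Process one inbound datagram; return the reply datagram or None to drop."""
        parsed = parse_prefix(datagram)
        if parsed is None:
            return None
        code, session_id, record = parsed
        key = (peer_ip, session_id)
        handler = self._sessions.get(key)
        if handler is None:
            # Only a Request may open a session; a Response for an unknown
            # session is dropped rather than creating state.
            if code != RDTLS_REQUEST:
                return None
            handler = self._open_session(key)
            self._sessions[key] = handler
        reply = handler(record)
        return build_prefix(RDTLS_RESPONSE, session_id) + reply

    def session_count(self) -> int:
        return len(self._sessions)


def constructed_session(key: SessionKey) -> SessionHandler:
    """Stand-in for a DTLS stack instance (constructed for this example):
    it just upper-cases the record it is given."""
    return lambda record: record.upper()


if __name__ == "__main__":
    demux = RdtlsDemux(constructed_session)
    # Constructed sample datagram: Request, session 0x000102, record b"hello".
    sample = build_prefix(RDTLS_REQUEST, 0x000102) + b"hello"
    print(demux.handle("192.0.2.1", sample))
```

Two datagrams from different peer addresses that happen to carry the same session ID land in different table entries, and anything that fails the prefix check is dropped before the DTLS stack ever sees it.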

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>