[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [dhcwg] Question about RADIUS Attribute sub-option

To: Amy <zhaoyuping at huawei.com>
Subject: Re: [dhcwg] Question about RADIUS Attribute sub-option
From: John Schnizlein <jschnizl at cisco.com>
Date: Fri, 11 Aug 2006 10:17:15 -0400
Authentication-results: rtp-dkim-2.cisco.com; header.From=jschnizl@cisco.com; dkim=pass ( sig from cisco.com verified; );
Cc: dhcwg at ietf.org
Dkim-signature: a=rsa-sha1; q=dns; l=2910; t=1155305842; x=1156169842; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jschnizl@cisco.com; z=From:John=20Schnizlein=20<jschnizl@cisco.com> |Subject:Re=3A=20[dhcwg]=20Question=20about=20RADIUS=20Attribute=20sub-option |To:Amy=20<zhaoyuping@huawei.com>; X=v=3Dcisco.com=3B=20h=3DNXvc/wR8/rgXhRF+9+76bWievcw=3D; b=whp2tBkxvfK7tbaulNZcZbK8U0G+JknNshJvo2Op7f7+ALno6PLiHgpDRk6EH/uI1wXrx1nG gW6kA+gWHb4TdZfUMvNqKwpkTuavnv+db6BhBmly/+belqPzTJXAwnuy;
In-reply-to: <001901c6bce7$7a634070$1b05a40a@china.huawei.com>
List-help: <mailto:dhcwg-request@ietf.org?subject=help>
List-id: dhcwg.ietf.org
List-post: <mailto:dhcwg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
References: <001901c6bce7$7a634070$1b05a40a@china.huawei.com>

On Aug 10, 2006, at 9:42 PM, Amy wrote:

I don' know if I catch your mean.

I don't pretend to understand why the RADIUS-doctors and the IESG were so concerned.

During the lifetime of a session, some of the RADIUS attributes are not stable. If we pass these attributes to DHCP Server, we must coordinate state information between a RADIUS Server and a DHCP server, and there is no such mechanism now.

Right?

I never heard the concern specified in as much detail as you have here - so not quite right.

Our goal was to enable the allocation of addresses and other host options to depend on the network access policy provided by RADIUS (even when PPP is not present to deliver this information to the host authorized for access. We thought it reasonable that administrative coordination of which RADIUS attributes would produce which DHCP options would be a matter of local policy, and had no constraints on what could be relayed. Despite the implication that the RADIUS protocol is stateless*, after the IETF last call, we were informed that the document that would become RFC 4014 would not advance until concerns of the RADIUS-doctors were resolved. The list that satisfied the RADIUS-doctors is what was included in RFC 4014.

John

* RFC 2865 page 11
   3. The stateless nature of this protocol simplifies the use of UDP.

From: John Schnizlein [mailto:jschnizl at cisco.com]
Sent: Wednesday, August 09, 2006 11:06 PM

All good questions.

This constraint was what the RADIUS-doctors and the IESG said
was appropriate.  The essential concern was to avoid having
to coordinate state information between a RADIUS server and a
DHCP server.

On Aug 9, 2006, at 1:46 AM, Amy wrote:


Hi,all
     I'm reading RFC4014, and I can not understand the following
sentences in Section 4: DHCP Relay Agent behavior

"To avoid dependencies between the address allocation and other state information between the RADIUS server and the DHCP server, the DHCP relay agent SHOULD include only the attributes in the table below in an instance of the RADIUS Attributes suboption."

  1) What does "other state information between the RADIUS
server and the DHCP Server" refer to?
  2) What does "the dependencies"' refer to?
  3) Why are the attributes that SHOULD include the RADIUS Attribute
sub-option confined to the attributes listed in the following table?

"           #   Attribute
         ---   ---------
           1   User-Name (RFC 2865 [3])
           6   Service-Type (RFC 2865)
          26   Vendor-Specific (RFC 2865)
          27   Session-Timeout (RFC 2865)
          88   Framed-Pool (RFC 2869)
         100   Framed-IPv6-Pool (RFC 3162 [7])
"


_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

References:
- RE: [dhcwg] Question about RADIUS Attribute sub-option
  - From: Amy

Prev by Date: Re: [dhcwg] New draft for leasequery extension
Next by Date: RE: [dhcwg] New draft for leasequery extension
Previous by thread: RE: [dhcwg] Question about RADIUS Attribute sub-option
Next by thread: [dhcwg] DHCPv6 Authentication
Index(es):
- Date
- Thread