RE: Choice of Data Model SMI vs XML vs. UML

From owner-aaa-bof@merit.edu Tue Jan 9 20:10:03 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id UAA23950 for ; Tue, 9 Jan 2001 20:10:03 -0500 (EST) Received: by segue.merit.edu (Postfix) id BC9E35DF84; Tue, 9 Jan 2001 19:49:25 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id CB2CE5DF85; Tue, 9 Jan 2001 19:31:12 -0500 (EST) Received: from aaa.interlinknetworks.com (interlink.merit.edu [198.108.95.110]) by segue.merit.edu (Postfix) with ESMTP id 03E225DEF2 for ; Tue, 9 Jan 2001 19:17:00 -0500 (EST) Received: from Interlinknetworks.com (unknown [198.108.5.3]) by aaa.interlinknetworks.com (Postfix) with ESMTP id 0496474; Tue, 9 Jan 2001 19:17:06 -0500 (EST) Message-ID: <3A5BAA1A.50A452C3@Interlinknetworks.com> Date: Tue, 09 Jan 2001 19:17:30 -0500 From: David Spence Organization: Interlink Networks, Inc. X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Juergen Schoenwaelder Cc: Erik.Guttman@germany.sun.com, aaa-wg@merit.edu Subject: Re: Choice of Data Model SMI vs XML vs. UML References: <200101091323.OAA20320@henkell.ibr.cs.tu-bs.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Juergen Schoenwaelder wrote: >... > >> David's proposal comes yet again from another different angle. Its > >> main background is the observation that AVP combinations that can > >> be meaningfully combined in a message are actually not well > >> defined. > > Erik> I do not know that this is a very big issue. If DIAMETER > Erik> command codes specify what MUST be there and how to interpret > Erik> it, other AVPs which are present should not prevent proper > Erik> interpretation of the command. > > Erik> We have been around this point a number of times - there are > Erik> good reasons to use the RADIUS approach as it is flexible: > Erik> Specify what is required, allow arbitrary ordering and > Erik> additional AVP message components. No one has argued for > Erik> removing this flexibility, though there has been discussion > Erik> about how this would facilitate a formal ABNF for the protocol. > > There are again two issues here. The first one is a protocol issue, > namely whether it is legal so ship additional AVPs with a message. > The second one is the question which set of AVPs actually consitute a > given message. Even the current specs use a kind of a BNF notation > trying to make that clear. But there are issues because the specs do > not really say what the semantics of the BNF notation are. >... It's actually worse than that. The presence of the BNF gives one the impression that the permissible contents of each message are specified. But the BNF is not complete. The BNF for both the AA-Request and AA-Answer messages in draft-calhoun-diameter-nasreq-05.txt contain the line: [] But the term is not expanded. The implication might be that any of the AVPs defined in section 6 would do. Section 6, however, is divided into subsections. Some of the subsections, such as section 6.2, "Framed Access Authorization AVPs", and section 6.3, "Non-Framed Access Authorization AVPs", can be inferred to be mutually exclusive, i.e., you would not expect to find an attribute defined in 6.2 and an attribute defined in 6.3 to appear in the same message. But the draft does not state that explicitly. Even if the draft were to state that explicitly, one might then assume that any of the attributes from section 6.2 could be meaningfully combined when providing a framed access service. What, then, would it mean if the Framed-IPX-Network and Framed-AppleTalk-Network AVPs were included in the same message? My problem with the BNF is that it appears to specify permissible messages but does not. RADIUS, at least, does not make that pretension. -- David Spence email: DSpence@Interlinknetworks.com Interlink Networks, Inc. phone: (734) 821-1203 775 Technology Drive, Suite 200 fax: (734) 821-1235 Ann Arbor, MI 48108 U.S.A. From owner-aaa-bof@merit.edu Tue Jan 9 20:25:00 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id UAA24146 for ; Tue, 9 Jan 2001 20:25:00 -0500 (EST) Received: by segue.merit.edu (Postfix) id BDB6B5DFBF; Tue, 9 Jan 2001 20:16:16 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id D18C65E0E5; Tue, 9 Jan 2001 20:03:07 -0500 (EST) Received: from aaa.interlinknetworks.com (interlink.merit.edu [198.108.95.110]) by segue.merit.edu (Postfix) with ESMTP id F41855E16D for ; Tue, 9 Jan 2001 19:48:44 -0500 (EST) Received: from Interlinknetworks.com (unknown [198.108.5.3]) by aaa.interlinknetworks.com (Postfix) with ESMTP id 0C3D574; Tue, 9 Jan 2001 19:48:52 -0500 (EST) Message-ID: <3A5BB18A.F2877B39@Interlinknetworks.com> Date: Tue, 09 Jan 2001 19:49:14 -0500 From: David Spence Organization: Interlink Networks, Inc. X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Erik Guttman Cc: Juergen Schoenwaelder , Pat.Calhoun@eng.sun.com, aaa-wg@merit.edu Subject: Re: Choice of Data Model SMI vs XML vs. UML References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Erik Guttman wrote: >... > Why can't we standarize DIAMETER (its current informal spec) and later > model it with SMIng? If we find errors in the spec, we can cycle > it in the standards process. I think this would be a useful endeavor. > Once SMIng notation is standardized, we could begin this process of > rewriting the DIAMETER specification with the goal of improving it. >... Question: What if the SMIng model were more restrictive than the original DIAMETER standard? In other words, what if the SMIng model prohibited message contents that the pre-SMIng DIAMETER standard allowed (but were either nonsensical or at least ambiguous) -- like including the Framed-IPX-Network and Framed-AppleTalk-Network AVPs in the same message? It would be good to avoid having to make incompatible changes like that. Would it make any sense to standardize part of DIAMETER now, like the base protocol and Mobile IP extensions, without data modeling, but delay standardizing the NASREQ extensions until the NASREQ data elements can be modeled? I'm thinking that with NASREQ, we have less time pressure (because of the existence of RADIUS), and so the successor to RADIUS should provide the best platform for future expansion that we can. It may be argued that the NASREQ application is simple enough that data modeling is unnecessary, but I fear that won't always be the case. You ought to be able to encompass more services in the future, such as DSL, broadband, and LAN access. Without data modeling, things are going to get really messy. -- David Spence email: DSpence@Interlinknetworks.com Interlink Networks, Inc. phone: (734) 821-1203 775 Technology Drive, Suite 200 fax: (734) 821-1235 Ann Arbor, MI 48108 U.S.A. From owner-aaa-bof@merit.edu Tue Jan 9 22:43:17 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id WAA26917 for ; Tue, 9 Jan 2001 22:43:17 -0500 (EST) Received: by segue.merit.edu (Postfix) id DDEA85DD91; Tue, 9 Jan 2001 22:43:01 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id C45345DE11; Tue, 9 Jan 2001 22:43:01 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id B10ED5DD91 for ; Tue, 9 Jan 2001 22:43:00 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id TAA24911; Tue, 9 Jan 2001 19:42:56 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id TAA12992; Tue, 9 Jan 2001 19:42:56 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id SAA09224; Tue, 9 Jan 2001 18:53:57 -0800 (PST) Date: Tue, 9 Jan 2001 18:50:21 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Re: Choice of Data Model SMI vs XML vs. UML To: David Spence Cc: Juergen Schoenwaelder , Erik.Guttman@germany.sun.com, aaa-wg@merit.edu In-Reply-To: "Your message with ID" <3A5BAA1A.50A452C3@Interlinknetworks.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk > What, then, > would it mean if the Framed-IPX-Network and Framed-AppleTalk-Network AVPs > were included in the same message? My problem with the BNF is that it > appears to specify permissible messages but does not. RADIUS, at least, > does not make that pretension. I actually do not see why one cannot run both IPX and Appletalk over the same PPP connection. Am I missing something fundamental? In any case, I do agree (and I don't think that anyone has argued this) that the BNF needs to change. However, how drastic must the change be? This is a real question, because if one was to attempt to define all possible combinations, the RFC would be ungodly long (perhaps as an appendix it would be ok). PatC From owner-aaa-bof@merit.edu Tue Jan 9 23:30:09 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id XAA27228 for ; Tue, 9 Jan 2001 23:30:09 -0500 (EST) Received: by segue.merit.edu (Postfix) id 50ADE5DE48; Tue, 9 Jan 2001 23:29:36 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id DF6D15DF81; Tue, 9 Jan 2001 23:28:35 -0500 (EST) Received: from franklin.cisco.com (franklin.cisco.com [171.70.156.17]) by segue.merit.edu (Postfix) with ESMTP id C339C5E1B4 for ; Tue, 9 Jan 2001 23:27:46 -0500 (EST) Received: from gwzpc ([10.64.194.1] (may be forged)) by franklin.cisco.com (8.8.6 (PHNE_17190)/CISCO.SERVER.1.2) with SMTP id UAA21758; Tue, 9 Jan 2001 20:26:58 -0800 (PST) Reply-To: From: "Glen Zorn" To: "David Spence" , "Erik Guttman" Cc: "Juergen Schoenwaelder" , , Subject: RE: Choice of Data Model SMI vs XML vs. UML Date: Tue, 9 Jan 2001 20:17:06 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <3A5BB18A.F2877B39@Interlinknetworks.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit David Spence [mailto:DSpence@Interlinknetworks.com] writes: > Erik Guttman wrote: > >... > > Why can't we standarize DIAMETER (its current informal spec) and later > > model it with SMIng? If we find errors in the spec, we can cycle > > it in the standards process. I think this would be a useful endeavor. > > Once SMIng notation is standardized, we could begin this process of > > rewriting the DIAMETER specification with the goal of improving it. > >... > > Question: What if the SMIng model were more restrictive than the original > DIAMETER standard? In other words, what if the SMIng model prohibited > message contents that the pre-SMIng DIAMETER standard allowed (but were > either nonsensical or at least ambiguous) -- like including the > Framed-IPX-Network and Framed-AppleTalk-Network AVPs in the same message? In this case, the model would be broken. AFAIK, it is neither nonsensical nor ambiguous to include both the Framed-IPX-Network and Framed-AppleTalk-Network AVPs in the same message, since PPP can carry both (and IP, too!) simultaneously. > It would be good to avoid having to make incompatible changes like that. Since the history of SNMP is one of incompatible changes, I fail to see why anything should change now ;-) > > Would it make any sense to standardize part of DIAMETER now, like the base > protocol and Mobile IP extensions, without data modeling, but delay > standardizing the NASREQ extensions until the NASREQ data elements can be > modeled? I'm thinking that with NASREQ, we have less time > pressure (because > of the existence of RADIUS), The reason for the inception of this effort (some 4 years ago) was the inadequacy of RADIUS. I can't see how the situation has improved. > and so the successor to RADIUS should provide > the best platform for future expansion that we can. It may be argued that > the NASREQ application is simple enough that data modeling is unnecessary, > but I fear that won't always be the case. You ought to be able > to encompass > more services in the future, such as DSL, broadband, and LAN access. In the future? RADIUS (or bizarre, usually proprietary, variants thereof) is being used for these things (and more) right now. > Without data modeling, things are going to get really messy. They already have, some time ago. We _do not_ need to spend another three years blathering about silver bullets. > > -- > David Spence email: > DSpence@Interlinknetworks.com > Interlink Networks, Inc. phone: (734) 821-1203 > 775 Technology Drive, Suite 200 fax: (734) 821-1235 > Ann Arbor, MI 48108 > U.S.A. > > From owner-aaa-bof@merit.edu Wed Jan 10 08:03:54 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id IAA15157 for ; Wed, 10 Jan 2001 08:03:54 -0500 (EST) Received: by segue.merit.edu (Postfix) id 109DC5DDAC; Wed, 10 Jan 2001 08:00:21 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id F01A25DDE8; Wed, 10 Jan 2001 08:00:20 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 43FBB5DDA6 for ; Wed, 10 Jan 2001 08:00:19 -0500 (EST) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id FAA04672; Wed, 10 Jan 2001 05:00:07 -0800 (PST) Received: from stag (d-ehdb03-142-95 [129.157.142.95]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v2.0) with SMTP id OAA23535; Wed, 10 Jan 2001 14:00:04 +0100 (MET) Message-ID: <00e201c07b04$8d162be0$5f8e9d81@stag.Germany.Sun.COM> From: "Erik Guttman" To: , "Randy Bush" Cc: "Erik Guttman" Subject: diameter grammar proposal Date: Wed, 10 Jan 2001 13:55:02 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.1 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Folks, I propose the following section be added to the DIAMETER base spec. This will allow us to specify DIAMETER in a more formal way. This is unfortunately not as formal as a BNF would be, but DIAMETER messages allow for arbitrary ordering of many elements. Still, we need to be able to specify that some elements may appear only once, and some have to appear in fixed positions. I believe this grammar suffices to do this. Please send comments. (Randy, does this hold water?) Erik --------------------------------------------------------------------- 1.3 Notation The DIAMETER protocol is composed of messages which have three components - a message header, a command code and a set of AVPs. Each message type is distinguished by a single command code. Command are specified using the following notation. Command-Code-Name ::= { qual AVP } qual [ qual AVP ] qual < AVP > The symbol # will be replaced by the command Id which is to be placed in the message header. The symbol AVP MAY be replaced by the names of any specific AVP. Elements surrounded by less than, greater than '<' and '>' are FIXED in sequence. For example, the DIAMETER header MUST precede all AVPs. Elements surrounded by set brackets '{' and '}' are REQUIRED to be present in the message. They MAY be in any order within the message provided they do not violate order imposed by message fixed elements in the grammar (which are defined between '<' and '>' brackets.) Elements surrounded by square brackets '[' and ']' are OPTIONAL. AVPs which are listed in this section MAY be included in the message, in any order, provided they do not violate order imposed by fixed message elements in the grammar. AVPs listed in FIXED or REQUIRED sections MUST NOT be considered OPTIONAL as well. An AVP required to appear once in one section MUST NOT, therefor, be included as the result of an 'OPTIONAL AVP' rule. The token 'qual' can be the following: omitted One instance of the following entry is required. '*' Zero or more instances of the following entry are required. '+' One or more of instances of the following entry are required. '?' Zero or one of instances of the following entry are required. Example-Command ::= { User-Name *Host-Name } * [ AVP ] ? < Integrity-Check-Vector > The command defined by the preceding grammar MUST begin with a DIAMETER header, with the command code Id set to 9999999. There follows a User-Name AVP, zero or more Host-Name AVPs and zero or more arbitrary other AVPs (but not User-Name, Host-Name or Integrity-Check-Vector AVPs). The REQUIRED and OPTIONAL AVPs can be permuted into any order, provided that none of them come before the Header. DIAMETER messages which violate the grammar defined for the command code are considered malformed and are rejected. See Section 5.0. From owner-aaa-bof@merit.edu Wed Jan 10 08:16:46 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id IAA15661 for ; Wed, 10 Jan 2001 08:16:45 -0500 (EST) Received: by segue.merit.edu (Postfix) id 6B4395DDA6; Wed, 10 Jan 2001 08:15:11 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 2BA635DDD0; Wed, 10 Jan 2001 08:15:11 -0500 (EST) Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by segue.merit.edu (Postfix) with ESMTP id D75765DDA6 for ; Wed, 10 Jan 2001 08:15:08 -0500 (EST) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id FAA14407; Wed, 10 Jan 2001 05:15:06 -0800 (PST) Received: from stag (d-ehdb03-142-95 [129.157.142.95]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v2.0) with SMTP id OAA22127; Wed, 10 Jan 2001 14:15:04 +0100 (MET) Message-ID: <011d01c07b06$a545a900$5f8e9d81@stag.Germany.Sun.COM> From: "Erik Guttman" To: , Subject: proposed new section for DIAMETER base specification Date: Wed, 10 Jan 2001 14:10:03 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.1 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit I am in the process of reworking the diameter specification according to proposals made in the AAA design team. I would like more feedback from implementors and working group participants about some of these changes, as they have received very little feedback. I believe we do not want to add requirements or change the protocol at this point unless there is strong support and a good reason for doing so. Please refer to draft-ietf-aaa-issues-04.txt, section 9.1 and draft-ietf-aaa-solutions-01.txt, section 9.1. The proposed changed text would define 3 flags for the diameter message header. ----------------------------------------------------------- Proposed change to section 2.1 Flags The Message Flags field is five bits, and is currently unused. This field MUST be initialized to zero. is replaced by -> The Message Flags field is five bits. The following bits are assigned: +---+---+---+---+---+ | z | z | E | I | R | +---+---+---+---+---+ 0x10 MUST be zero - this flag bit is reserved for future use. 0x08 MUST be zero - this flag bit is reserved for future use. 0x04 ('E' Expect Reply) The message solicits a response. 0x02 ('I' Interrogation) The message is a Query or a Reply. 0x01 ('R' Response) The message is a response another message. These flags are set depending on the command code used in a DIAMETER message. This enables the type of message to be interpreted, even if the specific command code is not recognized. Command Type Flags Set Indication - - - Request E - - Answer E - R Query E I - Reply E I R A DIAMETER node MUST NOT set these flags in any other combination. A DIAMETER node receiving a message in which these flags are not set appropriately SHOULD NOT reject the message for this reason, but MAY log the event for diagnosis. From owner-aaa-bof@merit.edu Wed Jan 10 09:24:21 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA17579 for ; Wed, 10 Jan 2001 09:24:21 -0500 (EST) Received: by segue.merit.edu (Postfix) id 6922D5DDEA; Wed, 10 Jan 2001 09:24:06 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 57D265DDE8; Wed, 10 Jan 2001 09:24:06 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 46A785DDC4 for ; Wed, 10 Jan 2001 09:24:05 -0500 (EST) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id GAA25508; Wed, 10 Jan 2001 06:24:01 -0800 (PST) Received: from stag (d-ehdb03-142-95 [129.157.142.95]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v2.0) with SMTP id PAA11339; Wed, 10 Jan 2001 15:23:54 +0100 (MET) Message-ID: <012b01c07b10$4314be60$5f8e9d81@stag.Germany.Sun.COM> From: "Erik Guttman" To: , Subject: data type modifications to DIAMETER Date: Wed, 10 Jan 2001 15:18:52 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.1 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit As proposed in draft-ietf-aaa-issues-04.txt and draft-ietf-aaa-solutions-01.txt section 9.2, I am revising the basic data types in DIAMETER. I do not list all the changes in this document - but the implications are the following. 1. Data type changes: Old type New type ------------ ------------- Address Address Data OctetString String OctetString Time Unsigned32 Integer32 Integer32 Integer64 Integer64 Complex Grouped Unsigned32 Unsigned64 Float32 Float64 Float128 2. Scalar quantities (Ids and so on from AVPs) had Integer32 type. Now they have Unsigned32 type. 3. String is now one interpretation of an OctetString. 4. Time is now one interpretation of an Unsigned32 value. 5. The biggest change is the elimination of the 'Complex' data type. Now all AVPs have an 'atomic' data type except for Grouped. Grouped takes as its value a list of AVPs which have to be included (AVP header and all) in exactly the sequence specified. Implications for DIAMETER implementations: The only real change is that Complex data types have been restructured. Code handling AVPs which were previously of type Complex will have to change. Code which handled the previous types will be easily mapped into the new data types (Integer32 -> Unsigned32, Time -> Unsigned32, String -> OctetString) There are some subtle range checking changes to be made (maybe) since scalars are now Unsigned32 where before they were Integer32. Rationale: See draft-ietf-aaa-issues-04.txt. In short, there were several problems with the basic types used by DIAMETER. (1) Some were interpretations (String and Time) not basic scalars. (2) Some were ambiguous (Integer32 used as an unsigned scalar). (3) Not including basic types (floats, mostly) makes future expansion hard. (4) The types specified were incompatible with SMI and SPPI data types. (5) The complex data type made it hard to create a general data model, easily automated parsers and general 'sniffers.' All AVPs should either have atomic values or a list of AVPs as their values. (6) The Grouped-AVP was unnecessarily complex. (7) Complex data types required a 'hack' for fixing the length of certain data fields (such as using 16 bytes for addresses where they could be 4 bytes long). This is no longer necessary. Erik From owner-aaa-bof@merit.edu Wed Jan 10 09:50:34 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA18288 for ; Wed, 10 Jan 2001 09:50:34 -0500 (EST) Received: by segue.merit.edu (Postfix) id 940985DDC4; Wed, 10 Jan 2001 09:49:12 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 7F5FB5DE19; Wed, 10 Jan 2001 09:49:12 -0500 (EST) Received: from newman.frascone.com (frascone.com [216.62.83.25]) by segue.merit.edu (Postfix) with SMTP id 2E5FC5DDC4 for ; Wed, 10 Jan 2001 09:49:11 -0500 (EST) Received: (qmail 24525 invoked by uid 500); 10 Jan 2001 14:50:23 -0000 Date: Wed, 10 Jan 2001 08:50:23 -0600 From: David Frascone To: Pat Calhoun Cc: aaa-wg@merit.edu Subject: Re: DISCUSSION REQUESTED: ADIF, Batching, M bit Message-ID: <20010110085023.H23197@newman.frascone.com> Mail-Followup-To: Pat Calhoun , aaa-wg@merit.edu References: <002101c078f3$54d67220$8a1b6e0a@arenanet.fi> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from Pat.Calhoun@Eng.Sun.COM on Tue, Jan 09, 2001 at 08:14:27AM -0800 X-encrypt-payload: no Sender: owner-aaa-bof@merit.edu Precedence: bulk > > However, I think that specifying a recommended XML or SMI format for the > accounting file that is written on the server MAY be a desirable goal. > Good idea! That way, the transport model is still clean, and we can also specify an XML model for the accounting records. I think this is the best of both worlds. -Dave From owner-aaa-bof@merit.edu Wed Jan 10 10:33:55 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA19356 for ; Wed, 10 Jan 2001 10:33:55 -0500 (EST) Received: by segue.merit.edu (Postfix) id 8BFA85DDF3; Wed, 10 Jan 2001 10:30:26 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 76EE05DDF6; Wed, 10 Jan 2001 10:30:26 -0500 (EST) Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by segue.merit.edu (Postfix) with ESMTP id 1BB605DDF3 for ; Wed, 10 Jan 2001 10:30:24 -0500 (EST) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id HAA28054; Wed, 10 Jan 2001 07:30:22 -0800 (PST) Received: from stag (d-ehdb03-142-95 [129.157.142.95]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v2.0) with SMTP id QAA19223; Wed, 10 Jan 2001 16:30:20 +0100 (MET) Message-ID: <015d01c07b19$8aa8efe0$5f8e9d81@stag.Germany.Sun.COM> From: "Erik Guttman" To: "David Frascone" , Cc: "Erik Guttman" Subject: Fw: diameter grammar proposal Date: Wed, 10 Jan 2001 16:25:17 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.1 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Dave, >My problem is: If you list all of the "optional" AVPs, then it seems like >if an AVP is received that is not on the "optional" list, it is an error. I >think listing optional AVPs is problematic. My solution to this problem is to allow the token 'AVP' to stand for *any* AVP. In the example: >> Example-Command ::= >> { User-Name *Host-Name } >> * [ AVP ] >> ? < Integrity-Check-Vector > >> >> The command defined by the preceding grammar MUST begin with a >> DIAMETER header, with the command code Id set to 9999999. There >> follows a User-Name AVP, zero or more Host-Name AVPs and zero or >> more arbitrary other AVPs (but not User-Name, Host-Name or >> Integrity-Check-Vector AVPs). Here 'AVP' could be anything (vendor specified or otherwise) BUT the requirement is that the optional AVP rule cannot include AVPs otherwise specified in REQUIRED or FIXED fields. That allows you to write rules for AVPs which can only occur once, or have to occur in a particular sequence. Erik From owner-aaa-bof@merit.edu Wed Jan 10 11:28:38 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA20627 for ; Wed, 10 Jan 2001 11:28:37 -0500 (EST) Received: by segue.merit.edu (Postfix) id E866E5DDF6; Wed, 10 Jan 2001 11:27:58 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id C58CF5DDF0; Wed, 10 Jan 2001 11:27:58 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 152B65DDF6 for ; Wed, 10 Jan 2001 11:27:57 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id IAA08559; Wed, 10 Jan 2001 08:27:55 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id IAA22942; Wed, 10 Jan 2001 08:27:53 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id IAA22696; Wed, 10 Jan 2001 08:16:28 -0800 (PST) Date: Wed, 10 Jan 2001 08:12:51 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Proposed change to DIAMETER header To: diameter@diameter.org, aaa-wg@merit.edu Cc: Pat.Calhoun@eng.sun.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk All, The method the protocol is currently specified, it requires that an implementation walk through each AVP, looking for the ICV AVP in order to perform the necessary replay and authentication checks. What this means is that there is a significant amount of work required to ensure that the packet is in fact authentic. This does not bode well for denial of service attacks. So I would like to propose adding the ICV-Offset to the DIAMETER header, as shown below: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |RADIUS PCC=254 | Flags | Ver | Message Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Command-Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor-ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ICV-Offset | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AVPs ... +-+-+-+-+-+-+-+-+-+-+-+-+- [...] [ed: and something like (actual words will change):] ICV-Offset The ICV-Offset contains the number of octets from the start of the DIAMETER header where the ICV AVP can be found. When the ICV is computed, this field MUST be set to zero. If no ICV was added to the packet, the value of the ICV-Offset field MUST be zero. The above change makes it MUCH easier for implementations to authenticate the packet before parsing through all AVPs in the message. Do people think this is a worthwhile change? I believe this will make the protocol less prone to denial of service attacks. Thanks, PatC From owner-aaa-bof@merit.edu Wed Jan 10 11:28:49 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA20648 for ; Wed, 10 Jan 2001 11:28:48 -0500 (EST) Received: by segue.merit.edu (Postfix) id A10005DE19; Wed, 10 Jan 2001 11:27:58 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 8E4175DE05; Wed, 10 Jan 2001 11:27:58 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id A32C65DDF0 for ; Wed, 10 Jan 2001 11:27:56 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id IAA08558 for ; Wed, 10 Jan 2001 08:27:54 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id IAA22946 for ; Wed, 10 Jan 2001 08:27:54 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id IAA22447 for ; Wed, 10 Jan 2001 08:05:43 -0800 (PST) Date: Wed, 10 Jan 2001 08:02:07 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: test To: aaa-wg@merit.edu Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk I think I've been dropped from the list, this is a test. PatC From owner-aaa-bof@merit.edu Wed Jan 10 11:28:58 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA20664 for ; Wed, 10 Jan 2001 11:28:58 -0500 (EST) Received: by segue.merit.edu (Postfix) id 66EB05DDF0; Wed, 10 Jan 2001 11:28:18 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 729555DE04; Wed, 10 Jan 2001 11:28:02 -0500 (EST) Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by segue.merit.edu (Postfix) with ESMTP id 16F9D5DE33 for ; Wed, 10 Jan 2001 11:27:58 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id IAA06943 for ; Wed, 10 Jan 2001 08:27:57 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id IAA22957; Wed, 10 Jan 2001 08:27:56 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id HAA21891; Wed, 10 Jan 2001 07:36:51 -0800 (PST) Date: Wed, 10 Jan 2001 07:33:15 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Re: diameter grammar proposal To: Erik Guttman Cc: pat.calhoun@eng.sun.com, aaa-wg@merit.edu In-Reply-To: "Your message with ID" <014a01c07b15$d64d6560$5f8e9d81@stag.Germany.Sun.COM> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk >I propose the following section be added to the DIAMETER base spec. >This will allow us to specify DIAMETER in a more formal way. This is >unfortunately not as formal as a BNF would be, but DIAMETER messages >allow for arbitrary ordering of many elements. Still, we need to >be able to specify that some elements may appear only once, and some >have to appear in fixed positions. I believe this grammar suffices >to do this. Please send comments. Here are my two cents. I actually really like Erik's proposal. For the most part, the dictionary and how messages are defined in the protocol specs are two separate issues, and I am not sure why we've decided to combine the two. The proposal below is much richer than today's spec, since it allows DIAMETER to defined the message set, while providing information on the number of AVPs that may (or MUST) be present in the message. This type of information is present in RADIUS, and is really lacking in DIAMETER. So here is my proposal. Come out with draft-ietf-aaa-diameter-*00.txt as a WG work item, with the proposed grammar below. Have the WG work out the details of data model, and consider whether the message definition in the specs must follow the accepted grammar. If need be, updated the spoecs as *01.txt. The reason why I want this done is that there is a bakeoff coming up in 1.5 months, and some of us really want specs to write against. As you know, the grammar used does not affect the on-the-wire protocol, so this does not affect the bakeoff. Comments? PatC > >(Randy, does this hold water?) > >Erik >--------------------------------------------------------------------- > >1.3 Notation > > The DIAMETER protocol is composed of messages which have three > components - a message header, a command code and a set of AVPs. > Each message type is distinguished by a single command code. > Command are specified using the following notation. > > Command-Code-Name ::= > { qual AVP } > qual [ qual AVP ] > qual < AVP > > > The symbol # will be replaced by the command Id which is to be > placed in the message header. The symbol AVP MAY be replaced > by the names of any specific AVP. > > Elements surrounded by less than, greater than '<' and '>' are > FIXED in sequence. For example, the DIAMETER header MUST > precede all AVPs. > > Elements surrounded by set brackets '{' and '}' are REQUIRED > to be present in the message. They MAY be in any order within > the message provided they do not violate order imposed by message > fixed elements in the grammar (which are defined between '<' > and '>' brackets.) > > Elements surrounded by square brackets '[' and ']' are OPTIONAL. > AVPs which are listed in this section MAY be included in the > message, in any order, provided they do not violate order imposed > by fixed message elements in the grammar. AVPs listed in FIXED > or REQUIRED sections MUST NOT be considered OPTIONAL as well. > An AVP required to appear once in one section MUST NOT, therefor, > be included as the result of an 'OPTIONAL AVP' rule. > > The token 'qual' can be the following: > > omitted One instance of the following entry is required. > '*' Zero or more instances of the following entry are > required. > '+' One or more of instances of the following entry > are required. > '?' Zero or one of instances of the following entry > are required. > > Example-Command ::= > { User-Name *Host-Name } > * [ AVP ] > ? < Integrity-Check-Vector > > > The command defined by the preceding grammar MUST begin with a > DIAMETER header, with the command code Id set to 9999999. There > follows a User-Name AVP, zero or more Host-Name AVPs and zero or > more arbitrary other AVPs (but not User-Name, Host-Name or > Integrity-Check-Vector AVPs). The REQUIRED and OPTIONAL AVPs > can be permuted into any order, provided that none of them come > before the Header. > > DIAMETER messages which violate the grammar defined for the > command code are considered malformed and are rejected. See > Section 5.0. From owner-aaa-bof@merit.edu Wed Jan 10 11:48:50 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA21090 for ; Wed, 10 Jan 2001 11:48:48 -0500 (EST) Received: by segue.merit.edu (Postfix) id 817C55DE03; Wed, 10 Jan 2001 11:45:39 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 6B1465DE1D; Wed, 10 Jan 2001 11:45:39 -0500 (EST) Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by segue.merit.edu (Postfix) with ESMTP id 2776D5DE03 for ; Wed, 10 Jan 2001 11:45:38 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id IAA19440; Wed, 10 Jan 2001 08:45:37 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id IAA26813; Wed, 10 Jan 2001 08:45:37 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id IAA23376; Wed, 10 Jan 2001 08:45:35 -0800 (PST) Date: Wed, 10 Jan 2001 08:41:58 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Section 2.2.5 To: aaa-wg@merit.edu, diameter@diameter.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk Does anyone see why section 2.2.5 (tandard DIAMETER Extension AVPs)needs to be in the base protocol? It is problematic, since if some of the extensions do not go through IESG at the same time, the base protocol *could* become obsolete. Anyone object to my removing it? PatC From owner-aaa-bof@merit.edu Wed Jan 10 12:43:06 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA22250 for ; Wed, 10 Jan 2001 12:43:05 -0500 (EST) Received: by segue.merit.edu (Postfix) id A63815DE0A; Wed, 10 Jan 2001 12:42:35 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 967555DE04; Wed, 10 Jan 2001 12:42:35 -0500 (EST) Received: from aaa.interlinknetworks.com (interlink.merit.edu [198.108.95.110]) by segue.merit.edu (Postfix) with ESMTP id BCB495DDFD for ; Wed, 10 Jan 2001 12:42:34 -0500 (EST) Received: from Interlinknetworks.com (unknown [198.108.5.3]) by aaa.interlinknetworks.com (Postfix) with ESMTP id C14E073; Wed, 10 Jan 2001 12:42:41 -0500 (EST) Message-ID: <3A5C9F2B.5A969021@Interlinknetworks.com> Date: Wed, 10 Jan 2001 12:43:07 -0500 From: David Spence Organization: Interlink Networks, Inc. X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Pat Calhoun Cc: Juergen Schoenwaelder , Erik.Guttman@germany.sun.com, aaa-wg@merit.edu Subject: Re: Choice of Data Model SMI vs XML vs. UML References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Pat Calhoun wrote: > > > What, then, > > would it mean if the Framed-IPX-Network and Framed-AppleTalk-Network AVPs > > were included in the same message? My problem with the BNF is that it > > appears to specify permissible messages but does not. RADIUS, at least, > > does not make that pretension. > > I actually do not see why one cannot run both IPX and Appletalk over the same > PPP connection. Am I missing something fundamental? >... Well, of course, you're right. But in some ways it underlines the problem, namely, that there isn't any model that says one way or the other. -- David Spence email: DSpence@Interlinknetworks.com Interlink Networks, Inc. phone: (734) 821-1203 775 Technology Drive, Suite 200 fax: (734) 821-1235 Ann Arbor, MI 48108 U.S.A. From owner-aaa-bof@merit.edu Wed Jan 10 12:56:30 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA22444 for ; Wed, 10 Jan 2001 12:56:30 -0500 (EST) Received: by segue.merit.edu (Postfix) id 016125DE29; Wed, 10 Jan 2001 12:56:12 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id DF0FF5DE51; Wed, 10 Jan 2001 12:56:11 -0500 (EST) Received: from aaa.interlinknetworks.com (interlink.merit.edu [198.108.95.110]) by segue.merit.edu (Postfix) with ESMTP id 0F4015DE29 for ; Wed, 10 Jan 2001 12:56:11 -0500 (EST) Received: from Interlinknetworks.com (unknown [198.108.5.3]) by aaa.interlinknetworks.com (Postfix) with ESMTP id B9C3A73; Wed, 10 Jan 2001 12:56:17 -0500 (EST) Message-ID: <3A5CA25B.97E37802@Interlinknetworks.com> Date: Wed, 10 Jan 2001 12:56:43 -0500 From: David Spence Organization: Interlink Networks, Inc. X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: gwz@cisco.com Cc: Erik Guttman , Juergen Schoenwaelder , Pat.Calhoun@eng.sun.com, aaa-wg@merit.edu Subject: Re: Choice of Data Model SMI vs XML vs. UML References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Glen Zorn wrote: >... > > and so the successor to RADIUS should provide > > the best platform for future expansion that we can. It may be argued that > > the NASREQ application is simple enough that data modeling is unnecessary, > > but I fear that won't always be the case. You ought to be able > > to encompass > > more services in the future, such as DSL, broadband, and LAN access. > > In the future? RADIUS (or bizarre, usually proprietary, variants thereof) > is being used for these things (and more) right now. Precisely! But not in a standard way. And while it isn't in our charter to standardize those things now, we are creating the framework within which future standardization will proceed. The point was that the supposed simplicity of RADIUS cannot be used as an argument that data modeling is not necessary. > > > Without data modeling, things are going to get really messy. > > They already have, some time ago. We _do not_ need to spend another three > years blathering about silver bullets. Agreed. >... -- David Spence email: DSpence@Interlinknetworks.com Interlink Networks, Inc. phone: (734) 821-1203 775 Technology Drive, Suite 200 fax: (734) 821-1235 Ann Arbor, MI 48108 U.S.A. From owner-aaa-bof@merit.edu Wed Jan 10 12:57:49 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA22498 for ; Wed, 10 Jan 2001 12:57:49 -0500 (EST) Received: by segue.merit.edu (Postfix) id 2279A5DE5B; Wed, 10 Jan 2001 12:57:35 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 108C95DE51; Wed, 10 Jan 2001 12:57:35 -0500 (EST) Received: from localhost.ipunplugged.com (unknown [195.42.212.161]) by segue.merit.edu (Postfix) with ESMTP id 8BBB85DE16 for ; Wed, 10 Jan 2001 12:57:33 -0500 (EST) Received: from fredrikj (c8.local.ipunplugged.com [192.168.4.207]) by localhost.ipunplugged.com (8.9.3/8.9.3) with SMTP id SAA07513; Wed, 10 Jan 2001 18:58:30 +0100 From: "Fredrik Johansson" To: "Pat Calhoun" , , Subject: RE: Section 2.2.5 Date: Wed, 10 Jan 2001 18:59:58 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit I agree, remove it or perhaps leave something like. 2.2.5 Additional DIAMETER Extension AVPs Additional AVPs may be defined in other DIAMETER Extensions. These may be Extension specific or may add some additional feature to the DIAMETER protocol as a whole. However these are not mandatory for the proper hanling of the base protocol. For more information see respective DIAMETER Extension document. /Fredrik >-----Original Message----- >From: owner-aaa-bof@merit.edu [mailto:owner-aaa-bof@merit.edu]On Behalf >Of Pat Calhoun >Sent: den 10 januari 2001 17:42 >To: aaa-wg@merit.edu; diameter@diameter.org >Subject: Section 2.2.5 > > >Does anyone see why section 2.2.5 (tandard DIAMETER Extension >AVPs)needs to be >in the base protocol? It is problematic, since if some of the extensions do >not go through IESG at the same time, the base protocol *could* become >obsolete. > >Anyone object to my removing it? > >PatC > From owner-aaa-bof@merit.edu Wed Jan 10 13:04:08 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA22645 for ; Wed, 10 Jan 2001 13:04:08 -0500 (EST) Received: by segue.merit.edu (Postfix) id 4D9755DE1A; Wed, 10 Jan 2001 13:01:41 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 39E525DE16; Wed, 10 Jan 2001 13:01:41 -0500 (EST) Received: from cisco.com (titans.cisco.com [161.44.216.10]) by segue.merit.edu (Postfix) with ESMTP id 157055DE1A for ; Wed, 10 Jan 2001 13:01:39 -0500 (EST) Received: from titans.cisco.com (titans.cisco.com [161.44.216.10]) by cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id NAA07632; Wed, 10 Jan 2001 13:01:06 -0500 (EST) Date: Wed, 10 Jan 2001 13:01:06 -0500 (EST) From: Mark Eklund To: Erik Guttman Cc: aaa-wg@merit.edu, Randy Bush Subject: Re: diameter grammar proposal In-Reply-To: <00e201c07b04$8d162be0$5f8e9d81@stag.Germany.Sun.COM> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk A few questions/comments. 1. I am used to seeing qualifiers after the argument like in regular expressions. For example Host-Name* instead of *Host-Name. This is a personal preference. 2. Why do you need the optional brackets [] when you have the '*' and '?' operators. I.E. what is the difference in *[Host-Name] and *Host-Name? 3. Do you plan to define Grouped-AVP in the specifications? -mark On Wed, 10 Jan 2001, Erik Guttman wrote: > > > Folks, > > I propose the following section be added to the DIAMETER base spec. > This will allow us to specify DIAMETER in a more formal way. This is > unfortunately not as formal as a BNF would be, but DIAMETER messages > allow for arbitrary ordering of many elements. Still, we need to > be able to specify that some elements may appear only once, and some > have to appear in fixed positions. I believe this grammar suffices > to do this. Please send comments. > > (Randy, does this hold water?) > > Erik > --------------------------------------------------------------------- > > 1.3 Notation > > The DIAMETER protocol is composed of messages which have three > components - a message header, a command code and a set of AVPs. > Each message type is distinguished by a single command code. > Command are specified using the following notation. > > Command-Code-Name ::= > { qual AVP } > qual [ qual AVP ] > qual < AVP > > > The symbol # will be replaced by the command Id which is to be > placed in the message header. The symbol AVP MAY be replaced > by the names of any specific AVP. > > Elements surrounded by less than, greater than '<' and '>' are > FIXED in sequence. For example, the DIAMETER header MUST > precede all AVPs. > > Elements surrounded by set brackets '{' and '}' are REQUIRED > to be present in the message. They MAY be in any order within > the message provided they do not violate order imposed by message > fixed elements in the grammar (which are defined between '<' > and '>' brackets.) > > Elements surrounded by square brackets '[' and ']' are OPTIONAL. > AVPs which are listed in this section MAY be included in the > message, in any order, provided they do not violate order imposed > by fixed message elements in the grammar. AVPs listed in FIXED > or REQUIRED sections MUST NOT be considered OPTIONAL as well. > An AVP required to appear once in one section MUST NOT, therefor, > be included as the result of an 'OPTIONAL AVP' rule. > > The token 'qual' can be the following: > > omitted One instance of the following entry is required. > '*' Zero or more instances of the following entry are > required. > '+' One or more of instances of the following entry > are required. > '?' Zero or one of instances of the following entry > are required. > > Example-Command ::= > { User-Name *Host-Name } > * [ AVP ] > ? < Integrity-Check-Vector > > > The command defined by the preceding grammar MUST begin with a > DIAMETER header, with the command code Id set to 9999999. There > follows a User-Name AVP, zero or more Host-Name AVPs and zero or > more arbitrary other AVPs (but not User-Name, Host-Name or > Integrity-Check-Vector AVPs). The REQUIRED and OPTIONAL AVPs > can be permuted into any order, provided that none of them come > before the Header. > > DIAMETER messages which violate the grammar defined for the > command code are considered malformed and are rejected. See > Section 5.0. > > > > > > From owner-aaa-bof@merit.edu Wed Jan 10 13:08:34 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA22700 for ; Wed, 10 Jan 2001 13:08:34 -0500 (EST) Received: by segue.merit.edu (Postfix) id A19595DE04; Wed, 10 Jan 2001 13:08:12 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 8FBEC5DDFD; Wed, 10 Jan 2001 13:08:12 -0500 (EST) Received: from imr1.ericy.com (imr1.ericy.com [208.237.135.240]) by segue.merit.edu (Postfix) with ESMTP id 3CA995DDA5 for ; Wed, 10 Jan 2001 13:08:11 -0500 (EST) Received: from mr5.exu.ericsson.se. (mr5u3.ericy.com [208.237.135.124]) by imr1.ericy.com (8.10.2/8.10.2) with ESMTP id f0AI88K09847; Wed, 10 Jan 2001 12:08:08 -0600 (CST) Received: from newman.exu.ericsson.se (newman.exu.ericsson.se [138.85.75.179]) by mr5.exu.ericsson.se. (8.10.2/8.10.2) with ESMTP id f0AI4jC25355; Wed, 10 Jan 2001 12:04:45 -0600 (CST) Received: from qpop.exu.ericsson.se (qpop [138.85.1.15]) by newman.exu.ericsson.se (8.7.5/8.7.3) with ESMTP id MAA20579; Wed, 10 Jan 2001 12:08:07 -0600 (CST) Received: from kev (busam66.berkeley.us.am.ericsson.se [138.85.159.216]) by qpop.exu.ericsson.se (8.9.1/8.9.1) with SMTP id MAA07119; Wed, 10 Jan 2001 12:08:04 -0600 (CST) Message-ID: <002501c07b30$452d0980$91aea8c0@erilab.com> From: "Kevin Purser" To: "Erik Guttman" , , References: <011d01c07b06$a545a900$5f8e9d81@stag.Germany.Sun.COM> Subject: Re: proposed new section for DIAMETER base specification Date: Wed, 10 Jan 2001 10:07:59 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Hi Erik/All, Just a quick comment... (inline) > > 0x10 MUST be zero - this flag bit is reserved for future use. > 0x08 MUST be zero - this flag bit is reserved for future use. > 0x04 ('E' Expect Reply) The message solicits a response. > 0x02 ('I' Interrogation) The message is a Query or a Reply. > 0x01 ('R' Response) The message is a response another message. > > These flags are set depending on the command code used in a > DIAMETER message. This enables the type of message to be > interpreted, even if the specific command code is not recognized. > > Command Type Flags Set > Indication - - - > Request E - - > Answer E - R > Query E I - > Reply E I R > It seems a bit odd to set the "Expect Reply" bit in a Reply message, and probably an Answer message as well, since neither of which directly solicit a Reply. > A DIAMETER node MUST NOT set these flags in any other combination. > A DIAMETER node receiving a message in which these flags are not > set appropriately SHOULD NOT reject the message for this reason, > but MAY log the event for diagnosis. > > > From owner-aaa-bof@merit.edu Wed Jan 10 13:56:26 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA24246 for ; Wed, 10 Jan 2001 13:56:26 -0500 (EST) Received: by segue.merit.edu (Postfix) id D32F95DE11; Wed, 10 Jan 2001 13:56:07 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id C3A615DE00; Wed, 10 Jan 2001 13:56:07 -0500 (EST) Received: from mail01.bridgewatersystems.com (mail01.bridgewatersystems.com [216.113.7.9]) by segue.merit.edu (Postfix) with ESMTP id ACE3C5DDFF for ; Wed, 10 Jan 2001 13:56:06 -0500 (EST) Received: from kansparc099.bridgewatersys.com (cactusgw.bridgewatersys.com [216.113.7.2]) by mail01.bridgewatersystems.com (8.9.3/8.9.3) with ESMTP id OAA08397; Wed, 10 Jan 2001 14:51:56 -0500 Received: from mjones (mjones.bridgewatersys.com [192.168.150.32]) by kansparc099.bridgewatersys.com (8.9.3+Sun/8.9.1) with SMTP id NAA15824; Wed, 10 Jan 2001 13:56:24 -0500 (EST) From: "Mark Jones" To: "Erik Guttman" , Subject: RE: diameter grammar proposal Date: Wed, 10 Jan 2001 14:03:05 -0500 Message-ID: <008a01c07b37$f6836d80$2096a8c0@bridgewatersys.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <00e201c07b04$8d162be0$5f8e9d81@stag.Germany.Sun.COM> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Erik, Aren't the {} and [] brackets redundant given the 'qual' token definitions? i.e. '*' = Zero or more instances MAY be present in the packet = OPTIONAL AVP '+' = At least one instance MUST be present in the packet = MANDATORY AVP '?' = Zero or one instances MAY be present in the packet = OPTIONAL AVP omitted = Exactly one instance MUST be present in the packet = MANDATORY AVP Regards, Mark > -----Original Message----- > From: owner-aaa-bof@merit.edu [mailto:owner-aaa-bof@merit.edu]On Behalf > Of Erik Guttman > Sent: January 10, 2001 7:55 AM > To: aaa-wg@merit.edu; Randy Bush > Cc: Erik Guttman > Subject: diameter grammar proposal > > > > > Folks, > > I propose the following section be added to the DIAMETER base spec. > This will allow us to specify DIAMETER in a more formal way. This is > unfortunately not as formal as a BNF would be, but DIAMETER messages > allow for arbitrary ordering of many elements. Still, we need to > be able to specify that some elements may appear only once, and some > have to appear in fixed positions. I believe this grammar suffices > to do this. Please send comments. > > (Randy, does this hold water?) > > Erik > --------------------------------------------------------------------- > > 1.3 Notation > > The DIAMETER protocol is composed of messages which have three > components - a message header, a command code and a set of AVPs. > Each message type is distinguished by a single command code. > Command are specified using the following notation. > > Command-Code-Name ::= > { qual AVP } > qual [ qual AVP ] > qual < AVP > > > The symbol # will be replaced by the command Id which is to be > placed in the message header. The symbol AVP MAY be replaced > by the names of any specific AVP. > > Elements surrounded by less than, greater than '<' and '>' are > FIXED in sequence. For example, the DIAMETER header MUST > precede all AVPs. > > Elements surrounded by set brackets '{' and '}' are REQUIRED > to be present in the message. They MAY be in any order within > the message provided they do not violate order imposed by message > fixed elements in the grammar (which are defined between '<' > and '>' brackets.) > > Elements surrounded by square brackets '[' and ']' are OPTIONAL. > AVPs which are listed in this section MAY be included in the > message, in any order, provided they do not violate order imposed > by fixed message elements in the grammar. AVPs listed in FIXED > or REQUIRED sections MUST NOT be considered OPTIONAL as well. > An AVP required to appear once in one section MUST NOT, therefor, > be included as the result of an 'OPTIONAL AVP' rule. > > The token 'qual' can be the following: > > omitted One instance of the following entry is required. > '*' Zero or more instances of the following entry are > required. > '+' One or more of instances of the following entry > are required. > '?' Zero or one of instances of the following entry > are required. > > Example-Command ::= > { User-Name *Host-Name } > * [ AVP ] > ? < Integrity-Check-Vector > > > The command defined by the preceding grammar MUST begin with a > DIAMETER header, with the command code Id set to 9999999. There > follows a User-Name AVP, zero or more Host-Name AVPs and zero or > more arbitrary other AVPs (but not User-Name, Host-Name or > Integrity-Check-Vector AVPs). The REQUIRED and OPTIONAL AVPs > can be permuted into any order, provided that none of them come > before the Header. > > DIAMETER messages which violate the grammar defined for the > command code are considered malformed and are rejected. See > Section 5.0. > > > > > > From owner-aaa-bof@merit.edu Wed Jan 10 16:35:31 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id QAA27664 for ; Wed, 10 Jan 2001 16:35:30 -0500 (EST) Received: by segue.merit.edu (Postfix) id D299E5DE24; Wed, 10 Jan 2001 16:34:16 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id C116B5DE05; Wed, 10 Jan 2001 16:34:16 -0500 (EST) Received: from mail01.bridgewatersystems.com (mail01.bridgewatersystems.com [216.113.7.9]) by segue.merit.edu (Postfix) with ESMTP id F084A5DDFF for ; Wed, 10 Jan 2001 16:34:14 -0500 (EST) Received: from kansparc099.bridgewatersys.com (cactusgw.bridgewatersys.com [216.113.7.2]) by mail01.bridgewatersystems.com (8.9.3/8.9.3) with ESMTP id RAA09668; Wed, 10 Jan 2001 17:29:39 -0500 Received: from mjones (mjones.bridgewatersys.com [192.168.150.32]) by kansparc099.bridgewatersys.com (8.9.3+Sun/8.9.1) with SMTP id QAA19531; Wed, 10 Jan 2001 16:34:08 -0500 (EST) From: "Mark Jones" To: , Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) Date: Wed, 10 Jan 2001 16:40:48 -0500 Message-ID: <008f01c07b4d$ff21d740$2096a8c0@bridgewatersys.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit In DIAMETER, the IPv4 and IPv6 addresses are collapsed into the single Address datatype where the actual IP version is determined from the length. The RADIUS and IPv6 draft (draft-aboba-radius-ipv6-04.txt) appears to take a different approach by using separate AVPs for IPv4 and IPv6 addresses, e.g. Login-IP-Host and Login-IPv6-Host. I was considering whether the DIAMETER approach could also applied in RADIUSv6 since a common approach would simplify the RADIUS-DIAMETER gateway implementation. The RADIUSv6 draft does state that IPv4 and IPv6 attributes MAY be included in the same RADIUS message and the NAS will decide which attributes to use. However, I see no reason why a DIAMETER or RADIUS packet could not contain two instances of the same address AVP: one IPv4 and one IPv6 address. The NAS could still use the same logic to decide which attributes to use for the session. Are there any other issues that would prevent a common approach? Regards, Mark > -----Original Message----- > From: owner-diameter@diameter.org [mailto:owner-diameter@diameter.org]On > Behalf Of Pat Calhoun > Sent: January 10, 2001 9:44 AM > To: diameter@diameter.org > Subject: [diameter] data type modifications to DIAMETER (Fwd) > > > FYI > >----------------Begin Forwarded Message----------------< > > Date: Wed, 10 Jan 2001 15:18:52 +0100 > From: "Erik Guttman" > Subject: data type modifications to DIAMETER > To: diameter@diameter.org, aaa-wg@merit.edu > > > As proposed in draft-ietf-aaa-issues-04.txt and > draft-ietf-aaa-solutions-01.txt section 9.2, I am > revising the basic data types in DIAMETER. > > I do not list all the changes in this document - > but the implications are the following. > > 1. Data type changes: > > Old type New type > ------------ ------------- > Address Address > Data OctetString > String OctetString > Time Unsigned32 > Integer32 Integer32 > Integer64 Integer64 > Complex Grouped > Unsigned32 > Unsigned64 > Float32 > Float64 > Float128 > > 2. Scalar quantities (Ids and so on from AVPs) had Integer32 type. > Now they have Unsigned32 type. > > 3. String is now one interpretation of an OctetString. > > 4. Time is now one interpretation of an Unsigned32 value. > > 5. The biggest change is the elimination of the 'Complex' data > type. Now all AVPs have an 'atomic' data type except for > Grouped. Grouped takes as its value a list of AVPs which > have to be included (AVP header and all) in exactly the > sequence specified. > > Implications for DIAMETER implementations: > > The only real change is that Complex data types have been > restructured. Code handling AVPs which were previously of > type Complex will have to change. > > Code which handled the previous types will be easily mapped > into the new data types (Integer32 -> Unsigned32, Time -> > Unsigned32, String -> OctetString) There are some subtle > range checking changes to be made (maybe) since scalars are now > Unsigned32 where before they were Integer32. > > Rationale: > > See draft-ietf-aaa-issues-04.txt. In short, there were several > problems with the basic types used by DIAMETER. (1) Some were > interpretations (String and Time) not basic scalars. (2) Some > were ambiguous (Integer32 used as an unsigned scalar). (3) Not > including basic types (floats, mostly) makes future expansion > hard. (4) The types specified were incompatible with SMI and > SPPI data types. (5) The complex data type made it hard to > create a general data model, easily automated parsers and > general 'sniffers.' All AVPs should either have atomic values > or a list of AVPs as their values. (6) The Grouped-AVP was > unnecessarily complex. (7) Complex data types required a 'hack' > for fixing the length of certain data fields (such as using 16 > bytes for addresses where they could be 4 bytes long). This is > no longer necessary. > > Erik > > > > >----------------End Forwarded Message----------------< > > From owner-aaa-bof@merit.edu Wed Jan 10 16:39:22 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id QAA27722 for ; Wed, 10 Jan 2001 16:39:21 -0500 (EST) Received: by segue.merit.edu (Postfix) id B6BA45DE14; Wed, 10 Jan 2001 16:39:06 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id A5DE85DE05; Wed, 10 Jan 2001 16:39:06 -0500 (EST) Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by segue.merit.edu (Postfix) with ESMTP id 580D85DDFF for ; Wed, 10 Jan 2001 16:39:05 -0500 (EST) Received: from engmail2.Eng.Sun.COM ([129.146.1.25]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id NAA25339; Wed, 10 Jan 2001 13:38:58 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail2.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id NAA22011; Wed, 10 Jan 2001 13:38:57 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id NAA00826; Wed, 10 Jan 2001 13:38:55 -0800 (PST) Date: Wed, 10 Jan 2001 13:35:19 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) To: Mark Jones Cc: aaa-wg@merit.edu, diameter@diameter.org In-Reply-To: "Your message with ID" <008f01c07b4d$ff21d740$2096a8c0@bridgewatersys.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk I think that the orignal intent of having a dual purpose AVP was to reduce the number of AVPs that would have to be defined. Furthermore, the Implementation Guidelines, which describes the protocol gateway stuff, would have to include text that describes what to do if an IPv4 was found, as opposed to an IPv6 address. Are there any others that have any concerns with the dual purpose AVP approach? PatC From owner-aaa-bof@merit.edu Wed Jan 10 16:55:12 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id QAA28096 for ; Wed, 10 Jan 2001 16:55:12 -0500 (EST) Received: by segue.merit.edu (Postfix) id A2B665DE1C; Wed, 10 Jan 2001 16:54:44 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 84DD45DE16; Wed, 10 Jan 2001 16:54:44 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id BD2E15DE05 for ; Wed, 10 Jan 2001 16:54:42 -0500 (EST) Received: from engmail2.Eng.Sun.COM ([129.146.1.25]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id NAA27484; Wed, 10 Jan 2001 13:54:40 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail2.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id NAA27098; Wed, 10 Jan 2001 13:54:37 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id NAA01183; Wed, 10 Jan 2001 13:54:35 -0800 (PST) Date: Wed, 10 Jan 2001 13:50:59 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Re: proposed new section for DIAMETER base specification To: aaa-wg@merit.edu, diameter@diameter.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk > > It seems a bit odd to set the "Expect Reply" bit in a Reply message, and > probably an Answer message as well, since neither of which directly solicit > a Reply. Agreed, and the text would actually look like: ---- [...] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |RADIUS PCC=254 |r r E I R| Ver | Message Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ [...] Flags The Message Flags field is five bits. The following bits are assigned: r(eserved) MUST be zero - this flag bit is reserved for future use. E(xpected Reply) - The message solicits a response. I(nterrogation) - The message is a Query or a Reply. R(esponse) - The message is a response another message. These flags are set depending on the command code used in a DIAMETER message. This enables the type of message to be interpreted, even if the specific command code is not recognized. Command Type Flags Set Indication - - - Request E - - Answer - - R Query E I - Reply - I R A DIAMETER node MUST NOT set these flags in any other combination. A DIAMETER node receiving a message in which these flags are not set appropriately SHOULD NOT reject the message for this reason, but MAY log the event for diagnosis. ---- Any objections? This text was in the solutions I-D (or similar text), and no objections were received. Further, I think that this information is VERY important for proxies, since they need to know when a message is a request or a response (especially important when they do not support the extension, but still wish to route the message). Of course, there is also the question of removing the PCC or not. PatC From owner-aaa-bof@merit.edu Wed Jan 10 16:55:23 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id QAA28134 for ; Wed, 10 Jan 2001 16:55:22 -0500 (EST) Received: by segue.merit.edu (Postfix) id C3DA65DDFF; Wed, 10 Jan 2001 16:54:46 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 89A665DE2F; Wed, 10 Jan 2001 16:54:46 -0500 (EST) Received: from mail01.bridgewatersystems.com (mail01.bridgewatersystems.com [216.113.7.9]) by segue.merit.edu (Postfix) with ESMTP id 3BC6E5DDFF for ; Wed, 10 Jan 2001 16:54:42 -0500 (EST) Received: from kansparc099.bridgewatersys.com (cactusgw.bridgewatersys.com [216.113.7.2]) by mail01.bridgewatersystems.com (8.9.3/8.9.3) with ESMTP id RAA09797; Wed, 10 Jan 2001 17:50:14 -0500 Received: from mjones (mjones.bridgewatersys.com [192.168.150.32]) by kansparc099.bridgewatersys.com (8.9.3+Sun/8.9.1) with SMTP id QAA19930; Wed, 10 Jan 2001 16:54:43 -0500 (EST) From: "Mark Jones" To: "Pat Calhoun" Cc: , Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) Date: Wed, 10 Jan 2001 17:01:24 -0500 Message-ID: <009201c07b50$df796950$2096a8c0@bridgewatersys.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Pat, I understand the rationale of the dual purpose AVP and have no concerns about its use in DIAMETER. I was just suggesting that we consider using the same approach in RADIUSv6 to simplify the gateway implementation. Regards, Mark > -----Original Message----- > From: owner-aaa-bof@merit.edu [mailto:owner-aaa-bof@merit.edu]On Behalf > Of Pat Calhoun > Sent: January 10, 2001 4:35 PM > To: Mark Jones > Cc: aaa-wg@merit.edu; diameter@diameter.org > Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) > > > I think that the orignal intent of having a dual purpose AVP was > to reduce the > number of AVPs that would have to be defined. Furthermore, the > Implementation > Guidelines, which describes the protocol gateway stuff, would > have to include > text that describes what to do if an IPv4 was found, as opposed to an IPv6 > address. > > Are there any others that have any concerns with the dual purpose > AVP approach? > PatC > > > From owner-aaa-bof@merit.edu Wed Jan 10 16:57:22 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id QAA28435 for ; Wed, 10 Jan 2001 16:57:22 -0500 (EST) Received: by segue.merit.edu (Postfix) id D9A815DE1D; Wed, 10 Jan 2001 16:57:06 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id C83085DE16; Wed, 10 Jan 2001 16:57:06 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 7DE725DE05 for ; Wed, 10 Jan 2001 16:57:05 -0500 (EST) Received: from engmail2.Eng.Sun.COM ([129.146.1.25]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id NAA28407; Wed, 10 Jan 2001 13:56:53 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail2.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id NAA27801; Wed, 10 Jan 2001 13:56:48 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id NAA01237; Wed, 10 Jan 2001 13:56:46 -0800 (PST) Date: Wed, 10 Jan 2001 13:53:08 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) To: Mark Jones Cc: Pat Calhoun , aaa-wg@merit.edu, diameter@diameter.org In-Reply-To: "Your message with ID" <009201c07b50$df796950$2096a8c0@bridgewatersys.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk Oh, I see. You were questioning whether RADIUSv6 should change. That may be harder to do, unless these new attributes have a new type, perhaps Dual-Address, instead of Address. PatC > Pat, > > I understand the rationale of the dual purpose AVP and have no concerns > about its use in DIAMETER. I was just suggesting that we consider using the > same approach in RADIUSv6 to simplify the gateway implementation. > > Regards, > Mark > > > -----Original Message----- > > From: owner-aaa-bof@merit.edu [mailto:owner-aaa-bof@merit.edu]On Behalf > > Of Pat Calhoun > > Sent: January 10, 2001 4:35 PM > > To: Mark Jones > > Cc: aaa-wg@merit.edu; diameter@diameter.org > > Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) > > > > > > I think that the orignal intent of having a dual purpose AVP was > > to reduce the > > number of AVPs that would have to be defined. Furthermore, the > > Implementation > > Guidelines, which describes the protocol gateway stuff, would > > have to include > > text that describes what to do if an IPv4 was found, as opposed to an IPv6 > > address. > > > > Are there any others that have any concerns with the dual purpose > > AVP approach? > > PatC > > > > > > > From owner-aaa-bof@merit.edu Wed Jan 10 17:04:41 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA28616 for ; Wed, 10 Jan 2001 17:04:40 -0500 (EST) Received: by segue.merit.edu (Postfix) id E61575DEA1; Wed, 10 Jan 2001 17:03:33 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id D44145DE9E; Wed, 10 Jan 2001 17:03:33 -0500 (EST) Received: from newman.frascone.com (frascone.com [216.62.83.25]) by segue.merit.edu (Postfix) with SMTP id 8A2C85DE47 for ; Wed, 10 Jan 2001 17:03:32 -0500 (EST) Received: (qmail 27395 invoked by uid 500); 10 Jan 2001 22:04:49 -0000 Date: Wed, 10 Jan 2001 16:04:49 -0600 From: David Frascone To: Pat Calhoun Cc: aaa-wg@merit.edu, diameter@diameter.org Subject: Re: proposed new section for DIAMETER base specification Message-ID: <20010110160449.H26737@newman.frascone.com> Mail-Followup-To: Pat Calhoun , aaa-wg@merit.edu, diameter@diameter.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from Pat.Calhoun@Eng.Sun.COM on Wed, Jan 10, 2001 at 01:50:59PM -0800 X-encrypt-payload: no Sender: owner-aaa-bof@merit.edu Precedence: bulk I don't see any need for the PCC now that Diameter is *not* running over UDP. > Of course, there is also the question of removing the PCC or not. From owner-aaa-bof@merit.edu Wed Jan 10 18:18:51 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id SAA03887 for ; Wed, 10 Jan 2001 18:18:50 -0500 (EST) Received: by segue.merit.edu (Postfix) id 262025DDE6; Wed, 10 Jan 2001 18:16:17 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 11D525DE25; Wed, 10 Jan 2001 18:16:17 -0500 (EST) Received: from mail01.bridgewatersystems.com (mail01.bridgewatersystems.com [216.113.7.9]) by segue.merit.edu (Postfix) with ESMTP id 4647D5DDE6 for ; Wed, 10 Jan 2001 18:16:15 -0500 (EST) Received: from kansparc099.bridgewatersys.com (cactusgw.bridgewatersys.com [216.113.7.2]) by mail01.bridgewatersystems.com (8.9.3/8.9.3) with ESMTP id TAA10357; Wed, 10 Jan 2001 19:12:02 -0500 Received: from mjones (mjones.bridgewatersys.com [192.168.150.32]) by kansparc099.bridgewatersys.com (8.9.3+Sun/8.9.1) with SMTP id SAA01579; Wed, 10 Jan 2001 18:16:31 -0500 (EST) From: "Mark Jones" To: "Pat Calhoun" Cc: , Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) Date: Wed, 10 Jan 2001 18:23:12 -0500 Message-ID: <009901c07b5c$4cc5e820$2096a8c0@bridgewatersys.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Pat, > Oh, I see. You were questioning whether RADIUSv6 should change. > That may be harder to do, unless these new attributes have a new type, > perhaps Dual-Address, instead of Address. > Would new RADIUS attributes for IPv6 addresses still be required if RADIUSv6 were to adopt the dual purpose AVP approach? If, as suggested by the RADIUSv6 spec, the RADIUS packet contained both IPv4 and IPv6 AVPs, the NAS can still distinguish the IPv4/IPv6 addresses by their length and so can choose the appropriate instance of the address AVP depending on whether its client is IPv4 or IPv6. If there is not a common approach to IPv4/IPv6 address encoding, the DIAMETER-RADIUS gateway must translate, for example, a DIAMETER Login-IP-Host AVP to a RADIUS Login-IP-Host or Login-IPv6-Host AVP depending on its length. Not complex. Just tedious. Regards, Mark From owner-aaa-bof@merit.edu Wed Jan 10 18:49:03 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id SAA04810 for ; Wed, 10 Jan 2001 18:49:02 -0500 (EST) Received: by segue.merit.edu (Postfix) id 6A8325DE2B; Wed, 10 Jan 2001 18:47:07 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 593CF5DE25; Wed, 10 Jan 2001 18:47:07 -0500 (EST) Received: from mail01.bridgewatersystems.com (mail01.bridgewatersystems.com [216.113.7.9]) by segue.merit.edu (Postfix) with ESMTP id 78FC55DE00 for ; Wed, 10 Jan 2001 18:47:05 -0500 (EST) Received: from kansparc099.bridgewatersys.com (cactusgw.bridgewatersys.com [216.113.7.2]) by mail01.bridgewatersystems.com (8.9.3/8.9.3) with ESMTP id TAA10504 for ; Wed, 10 Jan 2001 19:42:55 -0500 Received: from mjones (mjones.bridgewatersys.com [192.168.150.32]) by kansparc099.bridgewatersys.com (8.9.3+Sun/8.9.1) with SMTP id SAA01888 for ; Wed, 10 Jan 2001 18:47:24 -0500 (EST) From: "Mark Jones" To: Subject: RE: [diameter] RE: diameter grammar proposal Date: Wed, 10 Jan 2001 18:54:04 -0500 Message-ID: <009f01c07b60$9d22e300$2096a8c0@bridgewatersys.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Pat, > If we were to make the above changes, would you object to this > ABNF format in the -00 spec? > No objections here. As you point out, the bake-off is coming up fast so lets go with this for the -00 spec. Regards, Mark From owner-aaa-bof@merit.edu Wed Jan 10 19:11:09 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id TAA05477 for ; Wed, 10 Jan 2001 19:11:09 -0500 (EST) Received: by segue.merit.edu (Postfix) id 88D2C5DE16; Wed, 10 Jan 2001 19:10:37 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 61A1E5DE05; Wed, 10 Jan 2001 19:10:37 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 1A24A5DE16 for ; Wed, 10 Jan 2001 19:10:36 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id QAA17820; Wed, 10 Jan 2001 16:10:33 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id QAA07484; Wed, 10 Jan 2001 16:10:33 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id QAA04507; Wed, 10 Jan 2001 16:10:24 -0800 (PST) Date: Wed, 10 Jan 2001 16:06:47 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) To: Mark Jones Cc: Pat Calhoun , aaa-wg@merit.edu, diameter@diameter.org In-Reply-To: "Your message with ID" <009901c07b5c$4cc5e820$2096a8c0@bridgewatersys.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk > Would new RADIUS attributes for IPv6 addresses still be required if RADIUSv6 > were to adopt the dual purpose AVP approach? If, as suggested by the > RADIUSv6 spec, the RADIUS packet contained both IPv4 and IPv6 AVPs, the NAS > can still distinguish the IPv4/IPv6 addresses by their length and so can > choose the appropriate instance of the address AVP depending on whether its > client is IPv4 or IPv6. > > If there is not a common approach to IPv4/IPv6 address encoding, the > DIAMETER-RADIUS gateway must translate, for example, a DIAMETER > Login-IP-Host AVP to a RADIUS Login-IP-Host or Login-IPv6-Host AVP depending > on its length. Not complex. Just tedious. But how would you deal with backward compatibility? This seems especially important given that in a roaming network, you never know whether the home, or the NAS, support v6. PatC From owner-aaa-bof@merit.edu Wed Jan 10 19:49:52 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id TAA07753 for ; Wed, 10 Jan 2001 19:49:52 -0500 (EST) Received: by segue.merit.edu (Postfix) id 123475DE51; Wed, 10 Jan 2001 19:47:25 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id F0A125DE4B; Wed, 10 Jan 2001 19:47:24 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id D80515DDE8 for ; Wed, 10 Jan 2001 19:47:23 -0500 (EST) Received: from engmail2.Eng.Sun.COM ([129.146.1.25]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id QAA26409; Wed, 10 Jan 2001 16:47:22 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail2.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id QAA17473; Wed, 10 Jan 2001 16:47:22 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id QAA05621; Wed, 10 Jan 2001 16:47:20 -0800 (PST) Date: Wed, 10 Jan 2001 16:43:43 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: The Identifier field To: aaa-wg@merit.edu, diameter@diameter.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk [ed: I hate this cross-posting, but it seems necessary :(] Tony brought up a question some time ago as to the usefulness of the Identifier field. I believe that no justification was provided at the time for the existence of the field. In the process of editing the base protocol, it came to me the reason why such a field may be required. Assume for a moment that we are a NAS, and that two authorization messages are sent for the same user (let's assume for the moment that these are for different services). When either of the responses are received, how would the NAS know to match request and the response. The obvious answer is to require that the NAS walk through the whole message, looking for clues (e.g. service type). This is rather cumbersome. The Identifier field DOES provide such a hint. However, we need to make sure that the Identifier field IS NOT modified in transit towards the home server (as it is done in RADIUS), because there really is no need to do so, and it does complicate the protocol. So I propose keeping the Identifier field, but adding text that it is ONLY of use to the initiator of a request to match up the response. Does this make sense? PatC From owner-aaa-bof@merit.edu Wed Jan 10 20:00:15 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id UAA07891 for ; Wed, 10 Jan 2001 20:00:15 -0500 (EST) Received: by segue.merit.edu (Postfix) id 713625DE4B; Wed, 10 Jan 2001 19:59:50 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 4F80F5DE55; Wed, 10 Jan 2001 19:59:50 -0500 (EST) Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by segue.merit.edu (Postfix) with ESMTP id 0DCA85DE4B for ; Wed, 10 Jan 2001 19:59:49 -0500 (EST) Received: from engmail2.Eng.Sun.COM ([129.146.1.25]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id QAA10546; Wed, 10 Jan 2001 16:59:48 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail2.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id QAA19879; Wed, 10 Jan 2001 16:59:47 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id QAA05879; Wed, 10 Jan 2001 16:59:45 -0800 (PST) Date: Wed, 10 Jan 2001 16:56:08 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Capabilities Negotiation and proxies To: aaa-wg@merit.edu, diameter@diameter.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk All, As discussed a few days ago, a proxy MAY wish to proxy ANY type of message, regardless of the extension. Therefore, the current text in the base protocol does not allow this behavior since it would require that proxies advertise ALL possible extensions. Therefore, I am proposing adding the last paragraph to section 2.5.3. Furthermore, I believe that ALL messages MUST include the extension ID of the particular message. The reason being that a proxy would need to identify a server in the home domain that can handle the message, but it may not recognize the command. Comments? Objections? Proposed Text? PatC 2.5.3 Extension-Id AVP The Extension-Id AVP (AVP Code 258) is of type Unsigned32 and is used in order to identify a specific DIAMETER extension. This AVP is used in the Device-Reboot-Ind message in order to inform the peer what extensions are locally supported. The Extension-Id MUST also be present in all messages that are defined in a separate DIAMETER specification and have an Extension ID assigned. Each DIAMETER extension draft MUST have an IANA assigned extension Idenfier (see section 8.3). The base protocol does not require an Extension-Id since its support is mandatory. There MAY be more than one Extension-Id AVP within a DIAMETER Device-Reboot-Ind message. The following values are recognized: NASREQ 1 [7] Strong Security 2 [11] Resource Management 3 [29] Mobile-IP 4 [10] Accounting 5 [15] Furthermore, servers acting as Redirect or Proxy servers (see Section 6.0) MAY wish to advertise support for ALL possible extensions. Such servers are then responsible for finding a downstream server that supports the extension of a particular message. This is done by including the Extension-Id AVP with a value of zero (0). From owner-aaa-bof@merit.edu Wed Jan 10 20:12:57 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id UAA08137 for ; Wed, 10 Jan 2001 20:12:57 -0500 (EST) Received: by segue.merit.edu (Postfix) id 77A8D5DE25; Wed, 10 Jan 2001 20:12:41 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 67A405DE05; Wed, 10 Jan 2001 20:12:41 -0500 (EST) Received: from imr1.ericy.com (imr1.ericy.com [208.237.135.240]) by segue.merit.edu (Postfix) with ESMTP id 247675DDE8 for ; Wed, 10 Jan 2001 20:12:40 -0500 (EST) Received: from mr4u3.ericy.com (mr4u3.ericy.com [208.237.135.127]) by imr1.ericy.com (8.10.2/8.10.2) with ESMTP id f0B1BfK24495; Wed, 10 Jan 2001 19:11:41 -0600 (CST) Received: from newman.exu.ericsson.se (newman.exu.ericsson.se [138.85.75.179]) by mr4u3.ericy.com (8.10.2/8.10.2) with ESMTP id f0B1BfU01659; Wed, 10 Jan 2001 19:11:41 -0600 (CST) Received: from qpop.exu.ericsson.se (qpop [138.85.1.15]) by newman.exu.ericsson.se (8.7.5/8.7.3) with ESMTP id TAA10813; Wed, 10 Jan 2001 19:11:41 -0600 (CST) Received: from ericsson.com (busam50.berkeley.us.am.ericsson.se [138.85.159.200]) by qpop.exu.ericsson.se (8.9.1/8.9.1) with ESMTP id TAA16150; Wed, 10 Jan 2001 19:11:38 -0600 (CST) Message-ID: <3A5D0286.327AA826@ericsson.com> Date: Wed, 10 Jan 2001 16:47:02 -0800 From: Tony Johansson Organization: Ericsson Inc X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Pat Calhoun Cc: aaa-wg@merit.edu, diameter@diameter.org Subject: Re: The Identifier field References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Good point and I think this make sense to keep the Identifier field as state below. BR, /Tony Pat Calhoun wrote: > [ed: I hate this cross-posting, but it seems necessary :(] > > Tony brought up a question some time ago as to the usefulness of the > Identifier field. I believe that no justification was provided at the time for > the existence of the field. In the process of editing the base protocol, it > came to me the reason why such a field may be required. > > Assume for a moment that we are a NAS, and that two authorization messages are > sent for the same user (let's assume for the moment that these are for > different services). When either of the responses are received, how would the > NAS know to match request and the response. The obvious answer is to require > that the NAS walk through the whole message, looking for clues (e.g. service > type). This is rather cumbersome. > > The Identifier field DOES provide such a hint. However, we need to make sure > that the Identifier field IS NOT modified in transit towards the home server > (as it is done in RADIUS), because there really is no need to do so, and it > does complicate the protocol. > > So I propose keeping the Identifier field, but adding text that it is ONLY of > use to the initiator of a request to match up the response. > > Does this make sense? > > PatC From owner-aaa-bof@merit.edu Wed Jan 10 21:01:51 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id VAA09216 for ; Wed, 10 Jan 2001 21:01:51 -0500 (EST) Received: by segue.merit.edu (Postfix) id 22A455DDA8; Wed, 10 Jan 2001 21:00:12 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id DF7155DE05; Wed, 10 Jan 2001 21:00:11 -0500 (EST) Received: from mgw-x1.nokia.com (mgw-x1.nokia.com [131.228.20.21]) by segue.merit.edu (Postfix) with ESMTP id 64C1C5DDA8 for ; Wed, 10 Jan 2001 21:00:08 -0500 (EST) Received: from esvir03nok.nokia.com (esvir03nokt.ntc.nokia.com [172.21.143.35]) by mgw-x1.nokia.com (Switch-2.1.0/Switch-2.1.0) with ESMTP id f0B1xt313997 for ; Thu, 11 Jan 2001 03:59:55 +0200 (EET) Received: from esebh11nok.ntc.nokia.com (unverified) by esvir03nok.nokia.com (Content Technologies SMTPRS 4.1.2) with ESMTP id ; Thu, 11 Jan 2001 04:00:06 +0200 Received: by esebh11nok with Internet Mail Service (5.5.2652.78) id ; Thu, 11 Jan 2001 04:00:06 +0200 Message-ID: From: Dongfeng.Jing@nokia.com To: Pat.Calhoun@Eng.Sun.COM, aaa-wg@merit.edu, diameter@diameter.org Subject: RE: [diameter] Capabilities Negotiation and proxies Date: Thu, 11 Jan 2001 03:54:44 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2652.78) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-aaa-bof@merit.edu Precedence: bulk why the value of Extension_ID can not use a bit of that Unsigned32. for example : NASREQ 1 Strong Security 2 Resource Management 4 Mobile-IP 8 Accounting 16 dongfeng.jing > -----Original Message----- > From: ext Pat Calhoun [mailto:Pat.Calhoun@Eng.Sun.COM] > Sent: 11. January 2001 8:56 > To: aaa-wg@merit.edu; diameter@diameter.org > Subject: [diameter] Capabilities Negotiation and proxies > > > All, > > As discussed a few days ago, a proxy MAY wish to proxy ANY > type of message, > regardless of the extension. Therefore, the current text in > the base protocol > does not allow this behavior since it would require that > proxies advertise ALL > possible extensions. > > Therefore, I am proposing adding the last paragraph to section 2.5.3. > Furthermore, I believe that ALL messages MUST include the > extension ID of the > particular message. The reason being that a proxy would need > to identify a > server in the home domain that can handle the message, but it > may not recognize > the command. > > Comments? Objections? Proposed Text? > > PatC > > 2.5.3 Extension-Id AVP > > The Extension-Id AVP (AVP Code 258) is of type Unsigned32 > and is used > in order to identify a specific DIAMETER extension. This > AVP is used > in the Device-Reboot-Ind message in order to inform the peer what > extensions are locally supported. The Extension-Id MUST > also be present > in all messages that are defined in a separate DIAMETER > specification > and have an Extension ID assigned. > > Each DIAMETER extension draft MUST have an IANA assigned extension > Idenfier (see section 8.3). The base protocol does not require an > Extension-Id since its support is mandatory. > > There MAY be more than one Extension-Id AVP within a DIAMETER > Device-Reboot-Ind message. The following values are recognized: > > NASREQ 1 [7] > Strong Security 2 [11] > Resource Management 3 [29] > Mobile-IP 4 [10] > Accounting 5 [15] > > Furthermore, servers acting as Redirect or Proxy servers (see > Section 6.0) MAY wish to advertise support for ALL possible > extensions. Such servers are then responsible for finding a > downstream server that supports the extension of a particular > message. This is done by including the Extension-Id AVP with a > value of zero (0). > From owner-aaa-bof@merit.edu Thu Jan 11 05:11:13 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id FAA28149 for ; Thu, 11 Jan 2001 05:11:13 -0500 (EST) Received: by segue.merit.edu (Postfix) id 50C0D5DD8C; Thu, 11 Jan 2001 05:10:37 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 31DC35DE0B; Thu, 11 Jan 2001 05:10:37 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id BF6EA5DD8C for ; Thu, 11 Jan 2001 05:10:35 -0500 (EST) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id CAA26364; Thu, 11 Jan 2001 02:10:31 -0800 (PST) Received: from vayne (muc-isdn-11 [129.157.164.111]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v2.0) with SMTP id LAA07341; Thu, 11 Jan 2001 11:10:28 +0100 (MET) Date: Thu, 11 Jan 2001 11:20:56 +0100 (MET) From: Erik Guttman Reply-To: Erik Guttman Subject: Re: diameter grammar proposal To: Mark Eklund Cc: Erik Guttman , aaa-wg@merit.edu, Randy Bush In-Reply-To: "Your message with ID" Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk Mark, Thanks for your questions, they helped me see where my grammar proposal was weak. I attempt to strengthen it below. Please let me know if this answers your question and meets our needs. > 1. I am used to seeing qualifiers after the argument like in > regular expressions. For example Host-Name* instead of > *Host-Name. This is a personal preference. The *, ? and + are in the spirit of ABNF (see RFC 2234) rather than as glob or regular expressions. They precede the grammar element they qualify. > 2. Why do you need the optional brackets [] when you have the > '*' and '?' operators. I.E. what is the difference in > *[Host-Name] and *Host-Name? The grammar conventions I proposed were not formally specified. That made it confusing, as you point out. How about the following ABNF for all diameter message definitions: command-def = command-name "::=" diameter-message diameter-name = ALPHA *(ALPHA / DIGIT / "-") command-name = diameter-name ; The command-name has to be Command name, defined in ; the base or exteneded DIAMETER specifications. diameter-message = header [ *fixed] [ *required] [ *optional] [ *fixed] header = "" fixed = [qual] "<" avp-spec ">" required = [qual] "{" avp-spec "}" optional = [qual] "[" avp-name "]" ; The avp-name in the 'optional' rule cannot evaluate ; to any AVP Name which is included in a fixed or ; required rule. qual = [min] "*" [max] ; Rather than the confusing '?', '+' and '*' ; use ABNF conventions, RFC 2234 section 3.6. ; ; NOTE: "[" and "]" have a different meaning than ; in ABNF (see the optional rule, above). These ; braces cannot be used to express an optional fixed ; rules (such as an optional ICV at the end.) To do ; this, the convention is '0*1fixed'. min = 1*DIGIT ; The minimum number of times the element may be ; present. max = 1*DIGIT ; The maximum number of times the element may be ; present. avp-spec = diameter-name ; The avp-spec has to be an AVP Name, defined in the ; base or extended DIAMETER specifications. avp-name = avp-spec | "AVP" ; The string "AVP" stands for *any* arbitrary AVP Name. This is more restricted than the grammar I described (but did not specify) in my previous email. (1) You can only put fixed rules at the beginning or end of the message. This limits the possible command grammars you can produce, but I think this is OK. (2) You can only specify one AVP per fixed, required or optional rule, where I indicated you could have any number AVPs in them. This will make the grammar specifications more verbose. (3) Since you only have one AVP per rule, you only need the 'qual' outside the braces, which eliminates the ambiguity of my initial proposal (where you could ask "Where do you put the qual? What is the meaning of putting it one place instead of the other? What does it mean if you put it in both places? etc.) The revised 'example' would look like: Example-Command ::= { User-Name } *{ Host-Name } *[ AVP ] 0*1< Integrity-Check-Vector > The command defined by the preceding grammar MUST begin with a DIAMETER header, with the command code Id set to 9999999. There follows a User-Name AVP, zero or more Host-Name AVPs and zero or more arbitrary other AVPs (but not User-Name, Host-Name or Integrity-Check-Vector AVPs). The REQUIRED and OPTIONAL AVPs can be permuted into any order, provided that none of them come before the Header or after the Integrity-Check Vector. > 3. Do you plan to define Grouped-AVP in the specifications? No - Grouped-AVP is going away, to be replaced by a Grouped value. Other email on this was sent to the list with the subject "data type modifications to DIAMETER" Erik ._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._. E r i k G u t t m a n SHORT msgs: 01728655497@d2-message.de Sr Staff Engineer, Sun Microsystems Email: erik.guttman@sun.com Eichhoelzelstr. 7, 74915 Waibstadt Germany Phone: +49 172 865 5497 From owner-aaa-bof@merit.edu Thu Jan 11 05:11:23 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id FAA28166 for ; Thu, 11 Jan 2001 05:11:23 -0500 (EST) Received: by segue.merit.edu (Postfix) id C62405DE49; Thu, 11 Jan 2001 05:10:41 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 95D485DE4A; Thu, 11 Jan 2001 05:10:41 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id BA4005DE49 for ; Thu, 11 Jan 2001 05:10:37 -0500 (EST) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id CAA26382; Thu, 11 Jan 2001 02:10:35 -0800 (PST) Received: from vayne (muc-isdn-11 [129.157.164.111]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v2.0) with SMTP id LAA07751; Thu, 11 Jan 2001 11:10:32 +0100 (MET) Date: Thu, 11 Jan 2001 11:20:59 +0100 (MET) From: Erik Guttman Reply-To: Erik Guttman Subject: RE: diameter grammar proposal To: Mark Jones Cc: Erik Guttman , aaa-wg@merit.edu In-Reply-To: "Your message with ID" <008a01c07b37$f6836d80$2096a8c0@bridgewatersys.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk Mark, > Aren't the {} and [] brackets redundant given the 'qual' token definitions? > > i.e. > '*' = Zero or more instances MAY be present in the packet = OPTIONAL AVP > '+' = At least one instance MUST be present in the packet = MANDATORY AVP > '?' = Zero or one instances MAY be present in the packet = OPTIONAL AVP > omitted = Exactly one instance MUST be present in the packet = MANDATORY > AVP First - I suggest we get rid of the '+' and '?' qualifiers - they only confuse the issue. I suggest a grammar without them in a separate message sent to the list. Regarding the use of {} and [] for required and optional definitions: It is important to distinguish between AVPs required by a command and those which are optional. For those that are required, we want to say how many have to be there. For those that are optional, we want to leave things open. BUT we have to be sure that by leaving things open we don't allow the 'optional' rules to collide with the 'required' rules. Say you MUST have one and only one 'Foo-AVP' in command X, and there is an option rule, for sticking in any arbitrary AVP. You could evaluate that rule to allow N additional 'Foo-AVP's in the command X message. That is why I want to separate optional and required AVPs in the message specifications. This does NOT directly relate to the use of the term 'Mandatory' in DIAMETER. Mandatory means the 'M' bit is set - which has consequences if the receiver of a message doesn't have the ability to interpret the AVP with the 'M' bit set. This discussion has been pursued in other threads. Erik ._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._. E r i k G u t t m a n SHORT msgs: 01728655497@d2-message.de Sr Staff Engineer, Sun Microsystems Email: erik.guttman@sun.com Eichhoelzelstr. 7, 74915 Waibstadt Germany Phone: +49 172 865 5497 From owner-aaa-bof@merit.edu Thu Jan 11 09:19:47 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA01620 for ; Thu, 11 Jan 2001 09:19:47 -0500 (EST) Received: by segue.merit.edu (Postfix) id E998E5DDE3; Thu, 11 Jan 2001 09:19:11 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id CF38C5DDB7; Thu, 11 Jan 2001 09:19:11 -0500 (EST) Received: from mx.databus.com (p101-44.acedsl.com [160.79.101.44]) by segue.merit.edu (Postfix) with ESMTP id 2A2705DD90 for ; Thu, 11 Jan 2001 09:19:10 -0500 (EST) Received: (from barney@localhost) by mx.databus.com (8.11.1/8.11.1) id f0BEJ3p79067; Thu, 11 Jan 2001 09:19:03 -0500 (EST) (envelope-from barney) Date: Thu, 11 Jan 2001 09:19:03 -0500 From: Barney Wolff To: Pat Calhoun Cc: aaa-wg@merit.edu, diameter@diameter.org Subject: Re: The Identifier field Message-ID: <20010111091903.A78837@mx.databus.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from Pat.Calhoun@Eng.Sun.COM on Wed, Jan 10, 2001 at 04:43:43PM -0800 Sender: owner-aaa-bof@merit.edu Precedence: bulk Pat, in RADIUS the id comes back to the originator of a request, and whether it's modified between proxies is not visible to the requester. Why would you want to impose further requirements above that? To be sure, a stateless proxy would have to keep the id unchanged, because it won't notice when the response comes back, but a stateful proxy will, and can therefore obey the requirement while still generating a useful id of its own. You can argue that Proxy-State provides the same opportunity for fast lookup, but the AVP is not in a fixed position, while the id is part of the header. The justification of the field is that it allows the receiver of a response to do an efficient lookup of its request state. That motive stays the same for DIAMETER, and helps proxies as well as NAS's - but only if the proxy can set the id. I see no benefit to disallowing that. There's already an unmodifiable AVP for session-id, and we don't need two. Barney On Wed, Jan 10, 2001 at 04:43:43PM -0800, Pat Calhoun wrote: > [ed: I hate this cross-posting, but it seems necessary :(] > > Tony brought up a question some time ago as to the usefulness of the > Identifier field. I believe that no justification was provided at the time for > the existence of the field. In the process of editing the base protocol, it > came to me the reason why such a field may be required. > > Assume for a moment that we are a NAS, and that two authorization messages are > sent for the same user (let's assume for the moment that these are for > different services). When either of the responses are received, how would the > NAS know to match request and the response. The obvious answer is to require > that the NAS walk through the whole message, looking for clues (e.g. service > type). This is rather cumbersome. > > The Identifier field DOES provide such a hint. However, we need to make sure > that the Identifier field IS NOT modified in transit towards the home server > (as it is done in RADIUS), because there really is no need to do so, and it > does complicate the protocol. > > So I propose keeping the Identifier field, but adding text that it is ONLY of > use to the initiator of a request to match up the response. > > Does this make sense? > > PatC > > From owner-aaa-bof@merit.edu Thu Jan 11 10:23:26 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA03445 for ; Thu, 11 Jan 2001 10:23:26 -0500 (EST) Received: by segue.merit.edu (Postfix) id DDFEB5DE28; Thu, 11 Jan 2001 10:23:10 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id CAD075DE41; Thu, 11 Jan 2001 10:23:10 -0500 (EST) Received: from mail01.bridgewatersystems.com (mail01.bridgewatersystems.com [216.113.7.9]) by segue.merit.edu (Postfix) with ESMTP id 4BCE95DE28 for ; Thu, 11 Jan 2001 10:23:09 -0500 (EST) Received: from kansparc099.bridgewatersys.com (cactusgw.bridgewatersys.com [216.113.7.2]) by mail01.bridgewatersystems.com (8.9.3/8.9.3) with ESMTP id LAA13411; Thu, 11 Jan 2001 11:18:59 -0500 Received: from mjones (mjones.bridgewatersys.com [192.168.150.32]) by kansparc099.bridgewatersys.com (8.9.3+Sun/8.9.1) with SMTP id KAA10527; Thu, 11 Jan 2001 10:23:28 -0500 (EST) From: "Mark Jones" To: "Erik Guttman" Cc: Subject: RE: diameter grammar proposal Date: Thu, 11 Jan 2001 10:30:08 -0500 Message-ID: <00ca01c07be3$60ffe6b0$2096a8c0@bridgewatersys.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Erik, > BUT we have to be sure that by leaving things open we don't allow the > 'optional' rules to collide with the 'required' rules. Where 'optional' rules are those rules which refer to optional AVPs. The rules themselves are NOT optional, correct? > Say you > MUST have one and only one 'Foo-AVP' in command X, and there is an > option rule, for sticking in any arbitrary AVP. You could evaluate > that rule to allow N additional 'Foo-AVP's in the command X message. > I see. You are concerned about conflicting rules. I am still not convinced that ambiguity exists here. I had assumed that all rules MUST be satisfied when evaluating whether a packet is valid. From your example, adding more Foo-AVPs breaks the first rule and therefore would be illegal. > This does NOT directly relate to the use of the term 'Mandatory' in > DIAMETER. Mandatory means the 'M' bit is set - which has consequences > if the receiver of a message doesn't have the ability to interpret the > AVP with the 'M' bit set. This discussion has been pursued in other > threads. > Agreed. Lets never talk of it again :) Regards, Mark From owner-aaa-bof@merit.edu Thu Jan 11 10:29:10 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA03769 for ; Thu, 11 Jan 2001 10:29:09 -0500 (EST) Received: by segue.merit.edu (Postfix) id 1D55B5DE3F; Thu, 11 Jan 2001 10:28:52 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 0BABD5DE39; Thu, 11 Jan 2001 10:28:52 -0500 (EST) Received: from cisco.com (titans.cisco.com [161.44.216.10]) by segue.merit.edu (Postfix) with ESMTP id B1F1B5DDB7 for ; Thu, 11 Jan 2001 10:28:49 -0500 (EST) Received: from titans.cisco.com (titans.cisco.com [161.44.216.10]) by cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id KAA15034; Thu, 11 Jan 2001 10:28:11 -0500 (EST) Date: Thu, 11 Jan 2001 10:28:11 -0500 (EST) From: Mark Eklund To: Erik Guttman Cc: Erik Guttman , aaa-wg@merit.edu, Randy Bush Subject: Re: diameter grammar proposal In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk Erik, Thanks, that answers my earlier questions. Also, is there a need to support Command Flags like E, I, and R in this specification? -mark On Thu, 11 Jan 2001, Erik Guttman wrote: > Mark, > > Thanks for your questions, they helped me see where my grammar > proposal was weak. I attempt to strengthen it below. Please > let me know if this answers your question and meets our needs. > > > 1. I am used to seeing qualifiers after the argument like in > > regular expressions. For example Host-Name* instead of > > *Host-Name. This is a personal preference. > > The *, ? and + are in the spirit of ABNF (see RFC 2234) rather > than as glob or regular expressions. They precede the grammar > element they qualify. > > > 2. Why do you need the optional brackets [] when you have the > > '*' and '?' operators. I.E. what is the difference in > > *[Host-Name] and *Host-Name? > > The grammar conventions I proposed were not formally specified. That > made it confusing, as you point out. How about the following ABNF for > all diameter message definitions: > > command-def = command-name "::=" diameter-message > > diameter-name = ALPHA *(ALPHA / DIGIT / "-") > > command-name = diameter-name > ; The command-name has to be Command name, defined in > ; the base or exteneded DIAMETER specifications. > > diameter-message = header [ *fixed] [ *required] [ *optional] [ *fixed] > > header = "" > > fixed = [qual] "<" avp-spec ">" > > required = [qual] "{" avp-spec "}" > > optional = [qual] "[" avp-name "]" > ; The avp-name in the 'optional' rule cannot evaluate > ; to any AVP Name which is included in a fixed or > ; required rule. > > qual = [min] "*" [max] > ; Rather than the confusing '?', '+' and '*' > ; use ABNF conventions, RFC 2234 section 3.6. > ; > ; NOTE: "[" and "]" have a different meaning than > ; in ABNF (see the optional rule, above). These > ; braces cannot be used to express an optional fixed > ; rules (such as an optional ICV at the end.) To do > ; this, the convention is '0*1fixed'. > > min = 1*DIGIT > ; The minimum number of times the element may be > ; present. > > max = 1*DIGIT > ; The maximum number of times the element may be > ; present. > > avp-spec = diameter-name > ; The avp-spec has to be an AVP Name, defined in the > ; base or extended DIAMETER specifications. > > avp-name = avp-spec | "AVP" > ; The string "AVP" stands for *any* arbitrary AVP Name. > > This is more restricted than the grammar I described (but did not specify) > in my previous email. > > (1) You can only put fixed rules at the beginning or end of the message. > This limits the possible command grammars you can produce, but I > think this is OK. > > (2) You can only specify one AVP per fixed, required or optional rule, > where I indicated you could have any number AVPs in them. This > will make the grammar specifications more verbose. > > (3) Since you only have one AVP per rule, you only need the 'qual' > outside the braces, which eliminates the ambiguity of my initial > proposal (where you could ask "Where do you put the qual? What > is the meaning of putting it one place instead of the other? > What does it mean if you put it in both places? etc.) > > The revised 'example' would look like: > > Example-Command ::= > { User-Name } > *{ Host-Name } > *[ AVP ] > 0*1< Integrity-Check-Vector > > > The command defined by the preceding grammar MUST begin with a > DIAMETER header, with the command code Id set to 9999999. There > follows a User-Name AVP, zero or more Host-Name AVPs and zero or > more arbitrary other AVPs (but not User-Name, Host-Name or > Integrity-Check-Vector AVPs). The REQUIRED and OPTIONAL AVPs > can be permuted into any order, provided that none of them come > before the Header or after the Integrity-Check Vector. > > > 3. Do you plan to define Grouped-AVP in the specifications? > > No - Grouped-AVP is going away, to be replaced by a Grouped value. > Other email on this was sent to the list with the subject > > "data type modifications to DIAMETER" > > Erik > > > ._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._. > E r i k G u t t m a n SHORT msgs: 01728655497@d2-message.de > Sr Staff Engineer, Sun Microsystems Email: erik.guttman@sun.com > Eichhoelzelstr. 7, 74915 Waibstadt Germany Phone: +49 172 865 5497 > > > From owner-aaa-bof@merit.edu Thu Jan 11 11:28:35 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA06717 for ; Thu, 11 Jan 2001 11:28:35 -0500 (EST) Received: by segue.merit.edu (Postfix) id 093715DE4A; Thu, 11 Jan 2001 11:28:04 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id E8CAC5DE41; Thu, 11 Jan 2001 11:28:03 -0500 (EST) Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by segue.merit.edu (Postfix) with ESMTP id A9A655DE39 for ; Thu, 11 Jan 2001 11:28:02 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id IAA00196; Thu, 11 Jan 2001 08:28:00 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id IAA03155; Thu, 11 Jan 2001 08:27:57 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id HAA19473; Thu, 11 Jan 2001 07:01:10 -0800 (PST) Date: Thu, 11 Jan 2001 06:57:31 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Redirect To: diameter@diameter.org, aaa-wg@merit.edu Cc: Pat.Calhoun@eng.sun.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk All, The current base protocol specification states that a redirect server returns a response to the requestor with the error code set to redirect. However, some discussions we have been having recently on this list implies that redirect and proxy servers may not actually support all extensions, and may only support the bare minimum required for packets to be forwarded to the home server. Therefore, I question how such servers would ever know how to set the command code field to the correct response. So, if we really need to support the above case, one of the following needs to be done: 1. Do nothing and require that proxies/redirect servers support extensions (this is a valid requirement). 2. Make sure that the redirect indication is returned in an MRI (Message-Reject-Ind) message. However, one does question how request/responses are matched up properly, and the details of this need to be refined 3. A MUCH more drastic change, and one I am not sure that I like but I am adding for completeness. No longer distingush request from responses, but rather make use of the bits in the message header to distinguish whether the message is a request or a response. So an Access message would have the request mode (when bits are set), or a response (when the bits indicate a response). This *seems* clean, but is a huge change for implementations and the protocol. I think that the simplest is #2 above, but I am opening up this can of worms now to get a feel for how people think their proxies will operate. PatC From owner-aaa-bof@merit.edu Thu Jan 11 11:28:47 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA06751 for ; Thu, 11 Jan 2001 11:28:46 -0500 (EST) Received: by segue.merit.edu (Postfix) id 5117E5DE52; Thu, 11 Jan 2001 11:28:08 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 377185DE50; Thu, 11 Jan 2001 11:28:08 -0500 (EST) Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by segue.merit.edu (Postfix) with ESMTP id EFCEA5DE5C for ; Thu, 11 Jan 2001 11:28:04 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id IAA00229; Thu, 11 Jan 2001 08:28:02 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id IAA03186; Thu, 11 Jan 2001 08:28:01 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id GAA18848; Thu, 11 Jan 2001 06:26:15 -0800 (PST) Date: Thu, 11 Jan 2001 06:22:37 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Re: The Identifier field To: Barney Wolff Cc: Pat Calhoun , aaa-wg@merit.edu, diameter@diameter.org In-Reply-To: "Your message with ID" <20010111091903.A78837@mx.databus.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk > Pat, in RADIUS the id comes back to the originator of a request, > and whether it's modified between proxies is not visible to the > requester. Why would you want to impose further requirements > above that? To be sure, a stateless proxy would have to keep > the id unchanged, because it won't notice when the response > comes back, but a stateful proxy will, and can therefore obey > the requirement while still generating a useful id of its own. > > You can argue that Proxy-State provides the same opportunity > for fast lookup, but the AVP is not in a fixed position, while > the id is part of the header. > > The justification of the field is that it allows the receiver of > a response to do an efficient lookup of its request state. That > motive stays the same for DIAMETER, and helps proxies as well as > NAS's - but only if the proxy can set the id. I see no benefit > to disallowing that. There's already an unmodifiable AVP for > session-id, and we don't need two. ok, I can buy that. However, I am not sure that I want to describe how proxies make use of the Identifier field, or should I? I believe that I will simply add text stating that the id is used to match request and replies, and leave it at that. *However* please keep in mind that the ID only is not really that useful. Let's consider a NAS that issues an accounting message with the ID set to 4. As it turns out, it ALSO receives an unsolicited message from a home server with the ID set to 4. Since it is not the originator of the message, then it should attempt to ignore the ID field. So my text was that the ID, the Session-Id and the command-code are used on the NAS to match request and replies. PatC From owner-aaa-bof@merit.edu Thu Jan 11 12:28:07 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA09526 for ; Thu, 11 Jan 2001 12:28:07 -0500 (EST) Received: by segue.merit.edu (Postfix) id 881595DFA5; Thu, 11 Jan 2001 12:24:59 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 344BC5DE55; Thu, 11 Jan 2001 12:24:51 -0500 (EST) Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by segue.merit.edu (Postfix) with ESMTP id 4C7985DF67 for ; Thu, 11 Jan 2001 12:22:09 -0500 (EST) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id JAA12497; Thu, 11 Jan 2001 09:22:07 -0800 (PST) Received: from vayne (muc-isdn-8 [129.157.164.108]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v2.0) with SMTP id SAA13983; Thu, 11 Jan 2001 18:22:05 +0100 (MET) Date: Thu, 11 Jan 2001 18:32:33 +0100 (MET) From: Erik Guttman Reply-To: Erik Guttman Subject: Re: diameter grammar proposal To: Mark Eklund Cc: Erik Guttman , aaa-wg@merit.edu In-Reply-To: "Your message with ID" Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk > Also, is there a need to support Command Flags like E, I, and R > in this specification? The grammar specification covers AVPs. The flags are specified for all commands (by their type -Ind, -Rqst, -Answer, -Query, -Reply) and go into the DIAMETER header. DIAMETER implementations will have to support those flags. This is useful for reasons pointed out in draft-ietf-aaa-issues-04.txt and Pat's point that proxies can benefit from knowing a message is an Indication, request/query or a reply/answer. Erik ._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._. E r i k G u t t m a n SHORT msgs: 01728655497@d2-message.de Sr Staff Engineer, Sun Microsystems Email: erik.guttman@sun.com Eichhoelzelstr. 7, 74915 Waibstadt Germany Phone: +49 172 865 5497 From owner-aaa-bof@merit.edu Thu Jan 11 12:30:17 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA09636 for ; Thu, 11 Jan 2001 12:30:16 -0500 (EST) Received: by segue.merit.edu (Postfix) id D2E985DECF; Thu, 11 Jan 2001 12:27:45 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id B0ED55DEFD; Thu, 11 Jan 2001 12:27:45 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 2FEBF5DECF for ; Thu, 11 Jan 2001 12:27:44 -0500 (EST) Received: from efra05-home.Germany.Sun.COM ([129.157.43.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id JAA28497; Thu, 11 Jan 2001 09:27:40 -0800 (PST) Received: from vayne (muc-isdn-8 [129.157.164.108]) by efra05-home.Germany.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v2.0) with SMTP id SAA25337; Thu, 11 Jan 2001 18:27:38 +0100 (MET) Date: Thu, 11 Jan 2001 18:38:05 +0100 (MET) From: Erik Guttman Reply-To: Erik Guttman Subject: RE: diameter grammar proposal To: Mark Jones Cc: Erik Guttman , aaa-wg@merit.edu In-Reply-To: "Your message with ID" <00ca01c07be3$60ffe6b0$2096a8c0@bridgewatersys.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk > > BUT we have to be sure that by leaving things open we don't allow the > > 'optional' rules to collide with the 'required' rules. > > Where 'optional' rules are those rules which refer to optional AVPs. The > rules themselves are NOT optional, correct? Right. I should've said the rules for 'optional AVPs'. > > Say you > > MUST have one and only one 'Foo-AVP' in command X, and there is an > > option rule, for sticking in any arbitrary AVP. You could evaluate > > that rule to allow N additional 'Foo-AVP's in the command X message. > > > > I see. You are concerned about conflicting rules. I am still not convinced > that ambiguity exists here. I had assumed that all rules MUST be satisfied > when evaluating whether a packet is valid. From your example, adding more > Foo-AVPs breaks the first rule and therefore would be illegal. The current diameter spec (which lists but doesn't constrain AVPs to include) it is possible to put in WHATEVER, including more Foo-AVPs. There is no mechanism to describe as illegal putting in multiple AVPs of a given type (or ordering of AVPs in a message). That is why I am proposing a more formal grammar, which still allows constrained, but still flexible inclusion of semi-arbitrary AVPs and reordering. Erik ._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._. E r i k G u t t m a n SHORT msgs: 01728655497@d2-message.de Sr Staff Engineer, Sun Microsystems Email: erik.guttman@sun.com Eichhoelzelstr. 7, 74915 Waibstadt Germany Phone: +49 172 865 5497 From owner-aaa-bof@merit.edu Thu Jan 11 12:54:28 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA10761 for ; Thu, 11 Jan 2001 12:54:27 -0500 (EST) Received: by segue.merit.edu (Postfix) id 1E14A5DE77; Thu, 11 Jan 2001 12:53:47 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 0DB2C5DE74; Thu, 11 Jan 2001 12:53:47 -0500 (EST) Received: from gate.internaut.com (unknown [64.38.134.108]) by segue.merit.edu (Postfix) with ESMTP id 90D295DE6C for ; Thu, 11 Jan 2001 12:53:45 -0500 (EST) Received: from e1kj2 (kidneybean [64.38.134.109]) by gate.internaut.com (8.10.2/8.10.2) with SMTP id f0BHoXR22223 for ; Thu, 11 Jan 2001 09:50:33 -0800 From: "Bernard Aboba" To: "Aaa-Wg@Merit. Edu" Subject: Security proposals for Interim meeting, Feburary 7, 2001 Date: Thu, 11 Jan 2001 09:53:51 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-Mimeole: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit So that we can be prepared for our interim meeting on February 7, 2001, I'd like to ask for volunteers to present security proposals. These proposals should be complete in the sense that they describe everything that is required to solve the security issues that we face. The goal of the exercise will be to convince the WG that one or more of the proposals are viable in the real world. Here's a first cut at what is needed for the various proposals: 1. CMS. I'd like to see a proposal on how CMS can be used for both e2e and hop-by-hop security. Also, given this I'd like to understand whether password hiding is still necessary, and if so, why. The proposal should be clear about: a. Whether PKI is required or not, and exactly what infrastructure is needed (CRL servers, offline/online CAs, etc.) b. Efficiency issues (key reuse) c. Code size and implementation availability (can this be implemented on a NAS?) 2. GSS_API. I'd like to see a proposal describing the deployment scenarios in more detail. Issues to discuss further include: a. GSS_API methods that could be supported within the 1 round trip framework (is this only Kerberos V?) b. Proposed mandatory to implement method c. Code size and availability d. Deployment implications 1. Kerberos KDC on the Internet? 2. IAKERB proxies? 3. DNS support for KDC location? 4. Authorization issues 3. IPSEC. Issues to discuss further include: a. Can use of ESP with non-null transform eliminate need for password hiding? b. Can IKE MM cert policy validate biz relationships or is this asking too much? c. Security implications of referral 1. Firewall hole for IPSEC/IKE from any source to AAA server 2. AAA server does packet filtering not firewall 3. Implications for NAS vulnerabilities From owner-aaa-bof@merit.edu Thu Jan 11 13:05:00 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA11322 for ; Thu, 11 Jan 2001 13:04:59 -0500 (EST) Received: by segue.merit.edu (Postfix) id 97EC95DDD9; Thu, 11 Jan 2001 13:04:43 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 863A45DDB7; Thu, 11 Jan 2001 13:04:43 -0500 (EST) Received: from mail01.bridgewatersystems.com (mail01.bridgewatersystems.com [216.113.7.9]) by segue.merit.edu (Postfix) with ESMTP id 550915DD95 for ; Thu, 11 Jan 2001 13:04:41 -0500 (EST) Received: from kansparc099.bridgewatersys.com (cactusgw.bridgewatersys.com [216.113.7.2]) by mail01.bridgewatersystems.com (8.9.3/8.9.3) with ESMTP id OAA14676; Thu, 11 Jan 2001 14:00:21 -0500 Received: from mjones (mjones.bridgewatersys.com [192.168.150.32]) by kansparc099.bridgewatersys.com (8.9.3+Sun/8.9.1) with SMTP id NAA14642; Thu, 11 Jan 2001 13:04:50 -0500 (EST) From: "Mark Jones" To: "Pat Calhoun" Cc: , Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) Date: Thu, 11 Jan 2001 13:11:30 -0500 Message-ID: <00fc01c07bf9$ebe30210$2096a8c0@bridgewatersys.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Pat, > But how would you deal with backward compatibility? This seems especially > important given that in a roaming network, you never know whether > the home, or the NAS, support v6. > Wouldn't all the RADIUS/DIAMETER servers in the proxy chain will know whether the NAS itself is IPv6 or IPv4 by virtue of (1) in DIAMETER, the length of the NAS-IP-Address AVP, or (2) in RADIUS, presence of the NAS-IP-Address vs NAS-IPv6-Address AVP? It seem unlikely to me that a RADIUS request received from an IPv6 NAS by a dual-stack (v4/v6) RADIUS server would then be proxied unmodified to a legacy IPv4 RADIUS server. Similarly, a RADIUS response received from an IPv6 RADIUS server would not be returned unmodified to a legacy IPv4 NAS. Do you think the dual purpose AVP approach would significantly increase the complexity of the translation being done by a dual-stack RADIUS server? Whether the host requesting service from the NAS actually supports IPv6 is another issue since as the RADIUSv6 draft points out: "Note that a NAS sending a RADIUS Access-Request may not know a-priori whether the host will be using IPv4, IPv6, or both. For example, within PPP, NCP occurs after LCP, so that address assignment will not occur until after RADIUS authentication and authorization has completed. Therefore it is presumed that the IPv6 attributes described in this document MAY be sent along with IPv4-related attributes within the same RADIUS message and that the NAS will decide which attributes to use." Regards, Mark From owner-aaa-bof@merit.edu Thu Jan 11 13:05:40 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA11362 for ; Thu, 11 Jan 2001 13:05:39 -0500 (EST) Received: by segue.merit.edu (Postfix) id 6F5225DDDB; Thu, 11 Jan 2001 13:05:24 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 5D3D35DD95; Thu, 11 Jan 2001 13:05:24 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id A30965DDB7 for ; Thu, 11 Jan 2001 13:05:22 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id KAA13451; Thu, 11 Jan 2001 10:05:03 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id KAA29920; Thu, 11 Jan 2001 10:04:28 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id KAA18825; Thu, 11 Jan 2001 10:04:27 -0800 (PST) Date: Thu, 11 Jan 2001 10:00:48 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Re: Security proposals for Interim meeting, Feburary 7, 2001 To: Bernard Aboba Cc: "Aaa-Wg@Merit. Edu" In-Reply-To: "Your message with ID" Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk Bernard, Should I assume from your e-mail that hop-by-hop is out in the base spec? I think discounting hop security is a mistake. Should I bring a contribution detailing this method? PatC > So that we can be prepared for our interim meeting on > February 7, 2001, I'd like to ask for volunteers to > present security proposals. These proposals should be > complete in the sense that they describe everything > that is required to solve the security issues that > we face. > > The goal of the exercise will be to convince the > WG that one or more of the proposals are viable in > the real world. > > Here's a first cut at what is needed for the various > proposals: > > 1. CMS. I'd like to see a proposal on how CMS can be > used for both e2e and hop-by-hop security. Also, given > this I'd like to understand whether password hiding is > still necessary, and if so, why. The proposal should > be clear about: > a. Whether PKI is required or not, and exactly > what infrastructure is needed (CRL servers, > offline/online CAs, etc.) > b. Efficiency issues (key reuse) > c. Code size and implementation availability > (can this be implemented on a NAS?) > > 2. GSS_API. I'd like to see a proposal describing > the deployment scenarios in more detail. > Issues to discuss further include: > a. GSS_API methods that could be supported > within the 1 round trip framework (is this > only Kerberos V?) > b. Proposed mandatory to implement method > c. Code size and availability > d. Deployment implications > 1. Kerberos KDC on the Internet? > 2. IAKERB proxies? > 3. DNS support for KDC location? > 4. Authorization issues > > 3. IPSEC. > Issues to discuss further include: > a. Can use of ESP with non-null transform > eliminate need for password hiding? > b. Can IKE MM cert policy validate biz relationships or > is this asking too much? > c. Security implications of referral > 1. Firewall hole for IPSEC/IKE from any source to > AAA server > 2. AAA server does packet filtering not firewall > 3. Implications for NAS vulnerabilities > > > From owner-aaa-bof@merit.edu Thu Jan 11 13:12:24 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA11562 for ; Thu, 11 Jan 2001 13:12:24 -0500 (EST) Received: by segue.merit.edu (Postfix) id 51EF05DE39; Thu, 11 Jan 2001 13:12:06 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 409915DDB7; Thu, 11 Jan 2001 13:12:06 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id F12FA5DD95 for ; Thu, 11 Jan 2001 13:12:04 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id KAA17342; Thu, 11 Jan 2001 10:12:01 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id KAA02712; Thu, 11 Jan 2001 10:12:00 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id KAA29082; Thu, 11 Jan 2001 10:11:59 -0800 (PST) Date: Thu, 11 Jan 2001 10:08:22 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) To: Mark Jones Cc: Pat Calhoun , aaa-wg@merit.edu, diameter@diameter.org In-Reply-To: "Your message with ID" <00fc01c07bf9$ebe30210$2096a8c0@bridgewatersys.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk > Whether the host requesting service from the NAS actually supports IPv6 is > another issue since as the RADIUSv6 draft points out: > > "Note that a NAS sending a RADIUS Access-Request may not know a-priori > whether the host will be using IPv4, IPv6, or both. For example, within > PPP, NCP occurs after LCP, so that address assignment will not occur > until after RADIUS authentication and authorization has completed. > Therefore it is presumed that the IPv6 attributes described in this > document MAY be sent along with IPv4-related attributes within the same > RADIUS message and that the NAS will decide which attributes to use." Right, but chances of getting *something* back from the home server are quite high if two attributes are added, one for each address family, as opposed to inserting an IPv6 in an attribute that the home server expected to be only 32bit in length. Chances it would drop the request in this case, hence increasing the difficulty in troubleshooting. PatC From owner-aaa-bof@merit.edu Thu Jan 11 13:18:52 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA11679 for ; Thu, 11 Jan 2001 13:18:52 -0500 (EST) Received: by segue.merit.edu (Postfix) id 8DA815DE41; Thu, 11 Jan 2001 13:15:18 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 78D685DDB7; Thu, 11 Jan 2001 13:15:18 -0500 (EST) Received: from mx.databus.com (p101-44.acedsl.com [160.79.101.44]) by segue.merit.edu (Postfix) with ESMTP id B47BD5DD95 for ; Thu, 11 Jan 2001 13:15:16 -0500 (EST) Received: (from barney@localhost) by mx.databus.com (8.11.1/8.11.1) id f0BIEDY79894; Thu, 11 Jan 2001 13:14:13 -0500 (EST) (envelope-from barney) Date: Thu, 11 Jan 2001 13:14:13 -0500 From: Barney Wolff To: Bernard Aboba Cc: "Aaa-Wg@Merit. Edu" Subject: Re: Security proposals for Interim meeting, Feburary 7, 2001 Message-ID: <20010111131413.B79807@mx.databus.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from aboba@internaut.com on Thu, Jan 11, 2001 at 09:53:51AM -0800 Sender: owner-aaa-bof@merit.edu Precedence: bulk It may have been pointed out already, but referral imho does not imply that the target is the ultimate server that must itself contain the sensitive user database. The target will be whatever the home domain says is its public face - which if the administrators have any sense, will be a proxy. Even if you attempt to mandate true "end-ness" such that the home server is not a proxy, how could anybody outside the home domain detect a violation? We would be foolish to attempt to legislate against things that cannot be detected or forcibly suppressed. A proxy makes a much better AAA firewall than any general-purpose firewall could ever hope to be. Re IKE-from-anywhere, how does a roaming VPN setup work, if not that? I too wish that IKE were less DoSable, though. Barney On Thu, Jan 11, 2001 at 09:53:51AM -0800, Bernard Aboba wrote: ... > 3. IPSEC. > c. Security implications of referral > 1. Firewall hole for IPSEC/IKE from any source to > AAA server > 2. AAA server does packet filtering not firewall From owner-aaa-bof@merit.edu Thu Jan 11 13:29:42 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA11825 for ; Thu, 11 Jan 2001 13:29:42 -0500 (EST) Received: by segue.merit.edu (Postfix) id 6596F5DE56; Thu, 11 Jan 2001 13:29:24 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 548C05DE50; Thu, 11 Jan 2001 13:29:24 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 46C105DDB7 for ; Thu, 11 Jan 2001 13:29:23 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id KAA24194; Thu, 11 Jan 2001 10:29:19 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id KAA07355; Thu, 11 Jan 2001 10:29:05 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id KAA04559; Thu, 11 Jan 2001 10:29:04 -0800 (PST) Date: Thu, 11 Jan 2001 10:25:27 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Preview of new DIAMETER base protocol To: diameter@diameter.org, aaa-wg@merit.edu Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk All, I am making a preview of the next base protocol available at www.diameter.org. This version has not been sent to the secretariat for publication, and is Identified as Alpha 1. Given the number of changes, I though it would be worthwhile getting some review prior to sending it in as a WG work item. It includes: - Changes from the solutions I-D - Lots of additional changes throughout the document as a result of the changes. - Fix to the state machine - etc, etc. It does NOT include: - New ABNF grammar (I thought more comments and careful review of Erik's proposal would be best). - AES security (the current text still includes the MD5 style hiding. I have asked for help with AES, and expect to have something soon). The document can be found at http://www.diameter.org/draft-calhoun-diameter-18.txt, while the diffs (against version 17) are at http://www.diameter.org/diffs-in-18.txt. Although I have reviewed the spec, it is possible that some inconsistencies still exist. So any feedback would be most appreciated. Thanks, PatC From owner-aaa-bof@merit.edu Thu Jan 11 13:33:56 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA11905 for ; Thu, 11 Jan 2001 13:33:56 -0500 (EST) Received: by segue.merit.edu (Postfix) id 1B1F15DE83; Thu, 11 Jan 2001 13:33:22 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id F28715DE8D; Thu, 11 Jan 2001 13:33:21 -0500 (EST) Received: from smtp1.kolumbus.fi (smtp1.kolumbus.fi [193.229.0.36]) by segue.merit.edu (Postfix) with ESMTP id 60DED5DE83 for ; Thu, 11 Jan 2001 13:33:20 -0500 (EST) Received: from jariws1 (ab16d3hel.dial.kolumbus.fi [212.54.18.16]) by smtp1.kolumbus.fi (8.9.0/8.9.0) with SMTP id UAA11449; Thu, 11 Jan 2001 20:33:01 +0200 (EET) Message-ID: <00cf01c07bfc$d5ba3820$8a1b6e0a@arenanet.fi> From: "Jari Arkko" To: "Pat Calhoun" , "Mark Jones" Cc: , References: Subject: Re: [diameter] data type modifications to DIAMETER (Fwd) Date: Thu, 11 Jan 2001 20:32:20 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Pat writes: > Right, but chances of getting *something* back from the home server are quite > high if two attributes are added, one for each address family, as opposed to > inserting an IPv6 in an attribute that the home server expected to be only > 32bit in length. Chances it would drop the request in this case, hence > increasing the difficulty in troubleshooting. Thinking about the major places (e.g. 3g) where DIAMETER could be deployed in the future, I think it would be even reasonable to *require* IPv6 attribute support from all DIAMETER nodes. Which would be rather trivial and different from than supporting IPv6 itself on DIAMETER or the functions of the NAS. Jari From owner-aaa-bof@merit.edu Thu Jan 11 13:41:40 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA12026 for ; Thu, 11 Jan 2001 13:41:40 -0500 (EST) Received: by segue.merit.edu (Postfix) id 260AD5DDFB; Thu, 11 Jan 2001 13:41:22 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 1466D5DDB7; Thu, 11 Jan 2001 13:41:22 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id F3F1A5DD95 for ; Thu, 11 Jan 2001 13:41:20 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id KAA29798; Thu, 11 Jan 2001 10:41:17 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id KAA11022; Thu, 11 Jan 2001 10:41:16 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id KAA04902; Thu, 11 Jan 2001 10:41:11 -0800 (PST) Date: Thu, 11 Jan 2001 10:37:33 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Re: [diameter] data type modifications to DIAMETER (Fwd) To: Jari Arkko Cc: aaa-wg@merit.edu, diameter@diameter.org, Mark Jones In-Reply-To: "Your message with ID" <200101111926.f0BJQiL23668@charizard.diameter.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk > Pat writes: > >> Right, but chances of getting *something* back from the home server are quite >> high if two attributes are added, one for each address family, as opposed to >> inserting an IPv6 in an attribute that the home server expected to be only >> 32bit in length. Chances it would drop the request in this case, hence >> increasing the difficulty in troubleshooting. > > Thinking about the major places (e.g. 3g) where DIAMETER could be > deployed in the future, I think it would be even reasonable to *require* IPv6 > attribute > support from all DIAMETER nodes. Which would be rather trivial and > different from than supporting IPv6 itself on DIAMETER or the functions > of the NAS. I didn't think that was the original comment (or perhaps I've really misunderstood this from the beginning). I thought the issue was more regarding the RADIUS protocol. v4/v6 support is mandatory in the DIAMETER protocol. Whether a NAS or Server supports either, or both, protocols is irrelevant. All we care about is ensuring that requests and responses are recognized. PatC From owner-aaa-bof@merit.edu Thu Jan 11 13:52:48 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA12321 for ; Thu, 11 Jan 2001 13:52:44 -0500 (EST) Received: by segue.merit.edu (Postfix) id 5083D5DE50; Thu, 11 Jan 2001 13:52:19 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 406BA5DDB7; Thu, 11 Jan 2001 13:52:19 -0500 (EST) Received: from smtp1.kolumbus.fi (smtp1.kolumbus.fi [193.229.0.36]) by segue.merit.edu (Postfix) with ESMTP id 9F5A25DD95 for ; Thu, 11 Jan 2001 13:52:17 -0500 (EST) Received: from jariws1 (ab16d3hel.dial.kolumbus.fi [212.54.18.16]) by smtp1.kolumbus.fi (8.9.0/8.9.0) with SMTP id UAA17089; Thu, 11 Jan 2001 20:52:12 +0200 (EET) Message-ID: <00d401c07bff$8403eaa0$8a1b6e0a@arenanet.fi> From: "Jari Arkko" To: "Pat Calhoun" , , References: Subject: Re: Proposed change to DIAMETER header Date: Thu, 11 Jan 2001 20:51:32 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit > The method the protocol is currently specified, it requires that an > implementation walk through each AVP, looking for the ICV AVP in order to > perform the necessary replay and authentication checks. What this means is > that there is a significant amount of work required to ensure that the packet > is in fact authentic. This does not bode well for denial of service attacks. > > So I would like to propose adding the ICV-Offset to the DIAMETER header, as > shown below: I don't care that much either way, but I would just note a couple of things: 1) The MAC calculation is in any case heavier than any reasonable ICV attribute seeking operation, so I don't really know if this buys that much. Or perhaps you are simplifying the DIAMETER hardware ICV engine design for the next SPARC station ;-) 2) If I would program a server, I would make a separate small piece of code to look for the ICV for received packets; don't think more than a simple loop is required since the ICV hopefully couldn't be inside any AVP groups, and no XML data dictionaries need to be consulted either. 3) If there's an ICV offset in the header, somebody's going to have to go and check later that it corresponds to the actual place of the attribute. Also, before the ICV is checked we need to ensure it falls within the bounds of the message. Unnecessary complexity. [In any case, I'd rather have statically keyed IPsec as a MUST than the AVP, since that would be useful for encryption as well as integrity, and would benefit more apps at the same time. And again, many DIAMETER uses I see would be in the v6 domain and there IPsec exists anyway...] Jari From owner-aaa-bof@merit.edu Thu Jan 11 14:40:34 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA13237 for ; Thu, 11 Jan 2001 14:40:34 -0500 (EST) Received: by segue.merit.edu (Postfix) id 8767C5DEE8; Thu, 11 Jan 2001 14:34:37 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 061B65DE7D; Thu, 11 Jan 2001 14:34:36 -0500 (EST) Received: from mail01.bridgewatersystems.com (mail01.bridgewatersystems.com [216.113.7.9]) by segue.merit.edu (Postfix) with ESMTP id 1EC9D5DE7D for ; Thu, 11 Jan 2001 14:33:58 -0500 (EST) Received: from kansparc099.bridgewatersys.com (cactusgw.bridgewatersys.com [216.113.7.2]) by mail01.bridgewatersystems.com (8.9.3/8.9.3) with ESMTP id PAA15494; Thu, 11 Jan 2001 15:29:43 -0500 Received: from mjones (mjones.bridgewatersys.com [192.168.150.32]) by kansparc099.bridgewatersys.com (8.9.3+Sun/8.9.1) with SMTP id OAA16813; Thu, 11 Jan 2001 14:34:12 -0500 (EST) From: "Mark Jones" To: "Pat Calhoun" Cc: Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) Date: Thu, 11 Jan 2001 14:40:52 -0500 Message-ID: <00ff01c07c06$68110dd0$2096a8c0@bridgewatersys.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Pat, [diameter@diameter.org removed from CC list. Thread concerns RADIUSv6.] > > Right, but chances of getting *something* back from the home > server are quite > high if two attributes are added, one for each address family, as > opposed to > inserting an IPv6 in an attribute that the home server expected to be only > 32bit in length. Chances it would drop the request in this case, hence > increasing the difficulty in troubleshooting. > Yes, I understand the potential problem if a packet containing an IPv6 address AVP arrives at an IPv4 RADIUS server: 1) Using two different AVPs, one for each address family An IPv6 NAS sends an Access-Request containing Foo-IP-Address AVP and Foo-IPv6-Address AVP to the first hop dual-stack RADIUS server. This RADIUS server proxies the request unmodified onto an IPv4 RADIUS server. The IPv4 RADIUS server ignores Foo-IPv6-Address since it has an unknown Type but otherwise processes the request normally. 2) Using two instances of the same AVP, one for each address family An IPv6 NAS sends an Access-Request containing a 4-byte (IPv4) Foo-IP-Address AVP and an 8-byte (IPv6) Foo-IP-Address AVP to the first hop dual-stack RADIUS server. This RADIUS server proxies the request unmodified onto an IPv4 RADIUS server. The IPv4 RADIUS server drops the request on encountering an 8-byte Foo-IP-Address since it expected a 4-byte IPv4 address. Is this the problem you are refering to? Alternatively, the dual-stack RADIUS server filters out the IPv6 AVPs before sending on the request to the IPv4 RADIUS server. In my example (2) above, the dual-stack RADIUS server removes the 8-byte Foo-IP-Address AVP before forwarding the request. The IPv4 RADIUS server just sees the 4-byte (IPv4) Foo-IP-Address AVP and processes the request normally. Regards, Mark From owner-aaa-bof@merit.edu Thu Jan 11 15:06:02 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id PAA13660 for ; Thu, 11 Jan 2001 15:06:01 -0500 (EST) Received: by segue.merit.edu (Postfix) id A56295DEF9; Thu, 11 Jan 2001 15:04:59 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 0E16C5DD95; Thu, 11 Jan 2001 15:04:33 -0500 (EST) Received: from aaa.interlinknetworks.com (interlink.merit.edu [198.108.95.110]) by segue.merit.edu (Postfix) with ESMTP id 627205E012 for ; Thu, 11 Jan 2001 14:59:15 -0500 (EST) Received: from Interlinknetworks.com (unknown [198.108.5.3]) by aaa.interlinknetworks.com (Postfix) with ESMTP id 9827573; Thu, 11 Jan 2001 14:59:22 -0500 (EST) Message-ID: <3A5E10AF.B687C688@Interlinknetworks.com> Date: Thu, 11 Jan 2001 14:59:43 -0500 From: David Spence Organization: Interlink Networks, Inc. X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Pat Calhoun Cc: aaa-wg@merit.edu, diameter@diameter.org Subject: Re: Capabilities Negotiation and proxies References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Suppose an AAA server acts as home server for some realms and proxy for others. Then what does it advertise? (Assume that as home server it does not support all extensions, but as a routing proxy it is willing to proxy all extensions.) Pat Calhoun wrote: > > All, > > As discussed a few days ago, a proxy MAY wish to proxy ANY type of message, > regardless of the extension. Therefore, the current text in the base protocol > does not allow this behavior since it would require that proxies advertise ALL > possible extensions. > > Therefore, I am proposing adding the last paragraph to section 2.5.3. > Furthermore, I believe that ALL messages MUST include the extension ID of the > particular message. The reason being that a proxy would need to identify a > server in the home domain that can handle the message, but it may not recognize > the command. > > Comments? Objections? Proposed Text? > > PatC > > 2.5.3 Extension-Id AVP > > The Extension-Id AVP (AVP Code 258) is of type Unsigned32 and is used > in order to identify a specific DIAMETER extension. This AVP is used > in the Device-Reboot-Ind message in order to inform the peer what > extensions are locally supported. The Extension-Id MUST also be present > in all messages that are defined in a separate DIAMETER specification > and have an Extension ID assigned. > > Each DIAMETER extension draft MUST have an IANA assigned extension > Idenfier (see section 8.3). The base protocol does not require an > Extension-Id since its support is mandatory. > > There MAY be more than one Extension-Id AVP within a DIAMETER > Device-Reboot-Ind message. The following values are recognized: > > NASREQ 1 [7] > Strong Security 2 [11] > Resource Management 3 [29] > Mobile-IP 4 [10] > Accounting 5 [15] > > Furthermore, servers acting as Redirect or Proxy servers (see > Section 6.0) MAY wish to advertise support for ALL possible > extensions. Such servers are then responsible for finding a > downstream server that supports the extension of a particular > message. This is done by including the Extension-Id AVP with a > value of zero (0). -- David Spence email: DSpence@Interlinknetworks.com Interlink Networks, Inc. phone: (734) 821-1203 775 Technology Drive, Suite 200 fax: (734) 821-1235 Ann Arbor, MI 48108 U.S.A. From owner-aaa-bof@merit.edu Thu Jan 11 15:23:56 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id PAA13899 for ; Thu, 11 Jan 2001 15:23:56 -0500 (EST) Received: by segue.merit.edu (Postfix) id BB8175DEF5; Thu, 11 Jan 2001 15:23:39 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id A8C645DEDF; Thu, 11 Jan 2001 15:23:39 -0500 (EST) Received: from franklin.cisco.com (franklin.cisco.com [171.70.156.17]) by segue.merit.edu (Postfix) with ESMTP id 69CDC5DEDC for ; Thu, 11 Jan 2001 15:23:38 -0500 (EST) Received: from gwzpc ([64.104.42.105] (may be forged)) by franklin.cisco.com (8.8.6 (PHNE_17190)/CISCO.SERVER.1.2) with SMTP id MAA03386; Thu, 11 Jan 2001 12:23:00 -0800 (PST) Reply-To: From: "Glen Zorn" To: "Pat Calhoun" , "Mark Jones" Cc: , Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) Date: Thu, 11 Jan 2001 12:13:03 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 In-Reply-To: Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Pat Calhoun [mailto:Pat.Calhoun@eng.sun.com] writes: > > Would new RADIUS attributes for IPv6 addresses still be > required if RADIUSv6 > > were to adopt the dual purpose AVP approach? Wouldn't this scheme require changes to RADIUS data types? That can't be done... > > If, as suggested by the > > RADIUSv6 spec, the RADIUS packet contained both IPv4 and IPv6 > AVPs, the NAS > > can still distinguish the IPv4/IPv6 addresses by their length and so can > > choose the appropriate instance of the address AVP depending on > whether its > > client is IPv4 or IPv6. > > > > If there is not a common approach to IPv4/IPv6 address encoding, the > > DIAMETER-RADIUS gateway must translate, for example, a DIAMETER > > Login-IP-Host AVP to a RADIUS Login-IP-Host or Login-IPv6-Host > AVP depending > > on its length. Not complex. Just tedious. Such is the life of a gateway :-) > > But how would you deal with backward compatibility? This seems especially > important given that in a roaming network, you never know whether > the home, or > the NAS, support v6. > > PatC > > > From owner-aaa-bof@merit.edu Thu Jan 11 15:44:04 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id PAA14237 for ; Thu, 11 Jan 2001 15:44:03 -0500 (EST) Received: by segue.merit.edu (Postfix) id B75675DF93; Thu, 11 Jan 2001 15:42:03 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 992045DF92; Thu, 11 Jan 2001 15:42:03 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 4CE6B5DE8A for ; Thu, 11 Jan 2001 15:42:02 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id MAA13095; Thu, 11 Jan 2001 12:42:00 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id MAA16476; Thu, 11 Jan 2001 12:41:55 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id MAA12597; Thu, 11 Jan 2001 12:41:52 -0800 (PST) Date: Thu, 11 Jan 2001 12:38:14 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Re: Capabilities Negotiation and proxies To: David Spence Cc: Pat Calhoun , aaa-wg@merit.edu, diameter@diameter.org In-Reply-To: "Your message with ID" <3A5E10AF.B687C688@Interlinknetworks.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk Then it would return the error code stating that the extension was not supported. Furthermore, I sent some text early this week (or was it last week), that would solve this problem, but it was a major change. It would require that all home servers advertise their local domains. The proxy could then use this information to figure out whether the next hop is a proxy, or a home server for a given domain. btw, I am NOT attempting to create a routing protocol for NAIs. This is a one-hop only thing. Still not really sure that I like this approach either, but I am willing to listen to suggestions. PatC From owner-aaa-bof@merit.edu Thu Jan 11 15:49:00 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id PAA14290 for ; Thu, 11 Jan 2001 15:49:00 -0500 (EST) Received: by segue.merit.edu (Postfix) id 01D065DE7F; Thu, 11 Jan 2001 15:45:05 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id B81AC5DE8A; Thu, 11 Jan 2001 15:45:03 -0500 (EST) Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by segue.merit.edu (Postfix) with ESMTP id 61CB75DE7F for ; Thu, 11 Jan 2001 15:45:01 -0500 (EST) Received: from engmail3.Eng.Sun.COM ([129.144.170.5]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id MAA13074; Thu, 11 Jan 2001 12:44:58 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail3.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id MAA17347; Thu, 11 Jan 2001 12:44:57 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id MAA12665; Thu, 11 Jan 2001 12:44:56 -0800 (PST) Date: Thu, 11 Jan 2001 12:41:18 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: RE: [diameter] data type modifications to DIAMETER (Fwd) To: gwz@cisco.com Cc: Pat Calhoun , Mark Jones , aaa-wg@merit.edu In-Reply-To: "Your message with ID" Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk > Pat Calhoun [mailto:Pat.Calhoun@eng.sun.com] writes: > > > > Would new RADIUS attributes for IPv6 addresses still be > > required if RADIUSv6 > > > were to adopt the dual purpose AVP approach? > > Wouldn't this scheme require changes to RADIUS data types? That can't be > done... That's my point, but Mark is envisioning an environment where proxies strip out AVPs based on the next hop's capabilities (see previous e-mail). Of course, this doesn't help too much in environments where a v6 nas talks to a v4/v6 proxy, to a v4 proxy then to a v4/v6 home server. PatC From owner-aaa-bof@merit.edu Thu Jan 11 16:40:37 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id QAA15173 for ; Thu, 11 Jan 2001 16:40:37 -0500 (EST) Received: by segue.merit.edu (Postfix) id C6F7C5DDBA; Thu, 11 Jan 2001 16:40:19 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id AE8225DE5D; Thu, 11 Jan 2001 16:40:19 -0500 (EST) Received: from mx.databus.com (p101-44.acedsl.com [160.79.101.44]) by segue.merit.edu (Postfix) with ESMTP id 5CBF15DDBA for ; Thu, 11 Jan 2001 16:40:18 -0500 (EST) Received: (from barney@localhost) by mx.databus.com (8.11.1/8.11.1) id f0BLe5U80617; Thu, 11 Jan 2001 16:40:05 -0500 (EST) (envelope-from barney) Date: Thu, 11 Jan 2001 16:40:05 -0500 From: Barney Wolff To: Pat Calhoun Cc: David Spence , aaa-wg@merit.edu, diameter@diameter.org Subject: Re: Capabilities Negotiation and proxies Message-ID: <20010111164005.A80566@mx.databus.com> References: <3A5E10AF.B687C688@Interlinknetworks.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from Pat.Calhoun@eng.sun.com on Thu, Jan 11, 2001 at 12:38:14PM -0800 Sender: owner-aaa-bof@merit.edu Precedence: bulk Tell us why a requester should know or care whether its "server" is actually a home server or another proxy. IMHO, that would be a really bad thing. We're running into the downside of session-oriented AAA, when the underlying situation is independent transactions. I suggest we simply ignore it - the AAA requester should be configured for the server it talks to "most of the time" and just recover in real time from what should be very rare cases, that a Mandatory AVP, or even a whole extension, is not understood by some roamer's home server. Barney On Thu, Jan 11, 2001 at 12:38:14PM -0800, Pat Calhoun wrote: > Then it would return the error code stating that the extension was not > supported. Furthermore, I sent some text early this week (or was it last > week), that would solve this problem, but it was a major change. It would > require that all home servers advertise their local domains. The proxy could > then use this information to figure out whether the next hop is a proxy, or a > home server for a given domain. > > btw, I am NOT attempting to create a routing protocol for NAIs. This is a > one-hop only thing. > > Still not really sure that I like this approach either, but I am willing to > listen to suggestions. > > PatC > > From owner-aaa-bof@merit.edu Thu Jan 11 17:18:43 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA15589 for ; Thu, 11 Jan 2001 17:18:43 -0500 (EST) Received: by segue.merit.edu (Postfix) id C42AD5DE6D; Thu, 11 Jan 2001 17:16:23 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id B26615DE66; Thu, 11 Jan 2001 17:16:23 -0500 (EST) Received: from aaa.interlinknetworks.com (interlink.merit.edu [198.108.95.110]) by segue.merit.edu (Postfix) with ESMTP id DDA935DDEF for ; Thu, 11 Jan 2001 17:16:22 -0500 (EST) Received: from phoenix (unknown [198.108.5.3]) by aaa.interlinknetworks.com (Postfix) with SMTP id 559F574 for ; Thu, 11 Jan 2001 17:16:30 -0500 (EST) From: "Bob Kopacz" To: "Aaa-Wg" Subject: DIAMETER Base Protocol (Alpha 1) / 2.5.1 Vendor-Name AVP Date: Thu, 11 Jan 2001 17:15:57 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-aaa-bof@merit.edu Precedence: bulk Content-Transfer-Encoding: 7bit Hi Pat, The DRI contains a Vendor-Name AVP, which the draft says is so that a Diameter peer might "know which vendor specific attributes may be sent to the peer". Since it is the 32-bit vendor number that appears in the AVP header and in the Diameter header, should the DRI instead include a Vendor-ID AVP which contains the vendor's enterprise code? It seems a vendor ID value would be more directly useful for the above-mentioned purpose. Or if the Vendor-Name AVP is the way to go, should there be a list of vendor name strings so that they can be mapped to known vendors, and an indication if this string is case-sensitive, etc.? The "DIAMETER Base Protocol (Alpha 1)" document says: > 2.5.1 Vendor-Name AVP > > The Vendor-Name AVP (AVP Code 266) is of type > OctetString and is used to inform a DIAMETER peer of the > Vendor Name of the DIAMETER device. This MAY be used in > order to know which vendor specific attributes may be > sent to the peer. It is also envisioned that the > combination of the Vendor-Name and the Firmware-Revision > (section 2.5.2) AVPs MAY provide very useful debugging > information. From owner-aaa-bof@merit.edu Thu Jan 11 17:25:18 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA15658 for ; Thu, 11 Jan 2001 17:25:18 -0500 (EST) Received: by segue.merit.edu (Postfix) id BD37A5DE9E; Thu, 11 Jan 2001 17:21:38 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 9AA855DEA5; Thu, 11 Jan 2001 17:21:38 -0500 (EST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by segue.merit.edu (Postfix) with ESMTP id 21E095DE93 for ; Thu, 11 Jan 2001 17:21:37 -0500 (EST) Received: from engmail2.Eng.Sun.COM ([129.146.1.25]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id OAA16208; Thu, 11 Jan 2001 14:21:35 -0800 (PST) Received: from nasnfs.eng.sun.com (nasnfs.Eng.Sun.COM [10.6.84.20]) by engmail2.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id OAA04168; Thu, 11 Jan 2001 14:21:35 -0800 (PST) Received: from mordor (mordor [129.146.120.122]) by nasnfs.eng.sun.com (8.9.3+Sun/8.9.1) with SMTP id OAA28320; Thu, 11 Jan 2001 14:21:34 -0800 (PST) Date: Thu, 11 Jan 2001 14:17:55 -0800 (PST) From: Pat Calhoun Reply-To: Pat Calhoun Subject: Re: DIAMETER Base Protocol (Alpha 1) / 2.5.1 Vendor-Name AVP To: Bob Kopacz Cc: Aaa-Wg In-Reply-To: "Your message with ID" Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-aaa-bof@merit.edu Precedence: bulk I have no idea why a name was chosen over the IANA managed value. I agree that using the value that one would find in the Vendor-Id field seems much more reasonable. I think that the name was added for debugging purpose so users (that have no idea what IANA, much less enterprise numbers) can figure out what's at the other end. What do other prefer? Just the ID, or both? Thanks for the great catch! PatC > Hi Pat, > > The DRI contains a Vendor-Name AVP, which the draft says > is so that a Diameter peer might "know which vendor > specific attributes may be sent to the peer". > > Since it is the 32-bit vendor number that appears in the > AVP header and in the Diameter header, should the DRI > instead include a Vendor-ID AVP which contains the > vendor's enterprise code? It seems a vendor ID value > would be more directly useful for the above-mentioned > purpose. > > Or if the Vendor-Name AVP is the way to go, should there > be a list of vendor name strings so that they can be > mapped to known vendors, and an indication if this string > is case-sensitive, etc.? > > The "DIAMETER Base Protocol (Alpha 1)" document says: > > > 2.5.1 Vendor-Name AVP > > > > The Vendor-Name AVP (AVP Code 266) is of type > > OctetString and is used to inform a DIAMETER peer of the > > Vendor Name of the DIAMETER device. This MAY be used in > > order to know which vendor specific attributes may be > > sent to the peer. It is also envisioned that the > > combination of the Vendor-Name and the Firmware-Revision > > (section 2.5.2) AVPs MAY provide very useful debugging > > information. > > From owner-aaa-bof@merit.edu Thu Jan 11 17:28:10 2001 Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA15686 for ; Thu, 11 Jan 2001 17:28:10 -0500 (EST) Received: by segue.merit.edu (Postfix) id 9D0A05DE99; Thu, 11 Jan 2001 17:27:53 -0500 (EST) Delivered-To: aaa-wg-outgoing@merit.edu Received: by segue.merit.edu (Postfix, from userid 56) id 89E6B5DE9A; Thu, 11 Jan 2001 17:27:53 -0500 (EST) Received: from aaa.interlinknetworks.com (interlink.merit.edu [198.108.95.110]) by segue.merit.edu (Postfix) with ESMTP id BAF2B5DE99 for ; Thu, 11 Jan 2001 17:27:52 -0500 (EST) Received: from phoenix (unknown [198.108.5.3]) by aaa.interlinknetworks.com (Postfix) with SMTP id 232F575 for ; Thu, 11 Jan 2001 17:28:00 -0500 (EST) From: "Bob Kopacz"


*International Executive Guild* Registration Form (US and Canada Only)
Please fill out this form if you would like to be included on The International Executive Guild, For accuracy and publication purposes, please complete and send this form at the earliest opportunity=2E There is no charge or obligation to be listed on The International Executive Guild=2E

Your Name
Your Company
Title
Address
City
State or Province
Country
ZIP/Postal Code
Day Time Telephone
Home Phone	(Not To Be Published)
Email

Your Business	(Financial Svcs, Banking, Computer Hardware, Software, Professional Svcs, Chemicals, Apparel, Aerospace, Food, Government, Utility, etc=2E)
Type of Organization	(M= fg, Dist/Wholesaler, Retailer, Law Firm, Investment Bank, Commercial Bank, University, Financial Consultants, Ad Agency, Contractor, Broker, etc=2E)
Your Business Expertise	(Corp=2EMgmt, Marketing, Civil Engineering, Tax Law, Nuclear Physics, Database Development, Operations, Pathologist, Mortgage Banking, etc=2E)
Major Product Line	(Integrated Circuits, Commercial Aircraft, Adhesives, Cosmetics, Plastic Components, Snack Foods, etc=2E)