RADIUS over TCP
draft-ietf-radext-tcp-transport-09

[Ballot comment]
I cleared my DISCUSS, because I think (I hope I have this right) that "this specification"
in this text:

  "Bare" TCP transport MAY, however, be used when another method such
  as IPSec [RFC4301] is used to provide additional confidentiality and
  security.  Should experience show that such deployments are useful,
  this specification could be moved to standards track.

refers to a new, to-be-written document describing the use of TCP+IPSEC.

If I don't have it right, then I still don't understand how experience with TCP+IPSEC
would cause draft-ietf-radext-tcp-transport to be moved to standards track.

[Ballot comment]
I cleared my DISCUSS, because I think (I hope I have this right) that "this specification" in this text:

  "Bare" TCP transport MAY, however, be used when another method such
  as IPSec [RFC4301] is used to provide additional confidentiality and
  security.  Should experience show that such deployments are useful,
  this specification could be moved to standards track.

refers to a new, to-be-written document describing the use of TCP+IPSEC.

If I don't have it right, then I still don't understand how experience with TCP+IPSEC would cause draft-ietf-radext-tcp-transport to be moved to standards track.

[Ballot comment]
To follow up on Tim Polk's Discuss point 2
I appreciate the sentiment of the paragraph, but "NOT RECOMMENDED" is not RFC 2119 language (as idnits would tell you). You have to flip the sense of the sentence and use "RECOMMENDED".
But Tim is also right, please consider "MUST NOT" since the following paragraph...

  "Bare" TCP transport MAY, however, be used when another method such
  as IPSec [RFC4301] is used to provide additional confidentiality and
  security.  Should experience show that such deployments are useful,
  this specification could be moved to standards track.

...is really confusing. It implies that the purpose of this document *is* to define the use of bare TCP transport which is in conflict with the Abstract.

[Ballot discuss]
This Discuss is related to Tim's Discuss.  This text:

  "Bare" TCP transport MAY, however, be used when another method such
  as IPSec [RFC4301] is used to provide additional confidentiality and
  security.  Should experience show that such deployments are useful,
  this specification could be moved to standards track.

is confusing.  Why would experience with "bare" TCP or IPSec TCP cause draft-ietf-radext-tcp-transport to progress to Standards Track?

Similarly, from the Abstract:

  It [draft-ietf-radext-tcp-transport-06.txt] is not intended
  to define TCP as a transport protocol for RADIUS in the absence of
  TLS.

while several of the motivations for RADIUS over TCP in section 1.1 are not specific to RADIUS with TLS.

[Ballot comment]
Agree with Tim's DISCUSS.

Section 27, paragraph 13:
>    It is not intended
>    to define TCP as a transport protocol for RADIUS in the absence of
>    TLS.

  The document title is "RADIUS Over TCP". It's surprising to then see
  that abstract say that it is not intended to define RADIUS over TCP...
  Suggestion: Rename document to "Radius over TLS"?


Section 1., paragraph 1:
>    While
>    there are a number of benefits to using UDP as outlined in [RFC2865]
>    Section 2.4, there are also some limitations:

  Lack of congestion control is surely a limitation?


Section 1.1., paragraph 2:
>    In scenarios where RADIUS proxies exchange a large volume of packets
>    (10+ packets per second), it is likely that there will be sufficient
>    traffic to enable the congestion window to be widened beyond the
>    minimum value on a long-term basis, enabling ACK piggy-backing.

  I don't understand what this paragraph means to say. The TCP
  congestion window opens already at much lower rates than 10+ pps.
  Also, how is this at all related to ACK-piggybacking?


Section 1.1., paragraph 5:
>    These problems disappear if a 4096 application-layer payload can be
>    used alongside RADIUS over TLS.  Since most TCP implementations
>    support MTU discovery, the TCP MSS is automatically adjusted to
>    account for the MTU, and the larger congestion window supported by
>    TCP may allow multiple TCP segments to be sent within a single
>    window.

  Even those few TCP stacks that don't do PMTUD can already support
  arbitrary payloads (just with slightly less efficient packetization).


Section 2.6.1., paragraph 5:
>    As noted previously, RADIUS packets SHOULD NOT be re-transmitted to
>    the same destination IP and numerical port, but over a different
>    transport layer.

  Where does it say that? The second paragraph of Section 2.6 says that
  they MAY be retransmitted over a new connection (which is different
  from a SHOULD NOT). Also, "transport layer" here is unclear - do you
  mean "transport connection" (= use a different TCP connection) or do
  you mean "transport protocol" (= use UDP)?


Section 2.6.2., paragraph 2:
>    Unlike UDP, TLS is subject to issues related to Head of Line (HoL)
>    blocking.  This occurs when when a TLS segment is lost and a
>    subsequent TLS segment arrives out of order.  While the RADIUS server
>    can process RADIUS packets out of order, the semantics of TLS makes
>    this impossible.  This limitation can lower the maximum packet
>    processing rate of RADIUS over TLS.

  s/TLS/TCP/ in this paragraph


Section 2.6.4., paragraph 6:
>    After applying the above rules, there are still situations where the
>    previous specifications allow a packet to be "silently discarded".
>    In these situations, the TCP connections MAY remain open, or MAY be
>    closed, as an implementation choice.  However, the invalid packet
>    MUST be silently discarded.

  In order to reduce connection-setup overheads, wouldn't it make sense
  to RECOMMEND the connection stay open?

[Ballot comment]
Please consider the comments from the Gen-ART Review by Glenn
  Kowack on 18 May 2010.  The review can be found at:

    http://www.softarmor.com/rai/temp-gen-art/
    draft-ietf-radext-tcp-transport-06-kowack.txt

[Ballot discuss]
This is a good document, but there are a few issues that should be addressed before publication.

(1) The document is inconsistent regarding the applicability of this protocol.

From the Abstract, where "It" refers to this document:

                                                                                          It is not intended
  to define TCP as a transport protocol for RADIUS in the absence of
  TLS.

but the last paragraph in the Introduction states:

  "Bare" TCP transport MAY, however, be used when another method such
  as IPSec [RFC4301] is used to provide additional confidentiality and
  security.  Should experience show that such deployments are useful,
  this specification could be moved to standards track.

(2) In a related point, the next to last paragraph in the Introduction states:

  Since "bare" TCP does not provide for confidentiality or enable
  negotiation of credible ciphersuites, its use is not appropriate for
  inter-server communications where strong security is required.  As a
  result the use of "bare" TCP transport (i.e., without additional
  confidentiality and security) is NOT RECOMMENDED, as there has been
  little or no operational experience with it.

Why isn't this a "MUST NOT be used without TLS, IPsec, or other secure
upper layer"?

(3) The security considerations should include a statement along the same lines
as discussed in (2) - e.g., MUST NOT be used unless TLS or IPsec is used in conjunction.

[Ballot discuss]
This is a good document, but there are a few issues that should be addressed before publication.

(1) The document is inconsistent regarding the applicability of this protocol.

From the Abstract, where "It" refers to this document:

                                                                                          It is not intended
  to define TCP as a transport protocol for RADIUS in the absence of
  TLS.

but the last paragraph in the Introduction states:

  "Bare" TCP transport MAY, however, be used when another method such
  as IPSec [RFC4301] is used to provide additional confidentiality and
  security.  Should experience show that such deployments are useful,
  this specification could be moved to standards track.

(2) In a related point, the next to last paragraph in the Introduction states:

  Since "bare" TCP does not provide for confidentiality or enable
  negotiation of credible ciphersuites, its use is not appropriate for
  inter-server communications where strong security is required.  As a
  result the use of "bare" TCP transport (i.e., without additional
  confidentiality and security) is NOT RECOMMENDED, as there has been
  little or no operational experience with it.

Why isn't this a "MUST NOT be used without TLS, IPsec, or other secure
upper layer?

(3) The security considerations should include a statement along the same lines
as discussed in (2) - e.g., MUST NOT be used unless TLS or IPsec is used in conjunction.

(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the document
and, in particular, does he or she believe this version is ready
for forwarding to the IESG for publication?

Bernard Aboba is the document shepherd. I have personally reviewed
the document, and believe it is ready for publication as an Experimental
RFC.

(1.b) Has the document had adequate review both from key members of
the interested community and others? Does the Document Shepherd
have any concerns about the depth or breadth of the reviews that
have been performed?

The document has undergone review within the community of RTLS
implementers, as well as within the RADEXT WG. It could benefit
from additional review by the transport community.

(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective, e.g.,
security, operational complexity, someone familiar with AAA,
internationalization or XML?

This document should be reviewed by the Transport Directorate prior
to publication.

(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he or
she is uncomfortable with certain parts of the document, or has
concerns whether there really is a need for it. In any event, if
the interested community has discussed those issues and has
indicated that it still wishes to advance the document, detail
those concerns here.

As noted in Section 2.5, there are situations (such as NAS avalanche
restart)
where a proxy implementing RADIUS over TCP/TLS would be unable to keep up
with the UDP packets generated by NAS devices not implementing the
congestion control algorithm described in RFC 5080 Section 2.2.1.

(1.e) How solid is the consensus of the interested community behind
this document? Does it represent the strong concurrence of a few
individuals, with others being silent, or does the interested
community as a whole understand and agree with it?

There is consensus within the RADEXT WG to publish the document as
an Experimental RFC.

(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

No.

(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See
http://www.ietf.org/ID-Checklist.html and
http://tools.ietf.org/tools/idnits/). Boilerplate checks are not
enough; this check needs to be thorough. Has the document met all
formal review criteria it needs to, such as the MIB Doctor, media
type and URI type reviews?

idnits is clean:

idnits 2.12.00

tmp/draft-ietf-radext-tcp-transport-05.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see
http://trustee.ietf.org/license-info):
----------------------------------------------------------------------------

No issues found here.

Checking nits according to http://www.ietf.org/ietf/1id-guidelines.txt:
----------------------------------------------------------------------------

No issues found here.

Checking nits according to http://www.ietf.org/ID-Checklist.html:
----------------------------------------------------------------------------

No issues found here.

Miscellaneous warnings:
----------------------------------------------------------------------------

No issues found here.

Checking references for intended status: Experimental
----------------------------------------------------------------------------

-- Unexpected draft version: The latest known version of
draft-ietf-radext-status-server is -03, but you're referring to -06.
(However, the state information for draft-ietf-radext-status-server is
not up-to-date. The last update was 2009-02-13)

Summary: 0 errors (**), 0 warnings (==), 1 comment (--).


(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that are
not ready for advancement or are otherwise in an unclear state?
If such normative references exist, what is the strategy for their
completion? Are there normative references that are downward
references, as described in [RFC3967]? If so, list these downward
references to support the Area Director in the Last Call procedure
for them [RFC3967].

The references in the document have been split into normative and
informative.

Normative references are all stable documents published as RFCs.

(1.i) Has the Document Shepherd verified that the document IANA
consideration section exists and is consistent with the body of
the document? If the document specifies protocol extensions, are
reservations requested in appropriate IANA registries? Are the
IANA registries clearly identified? If the document creates a new
registry, does it define the proposed initial contents of the
registry and an allocation procedure for future registrations?
Does it suggested a reasonable name for the new registry? See
[I-D.narten-iana-considerations-rfc2434bis]. If the document
describes an Expert Review process has Shepherd conferred with the
Responsible Area Director so that the IESG can appoint the needed
Expert during the IESG Evaluation?

The IANA Considerations section exists (section 4). It requires no
action by IANA.

(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML code,
BNF rules, MIB definitions, etc., validate correctly in an
automated checker?

Not applicable.

(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Writeup? Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary

RADIUS has traditionally used UDP as its underlying transport layer, for
reasons described in RFC 2865 Section 2.4. This document defines RADIUS
over TCP, in order to address handling issues related to RADIUS over TLS
(RTLS). It is not intended to define TCP as a transport protocol for
RADIUS in the absence of TLS.

Working Group Summary

This document is part of a set (including the Status-Server and RTLS
specifications) which together define RADIUS over TLS (RTLS).
This document has completed RADEXT WG last call, with the primary
areas of discussion relating to liveness detection and congestion control.

Document Quality

The document has been reviewed by IETF RADEXT WG members.

RADIUS over TCP/TLS has been implemented by multiple vendors,
including RADIATOR and FreeRADIUS. The protocol is currently
deployed by EDUROAM, an educational roaming consortium supporting
more than one million users worldwide. As a result, the document
reflects operational experience.

Personnel

Bernard Aboba is the document shepherd for this document.
Dan Romascanu is the responsible AD.