1 / 6

Diego R. Lopez - Telefónica ( diego@tid.es )

Support of fragmentation of RADIUS packets in authorization exchanges draft - perez - radext -radius-fragmentation IETF87 – RADEXT. Diego R. Lopez - Telefónica ( diego@tid.es ). Status. - 06 submitted for WG adoption Comments received during -05 WG adoption discussions

libra
Download Presentation

Diego R. Lopez - Telefónica ( diego@tid.es )

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Support of fragmentation of RADIUS packets in authorization exchangesdraft-perez-radext-radius-fragmentation IETF87 – RADEXT Diego R. Lopez - Telefónica (diego@tid.es)

  2. Status • -06 submitted for WG adoption • Comments received during -05 WG adoption discussions • Comments to the fragmentation mechanism description • Clearer discussion on the addressed use cases and alternatives in the introduction • Satisfy ABFAB requirements on supporting chunked data transfer prior to the authentication flow • New introductory sections emphasizing the scope of the document • The introduction itself • A new section (2, “Scope of this document”) delimiting the scenarios where the document is intended to be applied • Focused on authorization exchanges • Considering a title and filename change • Along with adoption • “Support of fragmentation of RADIUS packets in authorization exchanges” • …-radext-radius-authz-fragment

  3. WG Adoption • Comments received addressed in -06 • Including a solution acceptable to ABFAB on pre-authentication exchanges • And a clearer scoping • So here we go again

  4. AuthN and AuthZ • A RADIUS conversation is decomposed in three phases: • RADIUS pre-authorization (like a SAML request expressing a required LoA) • RADIUS authentication (like standard RADIUS-EAP) • RADIUS post-authorization (like a SAML response) • Phases are bound through *references* (e.g. State attribute). • Phase (1) finishes with a token which is used in the Access-Request for phase (2).  • Phase (2) finishes with a token in the Access-Accept, which provides a link to phase (3). • Fragmentation is supported in phases 1 and 3 • Phase 2 is unaltered • Fragmentation is based on Access-Request/Access-Accept rounds

  5. Implementation Goals • Implement draft-perez-radext-radius-fragmentation • Serve as a proof of feasibility • Provide on-the-wire feedback for the specification • Proof of concept • Intended for validating the fragmentation mechanism • Work through out-of-the-box FreeRadius proxies • No need of RADIUS fragmentation support on existing/deployed proxies • Open source • Source code contributed to FreeRADIUSavailable

  6. Implementation Details • Based on FreeRadius 2.1.12 • Client based on FreeRadiusradeapclient • Currently implements -04 • Will be updated accordingly once consensus is reached https://libra.inf.um.es/~alex/freeradius-server-2.1.12-fragmentation-support.tar.gz https://libra.inf.um.es/~alex/fragmentation-support-2.1.12.diff

More Related