Extended Attributes
23
Extended Attributes RADEXT - IETF 79 Alan DeKok FreeRADIUS Avi Lior Bridgewater
-
Upload
zedekiah-louis -
Category
Documents
-
view
26 -
download
0
description
Extended Attributes. RADEXT - IETF 79. Alan DeKok FreeRADIUS Avi Lior Bridgewater. Requirements. More RADIUS Attribute Types 256 is too limited Standard support for “long” attributes > 253 octets Better grouping RFC 2868 tags are inadequate. Un-Requirements. - PowerPoint PPT Presentation
Transcript of Extended Attributes
Extended Attributes
RADEXT - IETF 79
Alan DeKokFreeRADIUS
Avi LiorBridgewater
RADEXT - IETF 79
Requirements• More RADIUS Attribute Types
• 256 is too limited
• Standard support for “long” attributes
• > 253 octets
• Better grouping
• RFC 2868 tags are inadequate
RADEXT - IETF 79
Un-Requirements
• Systems which were discussed and rejected
• too complex
• too limited
• which can’t be applied to existing RFCs
RADEXT - IETF 79
Current Attributes
Type
1 octet
Length
1 octet
Value …
1..253 octets
RADEXT - IETF 79
Extended Attributes
Type
1 octet
Length
1 octet
Ext-Type
1 octet
Value …
1..252 octets
RADEXT - IETF 79
That’s pretty much it.
• “Steal” one octet of “value” for extended types
• Allocate 4 attributes of this format
• 241, 242, 243, 244
• Solves the “need more attributes” problem
• Allows for ~1K new attributes
RADEXT - IETF 79
Naming• We need to name the new
attributes types.
• Use OID style “dotted number”
• 241.{1-255}
• 241.1 “This-Is-A-New-attr”
• Versus
• 1 “User-Name”
• Naming applies only for the IANA registry
RADEXT - IETF 79
Grouping
• Better grouping by defining a TLV data type
• Already in WiMAX, 3GPP2, and other SDOs / vendors.
RADEXT - IETF 79
TLV Data Type
TLV-Type
1 octet
TLV-Length
1 octet
Value …
1..253 octets
RADEXT - IETF 79
TLV in Ext-Attribute
Type
1 octet
Length
1 octet = 9
Ext-Type
1 octet
TLV-Type
1 octet
TLV-Length
1 octet = 6
Value …
4 octets
RADEXT - IETF 79
TLVs in Ext-Attribute
Type
1 octet
Length
1 octet = 29
Ext-Type
1 octet
TLV-Type
1 octet
TLV-Length
1 octet = 6
Value …
4 octets
TLV-Type’
1 octet
TLV-Length’
1 octet = 20
Value’ …
18 octets
RADEXT - IETF 79
TLV Properties• Can carry any existing or future data type
• Including TLVs.
• Multiple TLVs can be carried in one Ext-Attr
• Nested or concatenated
• Nesting is limited only by TLV-Length field
• 253 / 3 =~ 80
• Practicalities show a depth of 5 is sufficient
RADEXT - IETF 79
TLV Naming• Leverage the same “dotted number” notation!
• 241.1.2
• RADIUS Attr 241, of type “ext-attr”
• Extended Attr 1, data type “tlv”
• TLV 2, data type “integer”
• Allows for ~250 fields in a struct
• Extends type space past 1K attributes
RADEXT - IETF 79
“Long” Attributes
• Leverage the Ext-Type format
• Allocate 2 attributes of this type
• 245, 246
• Add another field: “flags”
• Standard way to say “more than 253 octets of data”
RADEXT - IETF 79
Long Ext Attributes
Type
1 octet
Length
1 octet
Ext-Type
1 octet
Flags
1 octet
Value …
1..251 octets
RADEXT - IETF 79
Flags• 1 bit of “C” for Continuation
• Same meaning as existing ext-attrs / WiMAX
• 7 bits of “reserved”
• We have no idea what to do with these
• It’s likely that these will never be used
RADEXT - IETF 79
Additional notes• 24{1-6}.26 are VSAs
• Allows for many more VSAs
• 24{1-6}.{241-255} are reserved
• No “experimental” or “implementation-specific”
• They have not been useful
• Detailed instructions for IANA are included
RADEXT - IETF 79
Motivation• RADEXT discussions have been
long
• We need a solution soon (i.e. within 2-3 years)
• All other solutions are more complex
• Attribute audit shows the needs to be simple
Attribute AuditCount Data Type
2257 integer
1762 text
273 IPv4 Address
235 string
96 other data types
35 IPv6 Address
18 date
4 Interface Id
3 IPv6 Prefix
4683 Total
• Public dictionaries
• ~100 vendors
• 55% or more are “short” (<20 bytes)
• ~20 “long” attrs (253+ octets)
• a “simple” solution seems to be best
RADEXT - IETF 79
Implementations• In FreeRADIUS “stable” branch
• http://git.freeradius.org
• Implements TLVs, basic type
• No support for “long attrs”
• IEA Software• http://www.iea-software.com/products/radlogin4.cfm
• Full support
RADEXT - IETF 79
To Do• Define a “VSA” data type
• To be used by the 6 new “VSA” attributes
• Easier than repeating attribute definitions
• More “guideline” recommendations
• Hopefully simple
• More examples
• More clarifications
RADEXT - IETF 79
Summary• > 1K of new attribute space
• With TLVs, potentially many 1000’s
• Grouping via TLVs
• Proven to work in SDO VSAs
• Standard way to have “long” attrs
• No more “ad hoc method”
RADEXT - IETF 79
Questions?
