Extended Attributes
DESCRIPTION
Extended Attributes. RADEXT - Interim. Alan DeKok, FreeRADIUS. Requirements: more RADIUS attribute types (256 is too limited); standard support for “long” attributes (> 253 octets); better grouping (RFC 2868 tags are inadequate). Un-requirements: systems which were discussed and rejected.
TRANSCRIPT
Extended Attributes
RADEXT - Interim
Alan DeKok, FreeRADIUS

Requirements
• More RADIUS Attribute Types
  • 256 is too limited
• Standard support for “long” attributes
  • > 253 octets
• Better grouping
  • RFC 2868 tags are inadequate

Un-Requirements
• Systems which were discussed and rejected
  • too complex
  • too limited
  • which can’t be applied to existing RFCs

Current Attributes

  Type      Length    Value …
  1 octet   1 octet   1..253 octets

Extended Attributes

  Type      Length    Ext-Type   Value …
  1 octet   1 octet   1 octet    1..252 octets

That’s pretty much it.
• “Steal” one octet of “value” for extended types
• Allocate 4 attributes of this format
  • 241, 242, 243, 244
• Solves the “need more attributes” problem
• Allows for ~1K new attributes

Naming
• We need to name the new attribute types.
• Use SNMP / IP Address style “dotted number”
  • 241.{1-255}
  • 241.1 “This-Is-A-New-attr”
• Versus
  • 1 “User-Name”
• Naming applies only for the IANA registry

Grouping
• Better grouping by defining a TLV data type
• Already in WiMAX, 3GPP2, and other SDOs / vendors.

TLV Data Type

  TLV-Type   TLV-Length   Value …
  1 octet    1 octet      1..253 octets

TLV in Ext-Attribute

  Type      Length        Ext-Type   TLV-Type   TLV-Length   Value …
  1 octet   1 octet = 9   1 octet    1 octet    1 octet      4 octets

TLVs in Ext-Attribute

  Type      Length         Ext-Type   TLV-Type   TLV-Length   Value …    TLV-Type’   TLV-Length’   Value’ …
  1 octet   1 octet = 29   1 octet    1 octet    1 octet      4 octets   1 octet     1 octet       18 octets

TLV Properties
• Can carry any existing or future data type
  • Including TLVs.
• Multiple TLVs can be in one Ext-Attr
  • Nested or concatenated
• Nesting is limited only by TLV-Length field
  • 253 / 3 =~ 80
• Practicalities show a depth of 5 is sufficient

TLV Naming
• Leverage the same “dotted number” notation!
  • 241.1.2
    • RADIUS Attr 241, of type “ext-attr”
    • Extended Attr 1, data type “tlv”
    • TLV 2, data type “integer”
• Allows for ~250 fields in a struct
• Extends type space past 1K attributes

“Long” Attributes
• Leverage the Ext-Type format
• Allocate 2 attributes of this type
  • 245, 246
• Add another field: “flags”
• Standard way to say “more than 253 octets of data”

Long Ext Attributes

  Type      Length    Ext-Type   Flags     Value …
  1 octet   1 octet   1 octet    1 octet   1..251 octets

Flags
• 1 bit of “M” for More (or continuation)
  • Same meaning as existing ext-attrs / WiMAX
• 7 bits of “reserved”
  • We have no idea what to do with these
  • It’s likely that these will never be used

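The Ext-Attr, nested-TLV and long-attribute layouts from the preceding slides as a bounds-checked decoder, added here as an example (it is not the presentation's or FreeRADIUS's code). Assumptions: the dictionary entries are constructed, the “M” bit is taken as the high bit of Flags (the slides fix no position), and TLV-Length counts its own two-octet header the way RADIUS Length does.

```python
import struct
# Constructed dictionary in the slides' dotted notation (assumed entries, not an IANA registry).
DICT = {"241.1": "tlv", "241.1.2": "integer", "241.1.3": "string", "245.7": "string"}
FLAG_MORE = 0x80  # assumed bit position of the 1-bit "M" (More) flag; the slides fix no position

def decode_value(name, raw, depth):
    dtype = DICT.get(name, "string")
    if dtype == "integer":                     # struct rejects anything but exactly 4 octets
        return struct.unpack("!I", raw)[0]
    return parse_tlvs(raw, name, depth + 1) if dtype == "tlv" else raw

def parse_tlvs(buf, prefix, depth):
    # TLV-Length counts its own 2-octet header (like RADIUS Length), so Value is 1..253 octets.
    if depth > 5:                              # the slides note a depth of 5 is sufficient
        raise ValueError(f"{prefix}: TLV nesting deeper than 5")
    out, pos = {}, 0
    while pos < len(buf):
        ttype, tlen = buf[pos], (buf[pos + 1] if pos + 1 < len(buf) else 0)
        if tlen < 3 or pos + tlen > len(buf):  # bound the length before trusting it
            raise ValueError(f"{prefix}.{ttype}: bad TLV-Length {tlen} at offset {pos}")
        name = f"{prefix}.{ttype}"
        out[name] = decode_value(name, buf[pos + 2:pos + tlen], depth)
        pos += tlen
    return out

def parse_attrs(buf):
    """Parse a run of RADIUS attributes into {dotted_name: value}, reassembling long attrs."""
    out, frags, pos = {}, {}, 0
    while pos < len(buf):
        atype, alen = buf[pos], (buf[pos + 1] if pos + 1 < len(buf) else 0)
        if alen < 3 or pos + alen > len(buf):
            raise ValueError(f"attr {atype}: bad Length {alen} at offset {pos}")
        body, pos = buf[pos + 2:pos + alen], pos + alen
        if atype in (241, 242, 243, 244, 245, 246):
            is_long = atype >= 245                 # 245/246 add a Flags octet after Ext-Type
            if len(body) < 2 + is_long:            # Ext-Type [+ Flags] + at least 1 Value octet
                raise ValueError(f"attr {atype}: too short for the extended format")
            name, value = f"{atype}.{body[0]}", body[1 + is_long:]
            if is_long and body[1] & FLAG_MORE:    # M set: keep the fragment, wait for the rest
                frags[name] = frags.get(name, b"") + value
                continue
            out[name] = decode_value(name, frags.pop(name, b"") + value, 1)
        else:
            out[str(atype)] = body                 # classic attribute, e.g. 1 "User-Name"
    if frags:
        raise ValueError("long attribute without final fragment: " + ", ".join(frags))
    return out
# Constructed sample: the slides' 29-octet Ext-Attr (two TLVs), then a long attr in two fragments.
SAMPLE = (bytes([241, 29, 1, 2, 6]) + struct.pack("!I", 42) + bytes([3, 20]) + b"eighteen octets!!!"
          + bytes([245, 8, 7, FLAG_MORE]) + b"abcd" + bytes([245, 7, 7, 0]) + b"efg")
```

`parse_attrs(SAMPLE)` yields `241.1` as a dict of its two TLVs (`241.1.2` = 42, `241.1.3` = the 18-octet string) and `245.7` reassembled from both fragments; every Length and TLV-Length is checked against the remaining buffer before use, so a truncated packet or a dangling fragment raises ValueError rather than reading past the data.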
Additional notes
• 24{1-6}.26 are VSAs
  • Allows for many more VSAs
• 24{1-6}.{241-255} are reserved
• No “experimental” or “implementation-specific”
  • They have not been useful
• Detailed instructions for IANA are included

Motivation
• RADEXT discussions have been long
• We need a solution soon (i.e. within 2-3 years)
• All other solutions are more complex
• Attribute audit shows the needs to be simple

Attribute Audit

  Count   Data Type
  2257    integer
  1762    text
   273    IPv4 Address
   235    string
    96    other data types
    35    IPv6 Address
    18    date
     4    Interface Id
     3    IPv6 Prefix
  4683    Total

• Public dictionaries
  • ~100 vendors
• 55% or more are “short” (<20 bytes)
• ~20 “long” attributes

Summary
• > 1K of new attribute space
  • With TLVs, potentially 10’s of 1000’s
• Grouping via TLVs
  • Proven to work in SDO VSAs
• Standard way to have “long” attrs
  • No more “ad hoc method”

Implementations
• In FreeRADIUS “stable” branch
  • http://git.freeradius.org
• Implements TLVs, basic type
  • No support for “long attrs”

Questions?