ietf
[Top] [All Lists]

AW: Last Call: draft-ietf-geopriv-radius-lo (Carrying LocationObjects in RADIUS

2007-05-22 12:27:27
Hi Bernard, 

Thank you for your review comments. Please find my response below. 

Review of draft-ietf-geopriv-radius-lo-10.txt

Overview comments:

Overall, this document includes many normative statements relating
to privacy in a number of sections.   As it stands, this makes it very
difficult to understand exactly what privacy support will be provided
in various scenarios.   I would strongly urge that these statements
be consolidated into a single section.

In terms of RADIUS protocol usage, there are a few problems
(violation of a MUST NOT provision in RFC 3576, use of non-standard
RADIUS data types, inappropriate use of complex attributes)

There are also a lot of editorial issues that need to be cleaned up.

Given everything, this  document requires substantial  work before
it would be suitable for publication as an RFC.

Section 1

   Wireless LAN (WLAN) access networks are being deployed in public
   places such as airports, hotels, shopping malls, and 
coffee shops by
   a diverse set of operators such as cellular network operators (GSM
   and CDMA), Wireless Internet Service Providers (WISPs), and fixed
   broadband operators.

As noted later on, these attributes are not limited to use with WLAN
networks, but the relationship to user location is probably stronger
with WLAN or LAN access than other access types.  I think you need
to talk about this.

From a certain point of view the location determination techniques
determine the location corresponding to some sort of device. The type of
device is different depending on the environment. 

I could mentioned this fact and that there does not necessiarly need to
be a 1:1 relationship between the device and the user. For example, I
was told that in certain places in Africa it is very common to share
your mobile phone with a bunch of people (since the costs for a mobile
phone itself are rather high compared to the income there). 


   When a user executes the network access authentication procedure to
   such a network, information about the location and 
ownership of this
   network needs to be conveyed to the user's home network to 
which the
   user has a contractual relationship.

The use of the term "need" seems wrong here, since
one of the goals of the document is to guard the privacy of location
information, only providing it where there is "need to know".

What about 

"
   When a user executes the network access authentication procedure to
   such a network, information about the location and ownership of this
   network may be conveyed to the user's home network to which the
   user has a contractual relationship.
"


   This document describes AAA attributes, which are used by a AAA
   client or a AAA proxy in an access network, to convey location-
   related information to the user's home AAA server.

The use of the term "AAA" here is a bit confusing.  If the attributes
are applicable to both RADIUS and Diameter, this should be explicitly
stated. 


I'll use RADIUS instead of AAA throughout the document, and I'll make a
statement here, as well as in section 7, that the attributes are
applicable to Diameter.



   Although the proposed attributes in this draft are intended for
   wireless LAN deployments, they can also be used in other types of
   wireless and wired networks whenever location information is
   required.

I'd suggest this paragraph be combined with the first paragraph.

Ok


   Location information needs to be protected against unauthorized
   access and distribution to preserve the user's privacy. 
[10] defines
   requirements for a protocol-independent model for the access to
   geographic location information.  The model includes a Location
   Generator (LG) that creates location information, a Location Server
   (LS) that authorizes access to location information, a Location
   Recipient (LR) that requests and receives information, and a Rule
   Maker (RM) that provides authorization policies to the LS which
   enforces access control policies on requests to location 
information.

I would talk a bit more about the privacy model in general terms, such
as what protections it is designed to provide.

I don't think I should write too much in the introduction itself since
we have other sections dealing with these issues. 


Section 2

   Based on today's protocols we assume that the location 
information is
   provided by the access network where the end host is attached.  As
   part of the network attachment authentication to the AAA server
   location information is sent from the AAA client to the AAA server.

Earlier, the document refers to use by a AAA proxy.  Could you say
a few words about where the information originates (e.g. may originate
on the NAS, or may be added a proxy).  Somewhere it is also worth
stating that existing RADIUS attributes may also provide location
information (e.g. NAS-Identifier).

I should add "AAA proxy" to the above paragraph.

It depends on the deployment where location information is added. 



   The authenticated identity might refer to a user, a device or
   something else.  Although there might often be a user 
associated with
   the authentication process (either directly or indirectly; 
indirectly
   when a binding between a device and a user exists) there is no
   assurance that a particular real-world entity (such as a person)
   triggered this process.

Is the distinction between a user, device or machine identity
relevant for the purposes of a privacy discussion?  This paragraph
leaves me wondering whether there is a legal distinction that
is relevant to the protocol design.


This document does not attempt to make distinctions for any purpose
among the end-user (a person), a device or something else, any of which
trigger authenticated identity in RADIUS and which may be the target of
location information.  For the purpose of discussions of location
privacy, it is not necessary that a means of determining an end-user
presence is found nor that an end-user be bound and present.


   Since location based authorization is
   executed based on the network access authentication of a particular
   "user" it might be reasonable to talk about user's privacy within
   this document even though scenarios exist where this might 
not apply
   (and device or network privacy might be the better term).

Maybe you need to define the term "user" in the document as being
either a user, device or machine identity in order to clarify this.

Does my comment above help?


   Furthermore, the authors believe that there is a 
relationship between
   the NAS (or other nodes in the access network) and the location of
   the entity that triggered the network access 
authentication, such as
   the user.

Why? If the NAS is a VPN server, then the user might be 
located halfway
around the world.  Might make more sense to say "depending on the
type of access being provided, there may be a close relationship...."

I agree with deleting.


You might give examples:

1) WLAN has limited range when deployed with an omni-directional
antenna, so user is probably close to the NAS in geospatial
(but not necessarily civil) terms.  Also, some WLAN
access points can use "time of arrival" or other processing
techniques to determine user location accurately;
2) In LAN access, the user can't be further away from the switch
than cable length will permit.
3) Dialup or VPN user could be very far away from the NAS;

Agree



If you talk about this a bit, it might help clarify why the document
is mostly for WLAN/LAN access.

Let's not make our document only on WLAN/LAN


   The NAS might in many cases know the location of the end
   host through various techniques (e.g., wire databases, wireless
   triangulation).  Knowing the location of a network (where 
the user or
   end host is attached) might in many networks also reveal enough
   information about the location of the user or the end host.  A
   similar assumption is also made with regard to the location
   information obtained via DHCP (see for example [4]).

The DHCP case might be analagous to WLAN/LAN, but it is not analagous
to the case of VPN or dialup access where the NAS and user could be
separated by thousands of miles.

True. You raised this point in one of your previous comments. 



   This
   information might be used by applications in other 
protocols (such as
   SIP [11] with extensions [12]) to indicate the location of a
   particular user even though the location "only" refers to the
   location of the network or equipment within the network.  This
   assumption might not hold in all scenarios but seems to be 
reasonable
   and practicable.

I think you need to say that the assumption can be presumed to hold
for certain values of the NAS-Port-Type attribute (e.g. LAN or
WLAN access).  In others it may not hold.

Okay so can we say for which values of NAS-Port-Type?


Note that I modified the introduction somewhat to address your comments.



Section 3

   Location Objects, which consist of location information and privacy
   rules, are transported via the RADIUS protocol from the 
AAA client to
   the AAA server.  A few attributes are introduced for this 
purpose, as
   listed in Section 5, whereby delivery to the RADIUS server 
can happen
   during the authentication/authorization phase (described in
   Section 3.1), or in the mid-session using the dynamic authorization
   protocol framework (described in Section 3.2).  This section
   describes messages flows for both delivery methods.

To me, it makes more sense to talk about what packets the location
information can be delivered in, rather than "phases".  For example,
location is delivered in Access-Request or Accounting-Request packets.
Whether the Access-Request was triggered by dynamic authorization or
a new user login is not important.  Also, this paragraph 
seems to suggest
that dynamic authorization is required to obtain mid-session location
information.  Since location can be provided interim 
accounting packets,
this is not really true.  Perhaps the point is that dynamic 
authorization
allows the information to be provided on demand.

The information about location information being carried in
Access-Requests, Accounting-Requests, etc. is in the text. 

I can add your statement about dynamic authorization. 


Section 3.1

   Figure 1 shows an example message flow for delivering location
   information during the network access authentication and
   authorization procedure.  Upon a network authentication 
request from
   an access network client, the NAS submits a RADIUS Access-Request
   message that contains location information attributes among other
   required attributes.  These attributes are added based on various
   criteria (such as local policy, business relationship with
   subscriber's home network provider and in case of location
   information also by considering privacy policies).

Even though Figure 1 mentions "out of band agreement" the text doesn't
elaborate on what this means.

Out-of-band refers to some deployment environments where you send
location information right away. For example, in your enterprise network
the AAA server requests location information from the NASes all the
time. 

Since Figure 1 shows location information provided in
an Accounting-Request, the first sentence isn't quite right.

Good catch.

Given the privacy issues, I think you need to qualify what
"location information" means in the second sentence. Do you
mean that the user location is being supplied by the NAS?

Location information might be added by the NAS or by the AAA proxy,
depending on the deployment. 
Depending on the location determination techniques available in the
network there might not be an option to provide the location information
of the end device. 

I think you need to say something about the default settings
(e.g. location provided, or not?)

I said something about the default settings in the document. 
Per-default you don't sent location information (if no other information
is known). 


 Backward compatiblity issues
also probably deserve some discussion here. You might say
a few words about when this flow might occur (e.g. challenge-incapable
NAS).

We cover this case. The challenge-incapable NAS does not send the hint
that it is challenge-capable and hence the RADIUS server understands
that it cannot challenge the NAS for location information. 


Figure 1 uses the term "Network Access Client" which isn't
defined in terminology or used in other RADIUS RFCs.  I would change
all uses of this term to "User".

OK.


   If the AAA server needs to obtain location information also in
   accounting messages then it needs to include a Requested-Info
   attribute to the Access-Accept to express that is desired 
(if privacy
   policy allow it) and the Network Access Server SHOULD then include
   location information to the RADIUS accounting messages .

I think you should say something about the packets within which the
location information can be delivered in Section 1.  Something like:
"This document enables a RADIUS server to request the delivery of
location information within Access-Request packets, or additionally,
within Accounting-Request packets."

OK



Section 3.2

This section is problematic since it specifies RADIUS attribute
usage prohibited by RFC 3576 Section 3, which states:

   Where a Service-Type Attribute with value "Authorize Only" is
   included within a CoA-Request or Disconnect-Request, attributes
   representing an authorization change MUST NOT be included; only
   identification attributes are permitted.


This is correct.  And the violation is that we have included the
Requested-Info attribute.  And in fact, in the Requested-Info attribute
section we
says that the attribute MAY appear in Access-Accept or Access-Challenge.


If the desire is to change the location information being provided
(e.g. to turn on location in accounting packets, or deliver different
types of location) why couldn't a CoA-Request be sent without an
"Authorization-Only" Service-Type?  If the desire is to request
location immediately, couldn't this be encoded in the Request-Info
attribute?  There seem to be ways to achieve the goal without
violating RFC 3576.

The other reason or intent of this section is to make sure that
when the client upon receiving a COA (Authorize-Only) responds back with
an Access-Accept it include location information if it did so in a
previous Access-Request.  This is to cover the case where the AAA server
will need the location information to respond back in an Access-Accept
or Access-Reject.

It is true that the functionality can be accomplished without providing
the Requested-Info in the COA. 


Later on in the section, it is stated:

   Since location information can be sent in accounting records
   (including accounting interim records), RFC 3576 [5] is only needed
   for authorization changes.

Given this, it would appear that the need to obtain location 
mid-session
is best met by another technique, and that use of CoA-Request packets
is only a corner case.  Given that RFC 3576 is not widely implemented,
I'd expect the accounting approach to be more applicable, at least
without an explanation about why this isn't a good idea (e.g. might
not need location info with each interim accounting update).

Agreed.  The intent of using COA etc was NOT to get a location
information mid session.  But rather to make sure that if the AAA client
is sending an access request then it should include the location
information so that the AAA server can compute the authorization
decision based on location if need be.


Also, this section doesn't talk about when a RADIUS server can
send a CoA-Request containing a Request-Info attribute.  Wouldn't
this be restricted to cases where the NAS has previously included
a Location-Information or Challenge-Capable attribute?

The statement is true and obvious so I am not sure we would have
to address it.


Section 4

I'm not clear this section should exist as a standalone 
entity. It might
be best to delete Section 4.2 entirely and integrate Section 4.1 with
Sections 1 or 2.

I do not have a big preference. I can do that.


Section 4.1

   The home network operator requires location information for
   authorization and billing purposes.  The operator may deny 
service if
   location information is not available, or it may offer limited
   service only.  The NAS delivers location information to 
the home AAA
   server.

   The location of the AAA client and/or the end host is transferred
   from the NAS to the RADIUS server (based on a pre-established
   agreement or if the RADIUS server asks for it under 
consideration of
   privacy policies).  The NAS and intermediaries (if any) are not
   allowed to use that information other than to forward it 
to the home
   network.

Are the terms "NAS" and "AAA client" used interchangeably 
here?  If so,
can we primarily use one term (NAS seems best)?

Ok. I can avoid the usage of AAA client.



   The NAS and intermediaries (if any) are not
   allowed to use that information other than to forward it 
to the home
   network.

Intermediaries (e.g. AAA proxies) sometimes log Accounting-Request
packets, since they may need them for billing purposes.  
Since billing is
one of the uses of location information, I don't think you 
can prohibit
that.  Also, what does it mean for the NAS to "use" location 
information?

I think I should change that sentence. From a technical point of view,
you cannot prevent the NAS from doing anything. 
Intermediaries might indeed use Accounting-Request information for
billing purposes. 
They must, however, not use the information for non-intented purposes,
such as making the information available for marketing purposes. 
 

Some NASes have stable storage, so they might write Accounting-Request
packets to stable storage prior to delivery.  Or they might retain
location information in memory.  Do you mean that that the 
NAS or proxies
can't provide the location information to unauthorized 
parties?

Unauthorized parties is a good term here and they must not use the
information other than for the intended purpose. 

 Or do you
mean that proxies MUST respect the privacy policies they 
receive from the
RADIUS server?

Yes. That's stated later in the document. 


   The RADIUS server authenticates and authorizes the user requesting
   access to the network.  If the user's location policies 
are available
   to the RADIUS server, the RADIUS server MUST deliver those policies
   in an Access Accept to the RADIUS client.  This information MAY be
   needed if intermediaries or other elements want to act as Location
   Servers (see Section 4.2).  If the NAS or intermediaries do not
   receive policies from the RADIUS server (or the end host 
itself) then
   they MUST NOT make any use of the location information other than
   forwarding it to the user's home network.

I would name the specific attributes rather than just saying "location
policies".  You are essentially saying that some attributes MUST be
included in an Access-Accept packet.  The last sentence is somewhat
more specific than just saying "allowed to use that information".

Ok. I can replace the term "location policies" with the specific
attribute list, namely Basic-Policy-Rules and Extended-Policy-Rules. The
latter one is only relevant if there are indeed extended policies
available. 


   Location Information may also be reported in accounting messages.
   Accounting messages are generated when the session starts, 
stops and
   periodically.  Accounting messages may also be generated when the
   user roams during handoff.  This information may be needed by the
   billing system to calculate the user's bill.  For example, 
there may
   be different tariffs or tax rates applied based on the location.
   Unless otherwise specified by authorization rules, location
   information in the accounting stream MUST NOT be 
transmitted to third
   parties.

Most of this paragraph probably belongs in Section 1 of the document.
I'm unsure what the last sentence means.  I think that the part of
the last sentence from "location..." should probably be combined with
the next sentence, to clarify it:

   Location information in the accounting stream MUST only be sent in
   the proxy chain to the home network (unless specified otherwise).

For example, you might say "Location attributes contained within
Accounting-Request packets MUST only be made available to entities
on the proxy chain between the NAS and the home accounting
server."

Section 4.2

   Location Servers are entities that receive the user's location
   information and transmit it to other entities.  In this second
   scenario, Location Servers comprise also the NAS and the RADIUS
   server.  The RADIUS servers are in the home network, in the visited
   network, or in broker networks.

   Unless explicitly authorized by the user's location 
policy, location
   information MUST NOT be transmitted to other parties outside the
   proxy chain between the NAS and the Home RADIUS server.

   Upon authentication and authorization, the home RADIUS server MUST
   transmit the ruleset (if available) in an Access-Accept.  
The RADIUS
   client, intermediate proxies are allowed to share location
   information if they received ruleset indicates that it is allowed.

Is a "Location Server" somehow different from an entity eligible
to receive location information as described in the previous section?
I'm unclear whether this section is saying anything different from
Section 4.1 with respect to handling of user location information.


In a previous paragraph you mentioned that you would like to see Section
4 and Section 1 or 2 being merged. 
I can look at that. 


Section 5.1

   The Operator-Name attribute SHOULD be sent in Access-Request, and
   Accounting-Request records where the Acc-Status-Type is 
set to Start,
   Interim, or Stop.

Is this attribute only sent in these packets?  If so, I would say:
"MAY only be sent in Access-Request and Accounting-Request..."

The Value type is restricted to use with Integers.  I think that we
are talking about a String here, no?

That's supposed to be a string. 
From a format point of view I just looked one of your documents, namely
RFC 4675 http://tools.ietf.org/html/rfc4675, and  assumed that it would
be fine. 



Section 5.2

   The Location-Information attribute SHOULD be sent in Access-Request
   and in Accounting-Request messages.  For the Accounting-Request
   message the Acc-Status-Type may be set to Start, Interim or Stop.

Is the intent that these attributes are only sent in Access-Request
and Accounting-Request messages?  If so, say "MAY only be sent in..."

Yes; this attribute is only sent in Access-Request and
Accounting-Request messages



I think you are talking about a String type attribute, not an integer,
right?

Yes, this is a String type attribute. 



       The 16-bit unsigned integer value allows to associate
       the Location-Information attribute with
       Location-Info-Civic and Location-Info-Geo
       attributes.

This is not a complete sentence. I think you need to explain that
this attribute is used to provide information relating to the
information included in the Location-Info-Civic and
Location-Info-Geo attributes to which it refers (via the Index).

Ok. 


You should probably also state that this attribute is largely treated
as an opaque blob, like the Location-Info-Civic and Location-Info-Geo
attributes to which it refers.  As a result, it is not expected that
RADIUS servers will need to change code to receive this attribute
(although location applications would have to parse it).

I indicated elsewhere in the document. I could, however, repeat it with
each attribute or put it in Section 1. 


Section 5.3

   Location-Info-Civic attribute SHOULD be sent in 
Access-Request and in
   Accounting-Request messages.  For the Accounting-Request 
message the
   Acc-Status-Type may be set to Start, Interim or Stop.

Change to "MAY only be sent..." if that is the intent.

Please change "Value" to "String".

The token 'Value' in the packet format has nothing todo with the data
type.
Still, the intention was to use the string data type. 


       The 16-bit unsigned integer value allows to associate
       the Location-Info-Civic attribute with the
       Location-Information attributes.

Is there an implication that multiple Location-Information attributes
will have the same Index value?  That doesn't make sense to me.

The relationship is as follows: 

The Location-Information attribute is associated with one or multiple
Location-Info-Civic / Location-Info-Geo attributes via the index.
Different Location-Information attributes will have a different index
value. 



Section 5.4

   Location-Info-Geo attribute SHOULD be sent in Access-Request, and
   Accounting-Request records where the Acc-Status-Type is 
set to Start,
   Interim or Stop if available.

Change to "MAY only be sent" if that is the intent.

Change "Value" to "String"


See response from above. 


Section 5.5

Should the title be "Basic-Policy-Rules Attribute"?

   Policy rules control the distribution of location location
   information.  In some environments the the AAA client 
might know the
   privacy preferences of the user based on pre-configuration or the
   user communicated them as part of the network attachment.

This seems somewhat unlikely.  Do any existing access 
protocols support
user-provided privacy policies?  Or are we talking about generic
NAS privacy settings here?

I agree that it is somewhat unlikely. Still, it would be possible to
enhance network access authentication protocols to support this
functionality. 



   Basic-Policy-Rules attribute SHOULD be sent in an an 
Access-Request,
   Access-Accept, an Access-Challenge, an Access-Reject and an
   Accounting-Request message.

I think you mean "MAY be sent in an Access-Request..."


Why do you think it is a "MAY"?

   o  The AAA client SHOULD NOT attach location information in the
      initial Access-Request message but should rather wait 
for the AAA
      server to receive a challenge for location information.

I think you mean "for the AAA server to send an Access-Challenge..."

Correct. 


I think you are instead saying that "absent NAS settings
to the contrary, the default is..."  This probably should be 
clarified.

With the bugfix the sentence should be clear. 


   o  If a roamig agreement or legal circumstances require the AAA

roamig -> roaming

OK.


      client to transfer location information in the initial Access-
      Request message to the AAA server (even though user specific
      policies are not available to the AAA client) then the access
      network attaches default authorization policies.

Are you saying that a Basic Policy Rules attribute MUST accompany
a Location-Information, Location-Info-Geo or Location-Info-Civic
attribute?

Policies travel with location information. 

The Location-Information attribute points to the Location-Info-Geo
or/and the Location-Info-Civic attribute(s). 
(Note that I changed the name of the attribute in the latest draft.)

      The 'retransmission-allowed' flag MUST be set to '0' meaning
      that the location must not be shared with other parties 
(other than
      forarding them to the user's home network).

Are we saying that sharing of location information is 
controlled by the
're-transmission-allowed' flag and that parties MUST respect the flag?

Yes. That's the idea with these type of policies. 

This seems to contradict earlier MUST statements (which seem to imply
that sharing is not permitted, regardless of the flag value).

I will try to spot these earlier statements and fix them if there are
contraditory statements. 


      In case the home
      network knows the user's privacy policies then these policies
      SHOULD be sent from the RADIUS server to the RADIUS client in a
      subsequent response message and these policies will be 
applied to
      further location dissemination and in subsequent RADIUS
      interactions (e.g., when attaching location information to
      Accounting messages).

What kind of response message?  Do you mean Access-Challenge here
or Access-Accept? 

Access-Challenge & Access-Accept

Is there a reason why a RADIUS server would refuse
to disclose the user's privacy policies?  Should those policies
ever be considered private?

There is no reason not to send the privacy policies. 
But if the RADIUS server does not want to retrieve location information
from the NAS then there is no value in sending the privacy policies from
the RADIUS server to the NAS. 


      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Flags                        | Retention Expires      
      ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Retention Expires                                      
      ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Retention Expires             | Note Well              
      ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Note Well                                              
      ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The design of this attribute is problematic.  It is different from
other complex attributes in that it is sent by the RADIUS server,
and the inclusion of timestamps implies that it needs to be computed
dynamically, rather than treated as an opaque blob.

No. The Retention Expires field is not dynamically computed. 

The statement "NTP timestamp" might have confused you. 

This field specifies an absolute date at which time the Recipient is no
longer permitted to possess the location information. 

Do you see a problem? 


Also, there is an implication elsewhere in the document that the
retransmission bit needs to be respected by RADIUS proxies.  Most
existing RADIUS proxies cannot be configured to look at a specific
octet in an attribute, so this will not be possible.

The retransmission bit is not supposed to be inspected by the proxy
unless it wants to distribute the location for means other than
forwarding to the NAS or to the RADIUS server. In the case where the
proxy wants to make use of location information for some reasons (e.g.,
marketing purposes) then it is not expected too much to also consider
this flag when it already processes the location information parts of
the attributes. 



Is there a reason that this could not be split into separate
unitary attributes, say, one for Retransmission, one for
Retention-Expires and another for Privacy-Policy?  The 
"Retention Expires"
attribute would a 64-bit
Long Integer, the Flags would be a 32-bit integer
and the Note Well would be a string.

This would be much more compatible with the design of existing
RADIUS servers and proxies and would enable privacy policies to
be respected.

See above. 


Section 5.6

   The Extended-Policy-Rules attribute SHOULD be sent in an Access-
   Request, an Access-Accept, an Access-Challenge, an 
Access-Reject and
   in an Accounting-Request message whenever location information is
   transmitted.

Do we mean "MAY be sent" here?

Why do you think it should be a MAY?


I think "String" should be used here instead of "Value"

See my other comments regarding the attribute format. 


Why is Length >=4 (rather than 3)?

Does not make a difference since the URI in the Extended-Policy-Rules
attribute is much longer than one or two octets anyway? 




Section 5.7

Why is the Challenge-Capable attribute defined if it is always
set to 0?  Is the presence of the attribute sufficient to indicate
that the NAS is capable of being challenged so that the value
is irrelevant?

It would make more sense for this to be a 32-bit integer value
that only has a single value defined (1) indicating that the
NAS is capable of being challenged.

Wouldn't that be exactly the same functionality? 

Defining the value as 32-bit integer instead of a string is fine for me.


Are you suggesting to define a registry to manage the value range?  


Section 5.8

   The Requested-Info attribute allows the RADIUS server to indicate
   whether it needs civic and/or geospatial location 
information of the
   NAS or the end host (i.e., the entities that are indicated in the
   Entity field of the Location-Information attribute).

Can't the RADIUS server ask for both NAS and end host information?

The RADIUS server can ask for NAS and end host location information. 
I will change the sentence to "...location information of the NAS and /
or end host..."



      2.  If the RADIUS server does not receive the requested
          information in response to the Access-Challenge 
(including the
          Requested-Info attribute) then the RADIUS server 
responds with
          an Access-Reject with an Error-Cause attribute 
(including the
          "Location-Info-Required" value).  Note that an Access-Reject
          message SHOULD only be sent if the RADIUS server MUST use
          location information for returning a positive access control
          decision.

The combination of SHOULD and MUST is confusing.  I think you mean to
say that an Access-Reject MUST only be sent if the RADIUS server
requires location information, but does not receive it, right?

Correct. 



      This is typically the case when location
      information is used for inclusion to the user's bill only.

Rephrase to "is used only for billing".


Ok. 


   If the RADIUS server does not send a Requested-Info attribute then
   the RADIUS client MUST NOT attach location information to 
messages to
   the RADIUS server.  The user's authorization policies, if 
available,
   MUST be consulted by the RADIUS server before requesting location
   information delivery from the RADIUS client.

But earlier it is said that the NAS may send location information by
default,
correct?  Or is an exception being made?

Only if an out-of-band agreement is in place. 



Figure 11 probably belongs earlier in the document.

   The Requested-Info attribute MUST be sent by the RADIUS 
server if it
   wants the RADIUS client to return civic and/or geospatial
   information.  This Requested-Info attribute MAY appear in 
the Access-
   Accept or in the Access-Challenge message.

Earlier it seems to imply that the NAS could sent location information
by out-of-band agreement.  So do you mean to say "in the absence of
an out-of-band agreement..."?

Yes. 


     Requested-Info (64 bits):

       This text field contains an integer value that encodes the
       requested information attributes.
       Each capability value represents a bit position.

It would be clearer to just say that the Requested-Info attribute
defines a bit field, where the information on CIVIC_LOCATION,
GEO_LOCATION, USERS_LOCATION, and NAS_LOCATION can be requested.

BTW, why is a 64-bit value required?  wouldn't 32-bits do as well?

Just wanted to be future-proof. 



Section 6

   If multiple
   Location-Information attributes are sent then they MUST NOT contain
   the same information.

Does this mean "must not have the same Index field?" Or does it mean
that they must not be identical in all respects?

Maybe it is too obvious to mention but if the location information is
the same then you might not want to repeat it. 
Maybe I should just delete the second part of the sentence since it is
common sense. 




Section 8.2

   o  The visited network is able to learn the user's identity.

I think you need a reference to NAI privacy (e.g. RFC 4282 or 
4372) here.

I could do that. 



Section 8.3

This section interrupts the document flow; it would better belong in
an Appendix.


Fine with me.

 


Section 9

   Two entities might act as Location Servers as shown in 
Section 4, in
   Figure 16 and in Figure 17:

I think the sentence should end with a period, not a colon, right?

Yes. 



Section 9.1

   In this scenario it is difficult to obtain authorization policies
   from the end host (or user) immediately when the user 
attaches to the
   network.  In this case we have to assume that the visited network
   does not allow unrestricted distribution of location information to
   other than the intended recipients (e.g., to third party entities).
   When the AAA messages traverses one or more broker networks, the
   broker network is bound by the same guidelines as the 
visited network
   with respect to the distribution of location information.

Are you just saying that proxies need to respect the 
'retransmission' bit?
In practice, they won't be able to do that because their 
policy engines
operate at the attribute, not bit level.  You'll need to have an
individual attribute for retransmission if you want this to work.


You mentioned this issue already previously. 

If the proxy (or an associated entity) wants to use the location
information for some other purpose then it needs to consider the
policies. 
Hence, proxies are going to need to look at the bit, they will need to
be fully location aware and it will be ok to ask them to deal with the
bit.


   The visited network MUST behave according to the following
   guidelines:

   o  Per default only the home network is allowed to receive location
      information.  The visited network MUST NOT distribute location
      information to third parties without seeing the user's privacy
      rule set.

Are you saying that the lack of distribution is the default, absent
receipt of privacy policies to the contrary?  I'd suggest that this
be stated earlier on.

Lack of distribution of geoloc is default and policy bits enable it,
that's how this stuff works.


   o  If the RADIUS client in the visited network learns the 
basic rule
      set or a reference to the extended rule set by means outside the
      RADIUS protocol (e.g., provided by the end host) then it MUST
      include the Basic-Policy-Rules and the Extended-Policy-Rules
      attribute in the Access-Request message towards the home AAA
      server.  Furthermore, the visited network MUST evaluate these
      rules prior to the transmission of location information 
either to
      the home network or a third party.  The visited network MUST
      follow the guidance given with these rules.

This seems quite unlikely.  Is there a reference to a specification
where this is proposed?

Currently, there is no such protocol support available. 
This is a forward-looking statement. 


   o  If the RADIUS client in the visited network receives the Basic-
      Policy-Rules attribute with Access-Accept or the 
Access-Challenge
      message then the Basic-Policy-Rules MUST be attach in subsequent
      RADIUS messages which contain the Location-Information attribute
      (such as interim accounting messages).

attach -> attached

OK.

You need to include this statement in the Attribute Table section 6.
Doesn't it apply to all NASes, not just a visited network?

I could add a sentence to Section 6 that states this fact. However,
there is no way to express this in the table itself. 



   o  If the RADIUS client in the visited network receives 
the Extended-
      Policy-Rules attribute with Access-Accept or the 
Access-Challenge
      message then the Basic-Policy-Rules attribute MUST be attach in
      subsequent RADIUS messages which contain the 
Location-Information
      attribute (such as interim accounting messages).

attach -> attached

OK.


I think this needs to be included in the Attribute Table section 6.
Doesn't it apply to all NASes, not just a Visited network?

Same as above. 
I could add a sentence to Section 6 that states this fact. However,
there is no way to express this in the table itself. 


Section 10

   If no authorization information is provided by the user
   then the visited network MUST set the authorization 
policies to only
   allow the home AAA server to use the provided location information.

This seems to contradict Figure 1 which shows location
information sent by out-of-band agreement without any policy 
attributes.

That's indeed an incomplete sentence. 



   It is necessary to use authorization policies to limit the
   unauthorized distribution of location information.  The security
   requirements which are created based on [10] are inline 
with threats
   which appear in the relationship with disclosure of location
   information as described in [33].  PIDF-LO [21] proposes S/MIME to
   protect the Location Object against modifications.  S/SIME 
relies on
   public key cryptography which raises performance, 
deployment and size
   considerations.  Encryption would require that the local AAA server
   or the NAS knows the recipient's public key (e.g., the 
public key of
   the home AAA server).

So are we saying that the location information attributes can 
be encrypted
in some cases, so that the privacy concerns are not 
applicable? But the
attributes don't support this, right?

   Knowing the final recipient of the location
   information is in many cases difficult for RADIUS entities.

Specifically, RADIUS clients only deal with RADIUS servers 
that are one
hop away.


Maybe the discussion about PIDF-LO S/MIME protection is a bit out of
context. 


Here is the updated document: 
http://www.tschofenig.com/svn/draft-ietf-geopriv-radius-lo/draft-ietf-ge
opriv-radius-lo-11.txt


Ciao
Hannes

PS: I merged the civic and the geospatial location information attribute
into a single attribute since I noticed a problem in the extensibility
mechanism. One would have to define new attributes with new location
formats even though location information is opaque for the RADIUS
protocol. 




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

<Prev in Thread] Current Thread [Next in Thread>
  • AW: Last Call: draft-ietf-geopriv-radius-lo (Carrying LocationObjects in RADIUS, Tschofenig, Hannes <=