Deprecate the X-Ascend-* attributes in dictionary.ascend?

classic Classic list List threaded Threaded
2 messages Options
| Threaded
Open this post in threaded view
|

Deprecate the X-Ascend-* attributes in dictionary.ascend?

Bjørn Mork
The dictionary.ascend file contains both Ascend VSAs and some historical
Ascend specific extensions in the lower (1-255) RADIUS attribute space.
These are prefixed with "X-Ascend-".

But nowadays, quite a few of these collide with official standard
attributes.  Although this is not a problem for the RADIUS server or
other applications mapping from name to value, it does pose a problem
for applications mapping from value to name.  E.g. radclient, which will
happily believe that 123 is X-Ascend-Call-Attempt-Limit instead of the
RFC 4818 defined Delegated-IPv6-Prefix:


~$ radclient -x localhost:1812 auth foo -f test
Sending Access-Request of id 237 to 127.0.0.1 port 1812
        User-Name = "[hidden email]"
        Password = "bar"
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=237, length=100
        Framed-IP-Address = 192.168.3.4
        Framed-IPv6-Prefix = 2001:db8:2:1::/64
        Framed-Interface-Id = 8765:5678:abcd:1234
        X-Ascend-Call-Attempt-Limit = 0x003020010db8000300000000000000000000
        ERX-Ipv6-Primary-Dns = 2001:db8::53


Even worse, I believe rlm modules like rlm_perl which also map from
value to name for their internal representation of the attributes, will
do the same.  I.e., if you write a script for rlm_perl, expecting a
Delegated-IPv6-Prefix, you'll be up for a surprise...

My suggestion is splitting dictionary.ascend in two separate dictionary
files, keeping only the VSA part included by default.  Or at least split
out all attributes colliding with standard attributes.



Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Deprecate the X-Ascend-* attributes in dictionary.ascend?

Bjørn Mork
Stupid me.  Remember to check whether your great ideas are already
implemented... They usually are when it comes to FreeRADIUS :-)

bjorn@canardo:/usr/local/src/git/freeradius$ git log share/dictionary.ascend.illegal
commit 27b18889c932129ea758eff3232c254980124eb7
Author: Alan T. DeKok <[hidden email]>
Date:   Tue Sep 29 10:10:59 2009 +0200

    Moved Ascends illegal attributes to their own file



Thanks,
Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html