Date: Wed, 30 Jun 1999 16:27:58 -0700 (PDT)
From: "Rodney W. Grimes" <rgrimes@gndrsh.aac.dev.com>
To: jkh@zippy.cdrom.com (Jordan K. Hubbard)
Cc: Doug@gorean.org (Doug), jkh@FreeBSD.ORG (Jordan K. Hubbard), cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/etc services
Message-ID: <199906302327.QAA12865@gndrsh.aac.dev.com>
In-Reply-To: <74394.930775050@zippy.cdrom.com> from "Jordan K. Hubbard" at "Jun 30, 1999 01:37:30 pm"
> > radius 1812/tcp RADIUS
> > radius 1812/udp RADIUS
>
> Actually, they didn't claim that 1812/1813 were the bogus numbers,
> they claimed that the quoted RFCs were bogus. In any case, I think
> this is a firm case of a de facto standard colliding with an official
> one and not so much a matter of "right" and "wrong" in any truly
> boolean sense. I'd still like to hear more about who uses the new
> assignments as defaults - so far I've checked the defaults on our
> local cisco 2501 and Livingston PM2er [ick] and they both use
> 1645/1646. Any ISP plugging along with the defaults on that equipment
> is going to hit a wall with a radius that has gotten its port
> assignments properly through /etc/services and that's just bogus
> too.
>
> If I were writing radius authentication daemons then I'd probably have
> mine listen on both points, but happily I'm not writing any of those
> these days. :-)

You can actually make almost all of them do that now, you just run
2 copies, one with a -p 1645 and one -p 1812. I had to do that during
the migration from non-IANA to IANA compliancy.

> > Assuming that you are intent on keeping this quirk, the least that
> > should be done is a PROBLEMS! note added to the file at both locations.
> > AFAIAC, there is justification for keeping the broken behavior, but not
> > commenting it will only cause confusion down the road.
>
> I could certainly live with (and even enthusiastically support) such a
> compromise. Perhaps the 1812/1813 entries still in there but
> commented out with a notation as to why, along with uncommented
> 1645/1646 entries which also point to the other entries as the
> "official but not often used" ones? Would that make you and Rod
> happy? :-)

Not really, since it would still cause boxes for those expecting the
1812 to fall over. I would say just comment out all 4, I am going
around to all our boxes right now and changing things so that it does
not even depend on /etc/services for where it should run at.
That way I won't get bit by the change you just made to the /etc/services
file should I update something before I forget to fix this new buglet...

Most radius installation manuals tell you to go check /etc/services, and/or
add them anyway.

How about something like:

# PROBLEM
# Ports 1645/1646 are the traditional radius usage that was used
# by many vendors without obtaining official IANA assignment. An
# official assignment is now in conflict with these and one is
# encouraged to migrate to the official ports 1812/1813.
#radius		1645/udp	#RADIUS authentication protocol (RFC 2138)
#radacct	1646/udp	#RADIUS accounting protocol (RFC 2139)
{Official stuff that belongs on 1645 here, also commented out, I just
 don't have it handy}

# PROBLEM
# Ports 1812/1813 are the official IANA assigned radius ports,
# though many vendors have not adopted these as their defaults
# it is what has been assigned.
#radius		1812/udp	#RADIUS authentication protocol (RFC 2138)
#radacct	1813/udp	#RADIUS accounting protocol (RFC 2139)

NOTE: The citing of RFC2138/2139 is the protocol specification, not
what puts them on these ports. I think it is RFC2058 that has the
official port numbers and the comments about the bogus use of 1645/1646.

--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
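Editor's added example (not part of the original message, and not code from FreeBSD or any RADIUS daemon): a Python audit of services-file text that reports whether a lookup of radius/radacct would resolve to the legacy 1645/1646 ports, the IANA 1812/1813 ports, or nothing at all, as happens when all four entries are commented out. The function names and the sample entries are constructed for illustration.

```python
# Added illustration; sample service entries below are constructed.
LEGACY = {"radius": 1645, "radacct": 1646}    # traditional vendor defaults from the thread
OFFICIAL = {"radius": 1812, "radacct": 1813}  # IANA-assigned ports from the thread

def parse_services(text):
    """Return {(name, proto): port} for active entries, aliases included."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # everything after '#' is a comment
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                          # blank, commented-out or malformed
        port_s, proto = fields[1].split("/", 1)
        if not port_s.isdigit():
            continue
        for name in [fields[0]] + fields[2:]:
            # First matching line wins, as in a sequential getservbyname() scan.
            table.setdefault((name, proto), int(port_s))
    return table

def audit_radius(text, proto="udp"):
    """Classify what a by-name lookup of radius/radacct would return."""
    table = parse_services(text)
    report = {}
    for svc in ("radius", "radacct"):
        port = table.get((svc, proto))
        if port is None:
            status = "unresolved"   # daemon needs an explicit port (e.g. -p)
        elif port == OFFICIAL[svc]:
            status = "official"
        elif port == LEGACY[svc]:
            status = "legacy"
        else:
            status = "unexpected"
        report[svc] = (port, status)
    return report

COMMENTED_OUT = """\
#radius   1645/udp   #RADIUS authentication protocol
#radacct  1646/udp   #RADIUS accounting protocol
#radius   1812/udp   #RADIUS authentication protocol
#radacct  1813/udp   #RADIUS accounting protocol
"""
MIXED = """\
radius    1812/tcp   # constructed sample
radius    1645/udp   # legacy entry listed first, so it shadows 1812/udp
radius    1812/udp
radacct   1813/udp
"""

if __name__ == "__main__":
    for label, sample in (("commented out", COMMENTED_OUT), ("mixed", MIXED)):
        print(label, audit_radius(sample))
```

An "unresolved" result means the daemon cannot find its port by name and must be started with an explicit port; a split such as legacy authentication with official accounting is the kind of mismatch that breaks NAS equipment left on its defaults.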