[Gen-art] Re: Genart last call review of draft-ietf-radext-radiusv11-08
Alan DeKok <aland@freeradius.org> Thu, 27 June 2024 12:23 UTC
Return-Path: <aland@freeradius.org>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61A86C14CF1F; Thu, 27 Jun 2024 05:23:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hsfOEX5s-hxZ; Thu, 27 Jun 2024 05:23:18 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5E0EC14F5E5; Thu, 27 Jun 2024 05:23:16 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 9F140303; Thu, 27 Jun 2024 12:23:12 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=fail (p=reject dis=none) header.from=freeradius.org
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@freeradius.org>
In-Reply-To: <171948905930.103301.17409672529059778215@dt-datatracker-656cd57b4c-lk2kk>
Date: Thu, 27 Jun 2024 08:23:10 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <8FF7563D-2A9A-41F4-908E-D161B8488E51@freeradius.org>
References: <171948905930.103301.17409672529059778215@dt-datatracker-656cd57b4c-lk2kk>
To: Christer Holmberg <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Message-ID-Hash: H4EEULXAZAJDGGUHVIBGL4T2K6BOMDKZ
X-Message-ID-Hash: H4EEULXAZAJDGGUHVIBGL4T2K6BOMDKZ
X-MailFrom: aland@freeradius.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-gen-art.ietf.org-0; header-match-gen-art.ietf.org-1; header-match-gen-art.ietf.org-2; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: gen-art@ietf.org, draft-ietf-radext-radiusv11.all@ietf.org, last-call@ietf.org, radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Gen-art] Re: Genart last call review of draft-ietf-radext-radiusv11-08
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/wD-PP7i7snyFwhJd8Z2I3oubd0Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Owner: <mailto:gen-art-owner@ietf.org>
List-Post: <mailto:gen-art@ietf.org>
List-Subscribe: <mailto:gen-art-join@ietf.org>
List-Unsubscribe: <mailto:gen-art-leave@ietf.org>
On Jun 27, 2024, at 7:50 AM, Christer Holmberg via Datatracker <noreply@ietf.org> wrote:
> Major issues:
>
> Q_MAJ_01:
>
> Section 7.3 says that future standards can "inherit" the RADIUS/1.1 procedures,
> but they do not need to mention RADIUS/1.1 explicitly.
>
> What exactly is meant by "inherit"? If RADIUS/1.1 is not mentioned, does that
> mean that the future standards need to copy/paste the RADIUS/1.1 procedures?
Perhaps instead:
Future work may define new attributes, packet types, etc. It is important to be able to do such work without requiring that every new standard mention RADIUS/1.1 explicitly. This document defines RADIUS/1.1 as having functional overlap with legacy RADIUS: the packet header Code field is unchanged, and the attribute format is largely unchanged. As a result, any new packet Code or attribute defined for RADIUS is explicitly compatible with RADIUS/1.1: the field contents and meanings are identical. The only difference between the two protocols is that obfuscated attributes in RADIUS are not obfuscated in RADIUS/1.1, and this document defines how that mapping is done.
> ----
>
> Q_MAJ_02:
>
> Section 7.3 specifies rules for defining RADIUS extensions.
>
> Is this specification (especially since it is Experimental) the right place to
> define such generic RADIUS extension procedures? Can the WG e.g. reject future
> extension proposals purely because they do not comply to this specification?
I'll weasel out of this one by saying (a) the WG consensus is OK with this statement, and (b) the document is experimental. If the WG later decides to create future proposals, it still can.
But I suspect it won't. TLS transport is 10+ years old, and has proven to work well. There is no need for additional cryptographic work in RADIUS over UDP.
> Q_MAJ_03:
>
> Section 9 says: "All the insecure uses of RADIUS have been removed".
>
> I don't think that is true, as no changes are done to RADIUS/UDP and
> RADIUS/TCP, i.e. they are still as unsecure as before.
Perhaps:
This specification requires secure transport for RADIUS. RADIUS/1.1. has all of the privacy benefits of RADIUS/TLS {{RFC6614}} and RADIUS/DTLS {{RFC7360}}, and none of the privacy or security issues of RADIUS/UDP {{RFC2865}} or RADIUS/TCP {{RFC6613}}.
> Minor issues:
>
> Q_MIN_01:
>
> It is stated that RADIUS/1.1 is not a new protocol, but rather a transport
> profile. In my opinion it is more than a transport profile, but I will respect
> the decision of the community.
It likely fits in between a new protocol and transport profile.
The key thing for implementors is that it's a ~2k LoC patch to RADIUS/TLS implementations. The protocol state machine doesn't change. The packet encoding has only trivial changes. The attribute encoding as only trivial changes.
As a result, implementations can tweak their transport layer, and change almost nothing else. So it's closer to a transport profile than a brand new protocol, packet encoding, state machine, etc.
> Q_ED_1:
>
> I think the Abstract is too long. Any explanations, clarifications and details
> should be removed.
Fixed.
Alan DeKok.
- [Gen-art] Genart last call review of draft-ietf-r… Christer Holmberg via Datatracker
- [Gen-art] Re: Genart last call review of draft-ie… Alan DeKok