Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
mohamed.boucadair@orange.com Fri, 14 October 2022 09:48 UTC
From: mohamed.boucadair@orange.com
To: Alan DeKok <aland@deployingradius.com>, Ben Schwartz <bemasc@google.com>
CC: Joe Abley <jabley@hopcount.ca>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, opsawg <opsawg@ietf.org>, "radext@ietf.org" <radext@ietf.org>, ADD Mailing list <add@ietf.org>
Date: Fri, 14 Oct 2022 09:47:53 +0000
Message-ID: <18242_1665740874_6349304A_18242_265_4_dee5101db4734fcd8d7fa7f1f9a49030@orange.com>
References: <28766_1665646855_6347C107_28766_2_1_c61b294eae1742b4bfbf125d0fd0e92f@orange.com> <B6BBABE1-9194-4190-A84A-BA64889FC6E6@hopcount.ca> <CAHbrMsAsC0N2uNpFuiMYEiPgQQQzAwikuiTL0dWZoNhgcPRwNw@mail.gmail.com> <8F15B334-861A-432D-B42A-5C7C8D5FCCEB@deployingradius.com>
In-Reply-To: <8F15B334-861A-432D-B42A-5C7C8D5FCCEB@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/Arvwn87SU3uPJDpzaqhEK9qDwN8>
Re-,

Thanks for the feedback. Let's try to exercise this approach and see if there are not hidden complications vs. current design with known limitation.

A drafty text (not yet in the main draft) can be seen at: https://github.com/boucadair/draft-ietf-opsawg-add-encrypted-dns/blob/main/draft-ietf-opsawg-add-encrypted-dns-encap.txt

A diff is also available at: https://www.ietf.org/rfcdiff?url1=draft-ietf-opsawg-add-encrypted-dns&url2=https://raw.githubusercontent.com/boucadair/draft-ietf-opsawg-add-encrypted-dns/master/draft-ietf-opsawg-add-encrypted-dns-encap.txt

The attributes should not be seen as opaque data by the RADIUS server, but it should understand the encoding of the enclosed options. The intended behavior should be called out, IMO.

For the case of the RA-triggered authorization process, some adaptation is needed as the encoding is a little bit distinct vs. DHCPv6. The mapping should also be explicated.

Cheers,
Med

> -----Original Message-----
> From: Alan DeKok <aland@deployingradius.com>
> Sent: Thursday, 13 October 2022 17:16
> To: Ben Schwartz <bemasc@google.com>
> Cc: Joe Abley <jabley@hopcount.ca>; BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>; Joe Clarke (jclarke) <jclarke@cisco.com>; opsawg <opsawg@ietf.org>; radext@ietf.org; ADD Mailing list <add@ietf.org>
> Subject: Re: [Add] [OPSAWG] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
>
> On Oct 13, 2022, at 10:50 AM, Ben Schwartz <bemasc@google.com> wrote:
> > Even if longer SvcParams aren't useful in DNR, creating an encoding that can't carry them introduces a serious compatibility problem for systems that copy between SVCB, DNR, and RADIUS. What is such a tool supposed to do when a valid SVCB record or DNR option is unrepresentable in RADIUS? What is a naive operator to do, faced with this error message?
>
> The traditional RADIUS solution for encoding data which can't fit into an attribute is one of (a) truncation, or (b) dropping the attribute entirely. The standards are silent on this issue, so the behavior is entirely implementation-defined.
>
> As for this issue, it may be best to avoid it entirely with careful design, so that it's not possible for implementations to run into the problem.
>
> > The only solution which entirely avoids the 253 octet limit is to just define a DHCPv6-Options attribute in RADIUS. It can carry a blob of DHCPv6 options, encoded as DHCPv6 options. This behavior is permitted by https://www.rfc-editor.org/rfc/rfc6158#section-3.2.4:
>
> > Another exception to the recommendation against complex types is for types that can be treated as opaque data by the RADIUS server.
>
> So just define a DHCPv6-Options attribute from the 245.X space. Allow it to contain any DHCPv6 option. Suggest that the switch / RADIUS client send the options in a DHCPv6 packet. And then it can carry the options needed here.
>
> Since the encoding is now DHCPv6 options, all limitations other than the 4K RADIUS "maximum packet size" limitation disappear. And many RADIUS implementations support packets larger than 4K, so that limit is not concrete either. The specification defining DHCPv6-Options could suggest that implementations SHOULD support 64K RADIUS packets.
>
> Alan DeKok.
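Added example (not part of this thread, nor code from the draft or from any RADIUS implementation). It works through the encoding question the messages above argue about: a DHCPv6 option blob longer than the 253-octet value limit of a classic RADIUS attribute cannot be represented there at all, while a Long Extended Type attribute (RFC 6929, Types 245/246, the "245.X space" Alan refers to) carries it as fragments whose More flag chains them together; the receiving side then reassembles the value and parses the enclosed RFC 8415 option TLVs rather than treating the attribute as opaque, which is the behavior Med asks to be called out. The Extended-Type value 0xEE and the long option's code 0xFFF0 are placeholders (nothing on the page assigns them), and the option data is constructed for the example.

```python
"""Added example (not from the thread or the draft it discusses).

Classic RADIUS attribute vs. RFC 6929 Long Extended Type fragmentation for a
blob of DHCPv6 options, plus the server-side parse of the enclosed options.
Extended-Type 0xEE and option code 0xFFF0 are PLACEHOLDERS; data is constructed.
"""
import struct

CLASSIC_VALUE_MAX = 253          # 255 - Type(1) - Length(1)
LONG_EXT_TYPE = 245              # RFC 6929 "Long Extended Type" attribute
LONG_EXT_FRAG_MAX = 251          # 255 - Type - Length - Extended-Type - Flags
MORE_FLAG = 0x80                 # M bit in the Flags octet: another fragment follows
RADIUS_PACKET_MAX = 4096         # RFC 2865 maximum packet size
RADIUS_HEADER_LEN = 20           # Code, Identifier, Length, Authenticator
DHCPV6_OPTIONS_EXT_TYPE = 0xEE   # PLACEHOLDER: not an assigned Extended-Type
OPTION_DNS_SERVERS = 23          # RFC 3646


def dhcpv6_option(code: int, data: bytes) -> bytes:
    """RFC 8415 option layout: option-code(2) | option-len(2) | option-data."""
    return struct.pack("!HH", code, len(data)) + data


def parse_dhcpv6_options(blob: bytes) -> list:
    """Walk a concatenation of DHCPv6 options; reject truncated or overlong TLVs."""
    opts, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated DHCPv6 option header")
        code, length = struct.unpack_from("!HH", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("DHCPv6 option-len runs past end of blob")
        opts.append((code, blob[off:off + length]))
        off += length
    return opts


def classic_fits(value: bytes) -> bool:
    """Can a classic Type | Length | Value attribute carry this value at all?"""
    return len(value) <= CLASSIC_VALUE_MAX


def classic_attribute(attr_type: int, value: bytes) -> bytes:
    """Classic RADIUS attribute. Fails loudly instead of truncating or dropping."""
    if not classic_fits(value):
        raise ValueError(f"{len(value)} octets exceed the {CLASSIC_VALUE_MAX}-octet limit")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def long_extended_fragments(ext_type: int, value: bytes) -> list:
    """Split value across Long Extended Type attributes: Type | Length |
    Extended-Type | Flags | Value, with M set on every fragment but the last."""
    chunks = [value[i:i + LONG_EXT_FRAG_MAX]
              for i in range(0, len(value), LONG_EXT_FRAG_MAX)] or [b""]
    frags = []
    for i, chunk in enumerate(chunks):
        flags = MORE_FLAG if i < len(chunks) - 1 else 0
        frags.append(struct.pack("!BBBB", LONG_EXT_TYPE, len(chunk) + 4, ext_type, flags) + chunk)
    return frags


def reassemble_long_extended(frags: list, ext_type: int) -> bytes:
    """Concatenate fragments of one Extended-Type, checking the M-flag chain."""
    value = b""
    for i, frag in enumerate(frags):
        attr_type, length, et, flags = struct.unpack_from("!BBBB", frag, 0)
        if attr_type != LONG_EXT_TYPE or et != ext_type or length != len(frag):
            raise ValueError("foreign or malformed attribute in fragment sequence")
        if bool(flags & MORE_FLAG) != (i < len(frags) - 1):
            raise ValueError("More flag inconsistent with fragment position")
        value += frag[4:]
    return value


def fits_in_packet(attrs: list) -> bool:
    """The only limit left after fragmentation: the total packet size."""
    return RADIUS_HEADER_LEN + sum(len(a) for a in attrs) <= RADIUS_PACKET_MAX


def sample_blob() -> bytes:
    """Constructed sample: a real-format OPTION_DNS_SERVERS (2001:db8::53) plus a
    PLACEHOLDER option whose data makes the whole blob exceed 253 octets."""
    dns = dhcpv6_option(OPTION_DNS_SERVERS, bytes.fromhex("20010db8" + "00" * 10 + "0053"))
    long_opt = dhcpv6_option(0xFFF0, b"svcparam-like payload " * 20)
    return dns + long_opt


def server_side(frags: list) -> list:
    """A RADIUS server that understands the enclosed options: reassemble the
    attribute, then parse the DHCPv6 options inside instead of treating it as opaque."""
    return parse_dhcpv6_options(reassemble_long_extended(frags, DHCPV6_OPTIONS_EXT_TYPE))


if __name__ == "__main__":
    blob = sample_blob()
    print("classic attribute fits:", classic_fits(blob))
    frags = long_extended_fragments(DHCPV6_OPTIONS_EXT_TYPE, blob)
    print("fragments:", [len(f) for f in frags], "fits in 4K packet:", fits_in_packet(frags))
    print("options seen by server:", [(c, len(d)) for c, d in server_side(frags)])
```

The 464-octet sample blob yields two fragments (255 and 217 octets on the wire); the reassembler rejects a sequence whose last fragment still has M set, and the option parser rejects an option-len that runs past the blob, which are the two checks a server needs before acting on the content.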