Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS

mohamed.boucadair@orange.com Thu, 13 October 2022 08:11 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F0E7C14F739; Thu, 13 Oct 2022 01:11:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NPr-QeMG_Grk; Thu, 13 Oct 2022 01:11:33 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.34]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44E55C14F72F; Thu, 13 Oct 2022 01:11:33 -0700 (PDT)
Received: from opfednr02.francetelecom.fr (unknown [xx.xx.xx.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfednr23.francetelecom.fr (ESMTP service) with ESMTPS id 4Mp2Kb6tCSz5vdW; Thu, 13 Oct 2022 10:11:31 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1665648692; bh=V40z9J6AEevDFd3M/lT0znw2WFbqyFb3pbto1PhCU6s=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=xNBzYrnImqS2MKAigv5yzvGEIzRz7gLo86M08X4QZxFF50yySGpS1AVp8CKypIe/+ 7zXS66vtSg1uvT4ncys1crdWrLJhpV4U1xofcaeScAT4KFD9niBnADu/TWxiG8aQQv uA8bnKyF31fTjezxjchIIRVCr/I6JQICdTVHRyxABRrlOROERoco5biJSzjBbWYMpJ oEh08QLqQOzpHB6uQM/tVm7fnsP9tWuLJKZnk7ZTSSJsnwGctTG3KeNVHO7jXrYw7t ZbeNqfDKPU7FwqyiCHlpFw553ykYuquePO88esf6KNJy5jmUt22FOH8uqjXRGyTr4B Vfp/m7IbmDhqw==
From: mohamed.boucadair@orange.com
To: Alan DeKok <aland@deployingradius.com>, Ben Schwartz <bemasc@google.com>
CC: "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg@ietf.org" <opsawg@ietf.org>, "radext@ietf.org" <radext@ietf.org>, "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] [OPSAWG] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
Thread-Index: AQHY3mOfE/0kVyRxZEytjhkhnYnKtq4K7ZMAgAEA4sA=
Content-Class:
Date: Thu, 13 Oct 2022 08:11:31 +0000
Message-ID: <18256_1665648691_6347C833_18256_484_1_41a902658c604d619e7b829fb62f4441@orange.com>
References: <BN9PR11MB53717C0ECBFE57C8932F1888B8229@BN9PR11MB5371.namprd11.prod.outlook.com> <BN9PR11MB5371B8A7880B24F4455EE107B8229@BN9PR11MB5371.namprd11.prod.outlook.com> <CAHbrMsAri9uSxfWp28=2o2bCwqoGg_AoqdWk5huduD7E=KoBSw@mail.gmail.com> <1D504D41-55EA-47E4-AD3F-DF90A61E86AF@deployingradius.com> <CAHbrMsAzQ+W5hyz3QiVJAdnf=cAfzHcDpja3VvBWxyAUbhbqtQ@mail.gmail.com> <BFCCA9FC-895B-4960-840B-11AE6DAA377E@deployingradius.com>
In-Reply-To: <BFCCA9FC-895B-4960-840B-11AE6DAA377E@deployingradius.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2022-10-13T07:31:25Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=9f3c1c62-fe78-43f1-af0c-5a8624052580; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
x-originating-ip: [10.115.26.52]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/IhmRi4W-_Kkx7TuzUYusVOU7UcE>
Subject: Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2022 08:11:38 -0000

Hi Alan, all,

FYI, we do already have the following in the draft to pass RADIUS attributes in DHCPv6: 

   In deployments where the NAS behaves as a DHCPv6 relay agent, the
   procedure discussed in Section 3 of [RFC7037] can be followed.  To
   that aim, Section 6.3 updates the "RADIUS Attributes Permitted in
   DHCPv6 RADIUS Option" registry ([DHCP-RADIUS]).

For the typical target deployment in the draft, I don' think we have a valid case for long data. That's said, we may include a provision to allow for multiple TLVs; each carrying self-contained key=value data. 

Cheers,
Med

> -----Message d'origine-----
> De : Add <add-bounces@ietf.org> De la part de Alan DeKok
> Envoyé : mercredi 12 octobre 2022 20:11
> À : Ben Schwartz <bemasc@google.com>
> Cc : Joe Clarke (jclarke) <jclarke@cisco.com>; opsawg@ietf.org;
> radext@ietf.org; add@ietf.org
> Objet : Re: [Add] [OPSAWG] 🔔 WG LC: RADIUS Extensions for
> Encrypted DNS
> 
> On Oct 12, 2022, at 1:53 PM, Ben Schwartz <bemasc@google.com>
> wrote:
> >
> > A practical limit of around 4000 octets for SvcParams seems
> likely to be fine.  A hard limit of 250 octets has a real chance
> of becoming a practical problem.  I would encourage you to
> reconsider the format.
> 
>   There are a number of limitations which all have to be addressed
> in order for any solution to work.  :(
> 
>   This specification requires "grouped" data, which generally
> means TLVs in RADIUS.  However, it also requires "long" data,
> which is forbidden to be used in TLVs by https://www.rfc-
> editor.org/rfc/rfc8044#section-3.16
> 
>   As the author of RFC 8044, I can say that there are good reasons
> for that prohibition.  I can also say that there are good reasons
> why the prohibited functionality is needed by this standard.
> 
>   I'm not sure there are any perfect solutions.  There's only
> varying amounts of holding your nose, and going with something
> which is the lesser of two evils.
> 
>   Off of the top of my head, one approach is to simply give up on
> transporting the DHCPv6 data as RADIUS attributes, and instead
> just define a DHCPv6-Options attribute in RADIUS, which carries
> raw DHCPv6 options.  This attribute could carry ~4K of data, and
> be in a format which complies with RFC 8044.
> 
>   That would solve the problem not only for this use-case, but for
> any future one, too.  Just define the DHCPv6 option, and then say
> "carry it in RADIUS attribute DHCPv6-Options"
> 
>   That makes it difficult for administrators to configure, as the
> RADIUS configuration now has to carry "raw" DHCPv6 data.  But...
> it's RADIUS.  That's the least of its ugliness.
> 
> 
>   There's already something similar in DHCPv4:
> https://datatracker.ietf.org/doc/html/rfc4014  i.e. DHCPv4 carries
> RADIUS attributes.  So there's reasonable precedent.
> 
>   Alan DeKok.
> 
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.