Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 12 October 2022 17:47 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Alan DeKok <aland@deployingradius.com>
CC: "opsawg@ietf.org" <opsawg@ietf.org>, "radext@ietf.org" <radext@ietf.org>
Date: Wed, 12 Oct 2022 17:46:41 +0000
Message-ID: <1D197266-A7DD-42D9-8FE3-CBB2207CF22A@ll.mit.edu>
References: <BN9PR11MB53717C0ECBFE57C8932F1888B8229@BN9PR11MB5371.namprd11.prod.outlook.com> <BN9PR11MB5371B8A7880B24F4455EE107B8229@BN9PR11MB5371.namprd11.prod.outlook.com> <CAHbrMsAri9uSxfWp28=2o2bCwqoGg_AoqdWk5huduD7E=KoBSw@mail.gmail.com> <1D504D41-55EA-47E4-AD3F-DF90A61E86AF@deployingradius.com>
In-Reply-To: <1D504D41-55EA-47E4-AD3F-DF90A61E86AF@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/m8IpfObF75bYoTRdqb6DWTqG_BI>

Among other things, it means that a Dilithium signature would require fragmentation, or fail to transfer. If the 253-octet limitation applies, then no PQ signature can work (without fragmentation)...


On 10/12/22, 13:41, "OPSAWG on behalf of Alan DeKok" <opsawg-bounces@ietf.org on behalf of aland@deployingradius.com> wrote:

    On Oct 12, 2022, at 1:32 PM, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
    > 
    > The Encrypted-DNS-SvcParams TLV seems to be limited to 253 octets.  This is a problem, since it is meant to hold a SvcParams object that is allowed to be much larger (up to ~65000 octets in principle).

      The length is less than 253 octets, as it is encapsulated inside of another attribute "wrapper".  So the practical limit is probably 250 or less.

      RADIUS provides for encoding more than 253 octets in an attribute.  See https://www.rfc-editor.org/rfc/rfc8044#section-3.16

      However, this capability exists only for "top level" attributes, and cannot be used here.

      Further, RADIUS packets are generally limited to 4K octets total.  So even if the limits on this attribute are removed, then there's still a practical limit of around 4000 octets.

      Alan DeKok.

    _______________________________________________
    OPSAWG mailing list
    OPSAWG@ietf.org
    https://www.ietf.org/mailman/listinfo/opsawg
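The length arithmetic in the exchange above (253-octet attribute values, a smaller budget for a TLV nested inside a wrapper attribute, RFC 8044 section 3.16 "concat" splitting for top-level attributes only, and the 4096-octet packet ceiling) can be checked mechanically. The following is an added example written for this thread; it is not code from the draft, from RFC 8044, or from either poster. The wrapper and TLV header sizes are assumptions chosen to reproduce the "250 or less" figure, and the Dilithium signature sizes are reference values from the CRYSTALS-Dilithium round-3 specification, not numbers given in the thread.

```python
"""RADIUS attribute and packet size checks for a large value such as a
post-quantum signature.  Added example for the OPSAWG thread above; the
header sizes below are assumptions documented in the comments."""
import struct
from math import ceil

RADIUS_HEADER_LEN = 20          # Code, Identifier, Length(2), Authenticator(16) (RFC 2865)
RADIUS_MAX_PACKET = 4096        # maximum RADIUS packet length (RFC 2865)
ATTR_HEADER_LEN = 2             # Type(1) + Length(1)
ATTR_MAX_VALUE = 255 - ATTR_HEADER_LEN          # 253 value octets in one attribute

# Assumption: the SvcParams TLV sits inside an extended attribute whose header is
# Type + Length + Extended-Type (3 octets), and the TLV has its own 2-octet
# TLV-Type/TLV-Length header.  That leaves 250 octets, matching Alan's estimate;
# the draft's exact wrapper layout may differ slightly.
WRAPPER_HEADER_LEN = 3
TLV_HEADER_LEN = 2
NESTED_TLV_MAX_VALUE = 255 - WRAPPER_HEADER_LEN - TLV_HEADER_LEN   # 250


def concat_encode(attr_type: int, value: bytes) -> list[bytes]:
    """Split `value` across consecutive attributes of the same Type, each carrying
    at most 253 value octets, as the RFC 8044 section 3.16 'concat' type does.
    Only valid for top-level attributes, which is the point made in the thread."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type must fit in one octet")
    fragments = []
    for off in range(0, len(value), ATTR_MAX_VALUE):
        chunk = value[off:off + ATTR_MAX_VALUE]
        fragments.append(struct.pack("!BB", attr_type, ATTR_HEADER_LEN + len(chunk)) + chunk)
    return fragments


def concat_decode(data: bytes, attr_type: int) -> bytes:
    """Walk a run of encoded attributes and join the values of the consecutive
    attributes whose Type is `attr_type`; other attributes are skipped."""
    out = bytearray()
    off = 0
    in_run = False
    while off < len(data):
        if off + ATTR_HEADER_LEN > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[off], data[off + 1]
        if a_len < ATTR_HEADER_LEN or off + a_len > len(data):
            raise ValueError("bad attribute length")
        if a_type == attr_type:
            out += data[off + ATTR_HEADER_LEN:off + a_len]
            in_run = True
        elif in_run:
            break                      # the concat run has ended
        off += a_len
    return bytes(out)


def assess(value_len: int) -> dict:
    """Report whether a value of `value_len` octets fits (a) in the nested TLV,
    (b) in a single top-level attribute, and (c) in one packet when split with
    'concat' (packet = header + value + one 2-octet header per fragment)."""
    fragments = max(1, ceil(value_len / ATTR_MAX_VALUE))
    packet_len = RADIUS_HEADER_LEN + value_len + fragments * ATTR_HEADER_LEN
    return {
        "fits_nested_tlv": value_len <= NESTED_TLV_MAX_VALUE,
        "fits_single_attr": value_len <= ATTR_MAX_VALUE,
        "concat_fragments": fragments,
        "concat_packet_octets": packet_len,
        "fits_packet": packet_len <= RADIUS_MAX_PACKET,
    }


# Reference signature sizes from the CRYSTALS-Dilithium round-3 specification
# (supplied for this example; the thread names Dilithium but gives no sizes).
DILITHIUM_SIG_LEN = {"Dilithium2": 2420, "Dilithium3": 3293, "Dilithium5": 4595}

if __name__ == "__main__":
    for name, n in DILITHIUM_SIG_LEN.items():
        print(name, assess(n))
    # Constructed stand-in for a 2560-octet signature: round-trip through concat.
    sig = bytes(range(256)) * 10
    wire = b"".join(concat_encode(241, sig)) + b"\x01\x06user"   # followed by a User-Name
    print("round trip ok:", concat_decode(wire, 241) == sig)
```

Running it shows why the thread's two limits differ in kind: no Dilithium signature fits the nested 250-octet TLV at all, the two smaller parameter sets would fit a packet only if the value were a top-level concat attribute, and Dilithium5 exceeds 4096 octets even then, so no amount of attribute-level splitting helps without a larger transport.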