IETF Logo Mail Archive

Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-01.txt

Alan DeKok <aland@deployingradius.com> Thu, 01 December 2022 19:30 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9CA4C14F613 for <opsawg@ietfa.amsl.com>; Thu, 1 Dec 2022 11:30:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id raHC-SqkLIx2 for <opsawg@ietfa.amsl.com>; Thu, 1 Dec 2022 11:30:04 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BB83C14F612 for <opsawg@ietf.org>; Thu, 1 Dec 2022 11:30:03 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 16EF6EE; Thu, 1 Dec 2022 19:29:59 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <43ee82a3-c554-a4c3-cbb0-4525dee143b0@web.de>
Date: Thu, 01 Dec 2022 14:29:58 -0500
Cc: opsawg@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <D734BC8F-77F9-4772-A081-057780113BE7@deployingradius.com>
References: <166987104468.50685.985158519755735069@ietfa.amsl.com> <Y4g8SzupPkBSLotd@shrubbery.net> <43ee82a3-c554-a4c3-cbb0-4525dee143b0@web.de>
To: Marc Huber <Marc.Huber@web.de>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/spOOLkBz1ECziT7VHuzHTg19LbY>
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-01.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2022 19:30:06 -0000

On Dec 1, 2022, at 1:14 PM, Marc Huber <Marc.Huber@web.de> wrote:
> I've the gut feeling that
> 
>    Peers MUST NOT use Obfuscation with TLS.
> ...
> isn't the best approach. This would break the transition process compatibility for devices that don't encrypt on their own which move TLS to an intermediate system (a reverse proxy, essentially).

  We're just going through this with RADIUS.  We defined RADIUS over TLS 10 years ago, and left the MD5 obfuscation in.

  We're now updating it to remove MD5.  In hindsight, it was a mistake.  Among other things, leaving MD5 in means that it's difficult to run implementations in a FIPS environment.

  Plus, what key do you use for the MD5 obfuscation?  Do you leave the old one in the admin interfaces?  And add TLS?

  I think that the current approach is best.  Drop the 20+ year-old obfuscation.  Just use modern crypto.

  I'd suggest requiring TLS-PSK.  It's likely easy to update implementations / interfaces to add a PSK.  In contrast, certificates are more complex.

  Plus, operational experience with RADIUS shows that certificate management is a big problem.  There are many issues with certificates:

* do the client / server use Web CAs for certificate valdation?  Are these web CAs shipped with the product?  How are they updated?

* If a private CA is used, then the implementations have to be updated to allow for configuration of CAs in addition to client certs

* certificate expiry is rare enough that people forget how to renew them, but often enough that they have to be renewed regularly

* web CAs won't issue certs for non-web use.  So to get a cert, you have to claim you're putting it on a web server, and add id-kp-serverAuth in order to pass web CA validation

* How are the certificates validated?  There is a long list of things which can be done to validate the certificate.  Some RFCs have guidance, but implementation experience shows that those aren't enough.


  I'd suggest checking the certificate validation rules in RFC 5216 and RFC 9190  (EAP-TLS), and RFC 6614 (RADIUS/TLS).  The operational issues are similar.  It may also be useful to look at RFC 7585 (dynamic server discovery via DNS).

  I'd suggest also looking at the TLS configuration in FreeRADIUS here:  https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/eap#L177

  It's for EAP-TLS, but the requirements for TACACS+ with TLS would be similar.  There are a large number of options for configuring certificates, validation methods, CAs, PSKs, etc.  Nearly all of these would be required when TACACS+ is used with TLS.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email