Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
mohamed.boucadair@orange.com Thu, 13 October 2022 11:53 UTC
From: mohamed.boucadair@orange.com
To: Alan DeKok <aland@deployingradius.com>
CC: Ben Schwartz <bemasc@google.com>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg@ietf.org" <opsawg@ietf.org>, "radext@ietf.org" <radext@ietf.org>, "add@ietf.org" <add@ietf.org>
Date: Thu, 13 Oct 2022 11:53:01 +0000
Message-ID: <25447_1665661982_6347FC1E_25447_243_1_6a3d202a666d4526b12611fb744bb8b5@orange.com>
References: <BN9PR11MB53717C0ECBFE57C8932F1888B8229@BN9PR11MB5371.namprd11.prod.outlook.com> <BN9PR11MB5371B8A7880B24F4455EE107B8229@BN9PR11MB5371.namprd11.prod.outlook.com> <CAHbrMsAri9uSxfWp28=2o2bCwqoGg_AoqdWk5huduD7E=KoBSw@mail.gmail.com> <1D504D41-55EA-47E4-AD3F-DF90A61E86AF@deployingradius.com> <CAHbrMsAzQ+W5hyz3QiVJAdnf=cAfzHcDpja3VvBWxyAUbhbqtQ@mail.gmail.com> <BFCCA9FC-895B-4960-840B-11AE6DAA377E@deployingradius.com> <18256_1665648691_6347C833_18256_484_1_41a902658c604d619e7b829fb62f4441@orange.com> <A9E7BE15-398E-43C7-BA01-8C3D7AE88F5D@deployingradius.com>
In-Reply-To: <A9E7BE15-398E-43C7-BA01-8C3D7AE88F5D@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/st3OnopWsQQL5vj9YXs2lx8554g>
Re-,

Please see inline.

Cheers,
Med

> -----Original Message-----
> From: Alan DeKok <aland@deployingradius.com>
> Sent: Thursday, 13 October 2022 13:40
> To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
> Cc: Ben Schwartz <bemasc@google.com>; Joe Clarke (jclarke) <jclarke@cisco.com>; opsawg@ietf.org; radext@ietf.org; add@ietf.org
> Subject: Re: [Add] [OPSAWG] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
>
> On Oct 13, 2022, at 4:11 AM, mohamed.boucadair@orange.com wrote:
> >
> > Hi Alan, all,
> >
> > FYI, we do already have the following in the draft to pass RADIUS attributes in DHCPv6:
> >
> >    In deployments where the NAS behaves as a DHCPv6 relay agent, the
> >    procedure discussed in Section 3 of [RFC7037] can be followed. To
> >    that aim, Section 6.3 updates the "RADIUS Attributes Permitted in
> >    DHCPv6 RADIUS Option" registry ([DHCP-RADIUS]).
>
> I was thinking of the other way around: allowing DHCPv6 options inside of a RADIUS attribute.

[Med] Yes, I got that. But I wanted to highlight that, as we already allow RADIUS attributes to be encapsulated in DHCP, if we encapsulate DHCP in RADIUS, then for the case in RFC 7037 we will end up with a dhcp_option(radius(dhcp_option)) encapsulation.

> > For the typical target deployment in the draft, I don't think we have a valid case for long data. That said, we may include a provision to allow for multiple TLVs, each carrying self-contained key=value data.
>
> If that's the target deployment, then that works. I'd suggest updating the draft to explicitly mention this limitation, and describe why it's acceptable.

[Med] Yes, that's exactly what I have in mind.

> I'd also suggest changing the RADIUS attribute space from 241.X to 245.X. See https://www.rfc-editor.org/rfc/rfc8044#section-3.16

[Med] Agree. Will fix that. Thanks.

> With 241.X, the maximum amount of data which can be carried is 252 octets. This space has to encapsulate all child attributes, including headers and contents. Which means that each individual child attribute can carry much less than 253 octets.
>
> With 245.X, the maximum amount of data which can be carried is limited only by the RADIUS packet length. Each child attribute can then carry a full 253 octets of data. And there are no limits on the number of child attributes which can be carried.
>
> Alan DeKok.
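Alan's 241.X versus 245.X comparison above follows from how RFC 6929 frames the two attribute types. The Python below is an added example, not code from the draft or from either author: it encodes child TLVs into both containers so the 252-octet ceiling of an Extended Type attribute and the fragmentation that lifts it in a Long Extended Type attribute can be seen directly; the two 200-octet child values are constructed sample data.

```python
"""RADIUS extended attributes as TLV containers (RFC 6929 encodings).
Constructed example for the 241.X vs 245.X point above; not from the draft."""
import struct

MAX_ATTR_LEN = 255   # the Length octet covers the whole attribute
EXT_HDR = 3          # Type, Length, Extended-Type
LONG_EXT_HDR = 4     # Type, Length, Extended-Type, More/Reserved
MORE = 0x80          # 'M' bit: further fragments follow

def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    # TLV data type: 1-octet type, 1-octet length (header included), value;
    # so one child carries at most 253 octets.
    if len(value) > MAX_ATTR_LEN - 2:
        raise ValueError("TLV value exceeds 253 octets")
    return struct.pack("!BB", tlv_type, len(value) + 2) + value

def encode_extended(attr_type: int, ext_type: int, payload: bytes) -> bytes:
    # Extended Type (241-244): a single attribute, so all child TLVs together,
    # headers included, must fit in 255 - 3 = 252 octets.
    if len(payload) > MAX_ATTR_LEN - EXT_HDR:
        raise ValueError(f"{len(payload)} octets do not fit in {attr_type}.{ext_type}")
    return struct.pack("!BBB", attr_type, len(payload) + EXT_HDR, ext_type) + payload

def encode_long_extended(attr_type: int, ext_type: int, payload: bytes) -> list:
    # Long Extended Type (245-246): payload split into fragments of up to 251
    # octets; every fragment but the last carries the M bit.
    step = MAX_ATTR_LEN - LONG_EXT_HDR
    parts = [payload[i:i + step] for i in range(0, len(payload), step)] or [b""]
    frags = []
    for idx, part in enumerate(parts):
        flags = MORE if idx < len(parts) - 1 else 0
        frags.append(struct.pack("!BBBB", attr_type, len(part) + LONG_EXT_HDR,
                                 ext_type, flags) + part)
    return frags

def reassemble_long_extended(frags: list) -> bytes:
    # Receiver side: concatenate fragment values, requiring the M bit on every
    # fragment except the last.
    payload = b""
    for idx, frag in enumerate(frags):
        _, length, _, flags = struct.unpack("!BBBB", frag[:LONG_EXT_HDR])
        if bool(flags & MORE) != (idx < len(frags) - 1):
            raise ValueError(f"inconsistent M bit in fragment {idx}")
        payload += frag[LONG_EXT_HDR:length]
    return payload

def fits_in_extended(payload: bytes) -> bool:
    # True only when the whole child-TLV payload fits one 241.X attribute.
    return len(payload) <= MAX_ATTR_LEN - EXT_HDR
```

Two constructed 200-octet children total 404 octets of TLV data: `fits_in_extended` rejects that for 241.X, while `encode_long_extended(245, 1, ...)` splits it into two fragments that `reassemble_long_extended` restores byte for byte.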