Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS

Alan DeKok <aland@deployingradius.com> Thu, 13 October 2022 15:16 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBD54C14CE35; Thu, 13 Oct 2022 08:16:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FoCiwKkCEBJ2; Thu, 13 Oct 2022 08:16:36 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71C69C14CE20; Thu, 13 Oct 2022 08:16:34 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 61B21898; Thu, 13 Oct 2022 15:16:27 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAHbrMsAsC0N2uNpFuiMYEiPgQQQzAwikuiTL0dWZoNhgcPRwNw@mail.gmail.com>
Date: Thu, 13 Oct 2022 11:16:25 -0400
Cc: Joe Abley <jabley@hopcount.ca>, Mohamed Boucadair <mohamed.boucadair@orange.com>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, opsawg <opsawg@ietf.org>, radext@ietf.org, ADD Mailing list <add@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8F15B334-861A-432D-B42A-5C7C8D5FCCEB@deployingradius.com>
References: <28766_1665646855_6347C107_28766_2_1_c61b294eae1742b4bfbf125d0fd0e92f@orange.com> <B6BBABE1-9194-4190-A84A-BA64889FC6E6@hopcount.ca> <CAHbrMsAsC0N2uNpFuiMYEiPgQQQzAwikuiTL0dWZoNhgcPRwNw@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/tjJSCaQz3koQ7KMBZGeDfX3xMos>
Subject: Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2022 15:16:39 -0000

On Oct 13, 2022, at 10:50 AM, Ben Schwartz <bemasc@google.com> wrote:
> Even if longer SvcParams aren't useful in DNR, creating an encoding that can't carry them introduces a serious compatibility problem for systems that copy between SVCB, DNR, and RADIUS.  What is such a tool supposed to do when a valid SVCB record or DNR option is unrepresentable in RADIUS?  What is a naive operator to do, faced with this error message?

  The traditional RADIUS solution for encoding data which can't fit into an attribute is one of (a) truncation, or (b) dropping the attribute entirely.  The standards are silent on this issue, so the behavior is entirely implementation-defined.

  As for this issue, it may be best to avoid it entirely with careful design, so that it's not possible for implementations to run into the problem.


  The only solution which entirely avoids the 253 octet limit is to just define a DHCPv6-Options attribute in RADIUS.  It can carry a blob of DHCPv6 options, encoded as DHCPv6 options.  This is behavior is permitted by https://www.rfc-editor.org/rfc/rfc6158#section-3.2.4:

     Another exception to the recommendation against complex types is for
     types that can be treated as opaque data by the RADIUS server.

  So just define a DHCPv6-Options attribute from the 245.X space.  Allow it to contain any DHCPv6 option.  Suggest that the switch / RADIUS client send the options in a DHCPv6 packet.  And then it can carry the options needed here.

  Since the encoding is now DHCPv6 options, all limitations other than the 4K RADIUS "maximum packet size" limitation disappear.  And many RADIUS implementations support packets larger than 4K, so that limit is not concrete either.  The specification defining DHCPv6-Options could suggest that implementations SHOULD support 64K RADIUS packets.

  Alan DeKok.