Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS

Alan DeKok <aland@deployingradius.com> Wed, 12 October 2022 18:10 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6944AC14CE3B; Wed, 12 Oct 2022 11:10:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hRUU2DEcWeut; Wed, 12 Oct 2022 11:10:49 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C923C14CF1F; Wed, 12 Oct 2022 11:10:48 -0700 (PDT)
Received: from smtpclient.apple (unknown [75.98.136.130]) by mail.networkradius.com (Postfix) with ESMTPSA id 5321E7AF; Wed, 12 Oct 2022 18:10:43 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAHbrMsAzQ+W5hyz3QiVJAdnf=cAfzHcDpja3VvBWxyAUbhbqtQ@mail.gmail.com>
Date: Wed, 12 Oct 2022 14:10:42 -0400
Cc: "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg@ietf.org" <opsawg@ietf.org>, "radext@ietf.org" <radext@ietf.org>, "add@ietf.org" <add@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BFCCA9FC-895B-4960-840B-11AE6DAA377E@deployingradius.com>
References: <BN9PR11MB53717C0ECBFE57C8932F1888B8229@BN9PR11MB5371.namprd11.prod.outlook.com> <BN9PR11MB5371B8A7880B24F4455EE107B8229@BN9PR11MB5371.namprd11.prod.outlook.com> <CAHbrMsAri9uSxfWp28=2o2bCwqoGg_AoqdWk5huduD7E=KoBSw@mail.gmail.com> <1D504D41-55EA-47E4-AD3F-DF90A61E86AF@deployingradius.com> <CAHbrMsAzQ+W5hyz3QiVJAdnf=cAfzHcDpja3VvBWxyAUbhbqtQ@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/vuSas950TSRsgk3PGK0v2vzKp-g>
Subject: Re: [OPSAWG] [Add] 🔔 WG LC: RADIUS Extensions for Encrypted DNS
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2022 18:10:53 -0000

On Oct 12, 2022, at 1:53 PM, Ben Schwartz <bemasc@google.com> wrote:
> 
> A practical limit of around 4000 octets for SvcParams seems likely to be fine.  A hard limit of 250 octets has a real chance of becoming a practical problem.  I would encourage you to reconsider the format.

  There are a number of limitations which all have to be addressed in order for any solution to work.  :(

  This specification requires "grouped" data, which generally means TLVs in RADIUS.  However, it also requires "long" data, which is forbidden to be used in TLVs by https://www.rfc-editor.org/rfc/rfc8044#section-3.16

  As the author of RFC 8044, I can say that there are good reasons for that prohibition.  I can also say that there are good reasons why the prohibited functionality is needed by this standard.

  I'm not sure there are any perfect solutions.  There's only varying amounts of holding your nose, and going with something which is the lesser of two evils.

  Off of the top of my head, one approach is to simply give up on transporting the DHCPv6 data as RADIUS attributes, and instead just define a DHCPv6-Options attribute in RADIUS, which carries raw DHCPv6 options.  This attribute could carry ~4K of data, and be in a format which complies with RFC 8044.

  That would solve the problem not only for this use-case, but for any future one, too.  Just define the DHCPv6 option, and then say "carry it in RADIUS attribute DHCPv6-Options"

  That makes it difficult for administrators to configure, as the RADIUS configuration now has to carry "raw" DHCPv6 data.  But... it's RADIUS.  That's the least of its ugliness.


  There's already something similar in DHCPv4:  https://datatracker.ietf.org/doc/html/rfc4014  i.e. DHCPv4 carries RADIUS attributes.  So there's reasonable precedent.

  Alan DeKok.