IETF Logo Mail Archive

Re: [radext] Proposed charter text based on IETF-115 BoF

Alan DeKok <aland@deployingradius.com> Thu, 24 November 2022 19:05 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3AD6C14CE59 for <radext@ietfa.amsl.com>; Thu, 24 Nov 2022 11:05:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fiy3NnABtkNX for <radext@ietfa.amsl.com>; Thu, 24 Nov 2022 11:05:25 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2398C14CE4A for <radext@ietf.org>; Thu, 24 Nov 2022 11:05:24 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id B8C4A319; Thu, 24 Nov 2022 19:05:17 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAOW+2dtDkN3Hvk1vmuyJYGP9KS5WaGDenwQBb7-g12e6SxvEzw@mail.gmail.com>
Date: Thu, 24 Nov 2022 14:05:15 -0500
Cc: Peter Deacon <peterd@iea-software.com>, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, "radext@ietf.org" <radext@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <945FDD6C-FE70-4897-9DDA-EFCE4C834894@deployingradius.com>
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com> <E82B0ECD-4580-4F35-B07B-35685CFC5C44@aiven.io> <883f3572-121f-5ed8-7378-1a91c5525f88@iea-software.com> <EAAC2507-5D29-4453-8881-BC8D9D5314D8@deployingradius.com> <CAOW+2dsKg_H9f3zRUnanCpgGO+G=VPyxzWa9hsrCJCpsnoBsxA@mail.gmail.com> <7CB701B8-BD8F-4ADC-9265-12FC7EBE8FB6@deployingradius.com> <CAOW+2dtDkN3Hvk1vmuyJYGP9KS5WaGDenwQBb7-g12e6SxvEzw@mail.gmail.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/-LoGzS84LljzQXf3rW6362e6ulA>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 19:05:30 -0000

On Nov 24, 2022, at 10:14 AM, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> [BA] I'm wondering why negotiation is needed. Installations know whether they want to conform to FIPS or not. If they do, then failure of MD5 operations is not a bug, it's the desired outcome. 
> 
> For backwards compatibility, servers probably need to support RADIUS and the existing RADIUS over (D)TLS anyway.  So really we're talking about an "SRADIUS" configuration flag.  If a site requires FIPS, why can't it flip the SRADIUS flag and run its SRADIUS server on port 2083?  If some devices can't connect to an SRADIUS-configured server, then those devices don't support SRADIUS and presumably the site wants to point them at another server (one without the SRADIUS flag set), and eventually replace them with devices that support SRADIUS. 

  Pretty much, yes.  It would be very preferable to re-use port 2083.

  I looked into Alex's suggestion of TLS extensions, and the good news is that application layer protocol negotiation (ALPN) is defined in RFC 7301 [1], and is supported by OpenSSL [2].

  So we could require that SRADIUS is used (a) either via static configuration, or (b) signalled via ALPN.  If a both ends signal support for SRADIUS via ALPN, then that could be used.

  We don't have to worry much about down-bidding attacks, as there is no change in security when using RADIUS with MD5, or without MD5.  Everything is still protected by TLS.

  A server which accepts either kind of packet can signal support for both standard RADIUS and SRADIUS.  A server which only supports SRADIUS must necessarily signal that to the client, but can refuse to accept connections which don't signal SRADIUS support via ALPN.

  The benefit here is that there is no need for a "flag day".  People can upgrade (or not) their systems as they wish.  There's also no need to change RFC 7585 (dynamic peer discovery).

 
 I think that addresses all of the concerns around signalling, "new" protocols, and flag days.

  For me, the only thing left is the name.  If we're re-using port 2083, then the name "SRADIUS" is misleading.  It should instead be labelled as a variant of RADIUS, such as "RADIUS+" or "RADIUS2".  Or even "RADIUS+FIPS".

  Vendors supporting this variant can simply set a flag (required / allowed) to use RADIUS without MD5. 

  I would lean towards naming it something like "RADIUS+FIPS", in order to solve the political-layer problem of FIPS compatibility.  "See?  It's FIPS compatible, the name says so!"


  Alan DeKok.

[1] https://datatracker.ietf.org/doc/html/rfc7301

[2] https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_alpn_select_cb.html

v2.23.0 | Report a Bug | By Email