Re: [radext] RADIUS/TLS with NULL cipher suites

Alan DeKok <aland@deployingradius.com> Thu, 24 August 2023 19:10 UTC


On Aug 24, 2023, at 2:55 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> I think it'd be good to do that, esp. if there's a good
> explanation for why RADIUS/pretend-encryption is awful.

  It has all of the worst aspects of UDP (everything in the clear) plus all of the worst aspects of TCP (head of line blocking) plus the ability for anyone to see all of your passwords!

  <arg>

  Alan DeKok.
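A defender's check for the configuration this thread warns against, added here as an example and not code from the thread or from any RADIUS implementation: it resolves an OpenSSL-style cipher string (the form a RADIUS/TLS server is typically configured with; that is an assumption) and reports any suite that would carry RADIUS over TCP with no encryption. It models only a subset of OpenSSL cipher-string semantics (':' separated tokens, '!' kill, '-' remove, '+' move to end, keywords ALL/eNULL/NULL/aNULL/HIGH) over a small constructed catalog, so it runs offline.

```python
"""Audit an OpenSSL-style cipher string for NULL (no-encryption) suites.

Constructed example. The catalog below is a deliberately small stand-in for
the real suite list; for a live audit, run `openssl ciphers -v '<string>'`
against the library the RADIUS/TLS server actually links.
"""

# Constructed catalog: suite name -> (encryption, authentication, strength bits)
CATALOG = {
    "ECDHE-RSA-AES256-GCM-SHA384": ("AESGCM", "RSA", 256),
    "ECDHE-ECDSA-AES128-GCM-SHA256": ("AESGCM", "ECDSA", 128),
    "AES128-SHA": ("AES", "RSA", 128),
    "ECDHE-RSA-NULL-SHA": ("NULL", "RSA", 0),   # integrity only, no secrecy
    "NULL-SHA256": ("NULL", "RSA", 0),
    "AECDH-NULL-SHA": ("NULL", "NULL", 0),      # neither secrecy nor server auth
}


def _match(token):
    """Catalog names selected by one keyword or one suite name (subset of OpenSSL)."""
    if token == "ALL":                      # OpenSSL: everything except eNULL
        return [n for n, (enc, _, _) in CATALOG.items() if enc != "NULL"]
    if token in ("eNULL", "NULL"):
        return [n for n, (enc, _, _) in CATALOG.items() if enc == "NULL"]
    if token == "aNULL":
        return [n for n, (_, auth, _) in CATALOG.items() if auth == "NULL"]
    if token == "HIGH":
        return [n for n, (_, _, bits) in CATALOG.items() if bits >= 128]
    return [token] if token in CATALOG else []


def resolve_cipher_string(cipher_string):
    """Expand a cipher string into the ordered list of suites it enables."""
    enabled, killed = [], set()
    for raw in cipher_string.split(":"):
        op, tok = (raw[0], raw[1:]) if raw and raw[0] in "!-+" else ("", raw)
        names = _match(tok)
        if op == "!":                       # removed and cannot be re-added
            killed.update(names)
            enabled = [n for n in enabled if n not in killed]
        elif op == "-":                     # removed, but a later token may re-add
            enabled = [n for n in enabled if n not in names]
        elif op == "+":                     # demote matching suites to the end
            enabled = [n for n in enabled if n not in names] + [n for n in enabled if n in names]
        else:
            enabled += [n for n in names if n not in enabled and n not in killed]
    return enabled


def null_suites(cipher_string):
    """Suites in the string that would send RADIUS, passwords included, in the clear."""
    return [n for n in resolve_cipher_string(cipher_string) if CATALOG[n][0] == "NULL"]
```

An empty result from `null_suites` is the condition to enforce; "ALL:eNULL" is the kind of string that silently turns RADIUS/TLS into cleartext over TCP.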