IETF Logo Mail Archive

Re: [radext] Proposed charter text based on IETF-115 BoF

Bernard Aboba <bernard.aboba@gmail.com> Tue, 22 November 2022 04:08 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFF4DC14CE24 for <radext@ietfa.amsl.com>; Mon, 21 Nov 2022 20:08:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7uQwmp-2f8qz for <radext@ietfa.amsl.com>; Mon, 21 Nov 2022 20:08:05 -0800 (PST)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5915BC14CF1A for <radext@ietf.org>; Mon, 21 Nov 2022 20:08:05 -0800 (PST)
Received: by mail-ej1-x634.google.com with SMTP id n21so32944548ejb.9 for <radext@ietf.org>; Mon, 21 Nov 2022 20:08:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=y2swJPUOqodGhTxV8euxU5CGUjYfg3DzphK6uVmuDQI=; b=J+58LR/ltCXW3qwG3269lqSJwyuWWyZxKcQkjnF+RBlSJbAbfYbMwisf/9vL2Rfgua qeFMQ8NhvtMAcg2lnRVYfLTCEPCUim8G9qEGklXUmLRYD6KiI3HYyQUuWQTfqSdVShMO /1z1Py06Lb89lN0l1HpbSOwIaSALGHItpt5oWnKk76T7G5Z5GchVHqSrLFOZN47dA+tU VfDI8dThESrey2p9DB7TImzvm/4S6dxisJJfx65z9J9inNXDfiQ9V+9vulEmQgRR3erp /bOFwP1lsppgdwhxJrKKov6eYxXPziXA0aYJnvJsXjSCB0gJgxbzg5Fd/jYp0NNc2JAL UqNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=y2swJPUOqodGhTxV8euxU5CGUjYfg3DzphK6uVmuDQI=; b=A44Vs0mvZxpjl82n1KWGpFjJWE8jTqbPZcDhW3q9SOniXjxEm6CgiY32BJmPW/kKMg nTCjOaIl6GPu7SdCy0ggpHffSZcGoYwbNLeA1z0Y4Payf9+xAbSbdpP/BVDy8sZ+EVGo DVWo8hSCPrnTR4avOfqYU9Pi/3T5Zk5QVjl3+bx9ig5yhcNfj4nw+33Ie43FtOoSpXoZ nXrpi3fC6SHnZOnY2nZEJchClzBWF/qqytsL+Wrl59/tCZ++LH+DDdbzMVJLkvE/3mXG RFTcqOvESczk9b/zsoknM05bKMJLLfT6GOX2iWUGDSvdlENuIqVNULP7+OiNGjSzHsbC stzw==
X-Gm-Message-State: ANoB5pk3ryS+TowTldF7DpDrSol2Jy4cXqLYiR4z5L4fFYOnigOFRSqw 3lFZmSb8zmUoQmDRJxDyqHPlQ5YdywWGPeCvGr7IXbsikLofLQ==
X-Google-Smtp-Source: AA0mqf4Cr5RyCdfdzQuMKSHJCd3TNSGrUrthXg7MUvHlLZIJUKWwy9Fb582w9lvYZjV47/WBwK/DVfs/vdsnIuhxvYM=
X-Received: by 2002:a17:906:924e:b0:782:2d3e:6340 with SMTP id c14-20020a170906924e00b007822d3e6340mr18104331ejx.234.1669090083096; Mon, 21 Nov 2022 20:08:03 -0800 (PST)
MIME-Version: 1.0
References: <CAGL5yWYTzvN1SgL8ordMvenhDGMs-EZw32+U32_4jeR9mqGciQ@mail.gmail.com>
In-Reply-To: <CAGL5yWYTzvN1SgL8ordMvenhDGMs-EZw32+U32_4jeR9mqGciQ@mail.gmail.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Mon, 21 Nov 2022 20:07:52 -0800
Message-ID: <CAOW+2dsSDXX=gdrXtnViNP88KMtFH2BiBfNhP5AQw_K+mDg+hQ@mail.gmail.com>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Cc: radext@ietf.org
Content-Type: multipart/alternative; boundary="000000000000804e4e05ee0751c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/-w9vVU71-xbE3n47udW_BEmgB7M>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2022 04:08:10 -0000

A few comments on the Charter:

"- Deprecate the use of insecure transports outside of secure
networks. This work updates RFC 6421
<https://datatracker.ietf.org/doc/rfc6421/> where possible."

[BA] RFC 6421 is the document that governs the process and requirements for
promotion of secure versions of RADIUS to Proposed Standard.  As was
discussed at the BOF, RFC 6421 requires that for publication as a Proposed
Standard, secure successors meets requirements for security as well as for
deployment and interoperability of independent implementations.  Until
RADIUS over (D)TLS can meet the requirements for publication as a Proposed
Standard, it would not be appropriate to deprecate the RADIUS protocol, and
the Charter should not lower the bar established in RFC 6421.

"- Defining a secure variant of RADIUS which can be used in a FIPS-140
compliant environment"

[BA] As was discussed at the BOF, RADIUS over IPsec, defined in RFC 3579,
has been deployed for more than 20 years in environments requiring FIPS-140
compliance. To enforce FIPS-140 compliance, RADIUS servers are configured
in "FIPS mode", which leaves them capable of using only FIPS-compliant
cryptographic primitives. As a result, attempts to utilize MD5 in transport
security such as IPsec or (D)TLS, EAP methods, or within the RADIUS
authenticator will fail. Rather than "defining a secure variant of RADIUS",
it is only necessary for the RADIUS over (D)TLS documents to describe how
implementations should behave in the absence of MD5 or other
FIPS-prohibited cryptographic primitives. For example, this would preclude
negotiation of (D)TLS ciphersuites utilizing MD5 or other prohibited
cryptographic operations.





On Mon, Nov 21, 2022 at 12:03 PM Paul Wouters <paul.wouters=
40aiven.io@dmarc.ietf.org> wrote:

> Hi all,
>
> Based on the inputs and discussions during the BoF at IETF-115 we have
> updated the proposed charter text. It can be found at
> https://datatracker.ietf.org/doc/charter-ietf-radextra/submit//
>
> I've included it below.
>
> Thanks to Stephen Farrell, Alan deKok and Margaret Cullen and everyone at
> the BoF (local and remote!) for their help.
>
> Please let us know of any issues but also let us know if you believe the
> proposed charter is ready
>
> Paul
>
>
> charter-ietf-radextra-00-00
>
> The RADIUS Extensions (RADEXT) Working Group is chartered to carry
> out specific maintenance tasks for the RADIUS protocol as described
> below.
>
> To ensure backward compatibility with existing RADIUS implementations,
> all documents produced must specify means of interoperation with legacy
> RADIUS and, if possible, be backward compatible with existing RADIUS
> RFCs, including RFCs 2865-2869, 3162, 3575, 3579, 3580, 4668-4673, 4675,
> 5080, 5090, 5176, 5997, 6158, 6613, 6614, 6929, 7360, 7585, 8044, and 8559.
>
> The WG may revisit the status of existing RADIUS RFCs, possibly changing
> document track categories with minor changes in the documents as needed.
>
> Work Items
>
> The immediate goals of the RADEXT working group are to address the
> following issues:
>
> - Deprecate the use of insecure transports outside of secure
>   networks.  This work updates RFC 6421 <https://datatracker.ietf.org/doc/rfc6421/> where possible.
>
> - Bring RFC 6614 <https://datatracker.ietf.org/doc/rfc6614/> (RADIUS/TLS), and RFC 7360 <https://datatracker.ietf.org/doc/rfc7360/> (RADIUS/DTLS) to
>   Standards track.
>
> - Define best practices for RADIUS roaming, and roaming consortia
>   based on experience with RADIUS/TLS.
>
> - Improve operations for multi-hop RADIUS networks: e.g. loop detection
>   and prevention, a multi-hop Status-Server equivalent with ability to
>   Trace the proxy steps a RADIUS message will follow.
>
> - Extend the 8-bit RADIUS ID space to allow more than 256 "in flight"
>   packets across one connection.
>
> - Allow for CoA / Disconnect packets to be sent in "reverse" down a
>   RADIUS/TLS or RADIUS/DTLS connection.  This functionality assists with
>   transit of NATs.
>
> - Defining a secure variant of RADIUS which can be used in a FIPS-140
>   compliant environment.
>
> There is an external timeline that affects this work: completion by 2024
> would enable WG outputs to be included in the planned WiFi 8 release. The
> WG will aim to meet that deadline.
>
> Adopting work items not described above will require a re-charter.
>
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
>

v2.23.0 | Report a Bug | By Email