[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS

Margaret Cullen <mrcullen42@gmail.com> Sat, 27 July 2024 02:12 UTC

From: Margaret Cullen <mrcullen42@gmail.com>
Date: Fri, 26 Jul 2024 19:11:52 -0700
Message-Id: <FEFA81DA-BE18-4B29-B214-2D05E6DFD933@gmail.com>
References: <CAOW+2dv7ZXMtoEDunM+x7PgT32-KuXt+1kPeB5giGzewFvotng@mail.gmail.com>
In-Reply-To: <CAOW+2dv7ZXMtoEDunM+x7PgT32-KuXt+1kPeB5giGzewFvotng@mail.gmail.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
CC: Fabian Mauchle <fabian.mauchle=40switch.ch@dmarc.ietf.org>, radext@ietf.org
Subject: [radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/01XgvsxNkqZO1CkmW455qIf2GrM>


> On Jul 26, 2024, at 4:44 PM, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> 
> [BA] Does the WG really need to take a position on whether (D)TLS 1.2 provides adequate protection (currently or in the future)? 

I would say that we _do_ need to take a position on whether TLS 1.2 provides sufficient security for RADIUS, whether we say this in the RADIUS/(D)TLS security considerations or not.

If running RADIUS over (D)TLS (in all four variants) does not provide sufficient security, we should add security (or fix security) at the RADIUS layer to make the security sufficient.

Margaret