IETF Logo Mail Archive

Re: [radext] Proposed charter text based on IETF-115 BoF

Heikki Vatiainen <hvn@radiatorsoftware.com> Tue, 29 November 2022 18:10 UTC

Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A18D3C14CEEA for <radext@ietfa.amsl.com>; Tue, 29 Nov 2022 10:10:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RcIhCjp6Ba7E for <radext@ietfa.amsl.com>; Tue, 29 Nov 2022 10:10:40 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5B7FC14F73D for <radext@ietf.org>; Tue, 29 Nov 2022 10:10:40 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id d3so18241092ljl.1 for <radext@ietf.org>; Tue, 29 Nov 2022 10:10:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20210112.gappssmtp.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=5sMCH4eNqqqE60tzc43oKg43xwmFXWTZstCMS03pnyM=; b=Y0WcW77Jz+mPZmeB7OFQmZZ7uXTB/IM5WBV7jheg5Oja1cjW/Lava/c+vVBXRHAJMH WOIr+WDQSr4fjfG1ZVNDIYHnE/PK7Hsok/lUhNMV4cfSs7a5om/eUAHu2bqzBpZaB51S nm8gxoViStCai6WHTNRQYg2tpwyjdmqqN/wdvNvto/SR1oGlYUwrKkwKOf3AgM3a+5jE plMzq05gcELEVL2SfCrAC8oo9S6wWUdI/GCge3jZ/+bW4WxuBW5BybjKj5DULRB1VTil vAo7LQSqM9r/v40t/900gytGRXkPmUHPnAt0A2rDcSS0Hnp+sPwMB4FJF+G6vFR4EZBi GapQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=5sMCH4eNqqqE60tzc43oKg43xwmFXWTZstCMS03pnyM=; b=nYZKTYU/CABioYekZPIwnMM8Abs8P+LHfITc/fWHFhqlHAkLy9RfzIe9LCX6/ODTZS jwf6ZEJ96j20Ih1n2HB1PZYT1FL0oecr4aY9cvz4s+ij+TPz7IS9qkYx4RQKWU1UU0zT 33BkqiR/nTnc6YPoDHWI58M91pT/hU41VNYIMa1c/NwQ9AEteMKorr00xYhJ8VfDhTAH 9U+6os+kmLa6lRJEys4/6GxM/oxtqtMJsKhymlZxbdLl9LEpyVavoCST5BXHRqpJE0Xz BHVeNKaaP3nu8ESuqcBjOOf6XVMGhBKx2A30seWSX0ZGJwpfxLo/BfpKg1znf5UfdlaH T9Bw==
X-Gm-Message-State: ANoB5pn7JmB0Nx0+i9NkurgcOudAPQBV9F0P+G1pujKSqHL6GXvh8o16 CpjYOt6kVLSXE+jv3hN5dBsJRNpxIQPa64iv4y0GdJUjj26mNQ==
X-Google-Smtp-Source: AA0mqf7sNSCnpMP2x9EV6Id4JycoStbMtgggsiEE0FPr0IMg0EWsKzccq7h9BvmxCAEox5TjjZsqSxVaBbh3eoefBqc=
X-Received: by 2002:a2e:a224:0:b0:277:309:f1ad with SMTP id i4-20020a2ea224000000b002770309f1admr12856329ljm.244.1669745438684; Tue, 29 Nov 2022 10:10:38 -0800 (PST)
MIME-Version: 1.0
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com> <EAAC2507-5D29-4453-8881-BC8D9D5314D8@deployingradius.com> <CAOW+2dsKg_H9f3zRUnanCpgGO+G=VPyxzWa9hsrCJCpsnoBsxA@mail.gmail.com> <7CB701B8-BD8F-4ADC-9265-12FC7EBE8FB6@deployingradius.com> <CAOW+2dtDkN3Hvk1vmuyJYGP9KS5WaGDenwQBb7-g12e6SxvEzw@mail.gmail.com> <05f4711f-4f9f-7bb6-e04f-b3c9ebc73202@dfn.de> <9e24bb0f-b12b-8235-3e88-65d4c59f205c@newtoncomputing.co.uk> <e94b8273-6189-efc4-dfa5-3ab3bacbdac6@dfn.de> <7cdb23d1-1d91-71ed-14ee-157315beb278@newtoncomputing.co.uk> <7604703a-075f-7ad6-9c85-24e9a0f845fb@dfn.de> <CAA7Lko9wSP0E8tSQwQ4uhud-f+OBZf6Nw-EGf0XqLPkg8vpN8A@mail.gmail.com> <6D8C428B-D837-4FFE-9739-99C7C20FF64D@deployingradius.com> <CAOW+2dvxo0cpg5+1W-Tyo=s3Ee7EGWFnn+GgW6juEous+6+dug@mail.gmail.com> <9388DD9A-7E92-4C52-8ED8-C36B6282820F@deployingradius.com> <CAOW+2dvc7mKbtzXb_SxBQDarTP_=GrOATvi-dui=giN6jn=ffA@mail.gmail.com> <A4EE4471-92C9-4A7A-AD0B-E2C56EFF8249@deployingradius.com> <cc61da67-e756-de20-aafa-e9485ae9ef57@uni-bremen.de>
In-Reply-To: <cc61da67-e756-de20-aafa-e9485ae9ef57@uni-bremen.de>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Tue, 29 Nov 2022 20:10:22 +0200
Message-ID: <CAA7Lko_bbpdVnfS6x3k56W0MnfQkfBxGTbVrViw4Td2J-0H_Nw@mail.gmail.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bd147005ee9fe724"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/0wZcUy3fjnWeKQSG-pGp9Wcc7To>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2022 18:10:44 -0000

On Tue, 29 Nov 2022 at 01:19, Jan-Frederik Rieckers <rieckers@uni-bremen.de>
wrote:

> On 28.11.22 23:19, Alan DeKok wrote:
> >    Stefan pointed out that we should probably add a flag saying "require
> secure transport".
> >
> >    i.e. SRADIUS has 8 octets of unused data in the packet header.  It
> would be good to define one as a flags field: "require secure transport".
> >
> >    Then if a proxy receives SRADIUS packets with that flag set, it will
> refuse to proxy the packets over plain UDP / TCP.  RADIUS/TLS is fine, as
> TLS will take care of securing the data.
>
> Allowing forwarding with RADIUS/TLS has the downside that the flag would
> be lost and it could result in RADIUS/UDP at some point if it is proxied
> further.
> Unless we find a way to include the Flag in "plain" RADIUS, but that
> would also require all proxies to honor the new flag.
>

There's also the possibility that IPsec or some other method is used to
securely forward RADIUS/UDP. This may not be easily visible for a Radius
proxy. This could lead to a situation that the potential newly added flag
is honoured while there's secure transport available.

Regarding secure transport: The revised Diameter RFC says:
https://www.rfc-editor.org/rfc/rfc6733.html#section-1.1.3
   o  Simplified security requirements.  The use of a secured transport
      for exchanging Diameter messages remains mandatory.  However, TLS/
      TCP and DTLS/SCTP have become the primary methods of securing
      Diameter with IPsec as a secondary alternative.  See Section 13
      for details.  The support for the End-to-End security framework
      (E2E-Sequence AVP and 'P'-bit in the AVP header) has also been
      deprecated.

The obsoleted RFC 3588 defined 'P'-bit as:
      The 'P' bit indicates the need for encryption for end-to-end security.

A quick search didn't tell why the above changes were done, but if secure
transport flag is considered, it might be useful to see what happened in
Diameter's case.

Thanks,
Heikki

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com

v2.23.0 | Report a Bug | By Email