[radext] Confirmation of discussions on RADIUS/(D)TLS at IETF117

Jan-Frederik Rieckers <rieckers@dfn.de> Wed, 02 August 2023 14:02 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/1zAo0pFb68Ts_4jkI5pFG4IV_yM>

Hi everyone,

following up on the last IETF meeting I want to go forward with the 
document.

There were some discussion points raised during the meeting that are 
still waiting for confirmation on this list. I don't know if the chairs 
want to issue a "formal consensus call" on the list, but I just want to 
get a feeling of the consensus to start producing text.

Arran was so kind as to submit a pull request regarding the specification 
of application layer watchdogs, DTLS heartbeats, connection closure 
etc., as agreed in the session.
It can be found here:
https://github.com/Janfred/draft-janfred-radext-radiusdtls-bis/pull/1



The other questions were:



**Mandatory-to-implement Protocol**

Should either RADIUS/TLS or RADIUS/DTLS be mandatory to implement, or 
should both be mandatory?

The rough consensus in the room was that RADIUS/TLS should be MANDATORY 
and RADIUS/DTLS is RECOMMENDED.
(Side note: I'd really love a "STRONGLY RECOMMENDED" keyword, something 
in the vicinity of "OUGHT TO" or "WOULD PROBABLY" from RFC6919, 
/sarcasm off)



**Single Port for auth/accounting**

Current implementations use 2023/tcp and 2023/udp for both 
authentication and accounting. For load balancing/traffic engineering 
reasons it may be good to use different ports as it is with RADIUS/UDP.

The rough consensus in the room was that the document should stay with 
the single port.



**Deletion of MIB References**

The new document currently has no text regarding the MIBs. Should there 
be some text about MIBs for RADIUS/(D)TLS?

There were no strong opinions in the room, since it is not clear who 
actually uses these MIBs. So if there are opinions about this on this 
list, please share :)



**Watchdogs**

(See PR from Arran)
The current spec is ambiguous about the usage of watchdog mechanisms.

The rough consensus was to use the same watchdog mechanism for TLS and 
DTLS, namely Status-Server.



**Add ref to RFC9325 (TLS/DTLS BCP)**

The old spec has some text about MTI cipher suites, implementation 
hints, ...

Since there is RFC9325 which gives recommendations about secure use of 
TLS and DTLS, we should just reference this.



Cheers,
Janfred

-- 
Herr Jan-Frederik Rieckers
Security, Trust & Identity Services

E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education 
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
www.dfn.de

Board: Prof. Dr. Odej Kao (Chair) | Dr. Rainer Bockholt | 
Christian Zens
Management: Dr. Christian Grimm | Jochem Pattloch
Register of associations, Charlottenburg district court 7729B | VAT ID DE 1366/23822
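The Status-Server watchdog that the mail settles on, as an added example that is not part of the original message, of Arran's pull request or of the draft: a Python sketch of what the probing client and the answering server each have to verify before a probe counts as "peer alive". It assumes the RFC 5997 packet layout (Code 12, a mandatory Message-Authenticator attribute computed as HMAC-MD5 over the packet with the shared secret), the fixed RADIUS/TLS shared secret "radsec" from RFC 6614, and, because the document keeps a single port for authentication and accounting, that either an Access-Accept or an Accounting-Response answers the probe. The `Watchdog` class and its miss threshold are constructed for the example, not taken from the draft.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

STATUS_SERVER = 12           # RADIUS code for Status-Server (RFC 5997)
ACCESS_ACCEPT = 2            # reply on the authentication port
ACCOUNTING_RESPONSE = 5      # reply on the accounting port (single port: accept both, assumption)
MESSAGE_AUTHENTICATOR = 80   # attribute type; 16-byte HMAC-MD5 keyed with the shared secret
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator
RADSEC_SECRET = b"radsec"    # fixed shared secret for RADIUS/TLS (RFC 6614)


def build_status_server(identifier: int, secret: bytes = RADSEC_SECRET,
                        authenticator: Optional[bytes] = None) -> bytes:
    """Build a Status-Server probe; the Request Authenticator is random unless given (tests)."""
    auth = os.urandom(16) if authenticator is None else authenticator
    # HMAC is computed with the Message-Authenticator value zeroed, then patched in.
    placeholder = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = HEADER.pack(STATUS_SERVER, identifier, HEADER.size + len(placeholder), auth)
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + bytes([MESSAGE_AUTHENTICATOR, 18]) + mac


def parse_attributes(data: bytes) -> list:
    """Return (offset, type, value) triples; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((i, atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: a probe without a valid Message-Authenticator is silently dropped."""
    if len(packet) < HEADER.size:
        return False
    _code, _ident, length, _auth = HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    try:
        attrs = parse_attributes(packet[HEADER.size:])
    except ValueError:
        return False
    for offset, atype, value in attrs:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            start = HEADER.size + offset + 2
            zeroed = packet[:start] + bytes(16) + packet[start + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # RFC 5997 makes the attribute mandatory in Status-Server


def build_reply(request: bytes, secret: bytes, code: int = ACCESS_ACCEPT) -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    _code, ident, _length, req_auth = HEADER.unpack_from(request)
    attrs = b""
    body = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    return body + hashlib.md5(body + req_auth + attrs + secret).digest() + attrs


def verify_reply(request: bytes, reply: bytes, secret: bytes) -> bool:
    """Client side: identifier must match and the Response Authenticator must verify."""
    if len(reply) < HEADER.size or len(request) < HEADER.size:
        return False
    _, req_ident, _, req_auth = HEADER.unpack_from(request)
    code, ident, length, resp_auth = HEADER.unpack_from(reply)
    if length != len(reply) or ident != req_ident or code not in (ACCESS_ACCEPT, ACCOUNTING_RESPONSE):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[HEADER.size:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def probe_round_trip(identifier: int, secret: bytes = RADSEC_SECRET) -> bool:
    """One full watchdog exchange, both checks applied; True only if both sides accept."""
    request = build_status_server(identifier, secret)
    if not verify_message_authenticator(request, secret):
        return False
    return verify_reply(request, build_reply(request, secret), secret)


class Watchdog:
    """Constructed liveness state: max_missed consecutive probes without a valid reply = peer dead."""
    def __init__(self, max_missed: int = 3):
        self.max_missed = max_missed
        self.missed = 0

    def timeout(self) -> bool:
        self.missed += 1          # a reply that fails verification is counted as a timeout
        return self.alive()

    def valid_reply(self) -> None:
        self.missed = 0

    def alive(self) -> bool:
        return self.missed < self.max_missed


if __name__ == "__main__":
    print("round trip ok:", probe_round_trip(1))
```

The point of routing a failed `verify_reply` into `Watchdog.timeout()` rather than `valid_reply()` is that a reply with a bad Response Authenticator carries no evidence that the real peer is up, so it must not reset the miss counter; the same holds on the server side, where a probe failing `verify_message_authenticator` is dropped without a reply, exactly as a malformed Status-Server would be.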