[radext] Confirmation of discussions on RADIUS/(D)TLS at IETF117
Jan-Frederik Rieckers <rieckers@dfn.de> Wed, 02 August 2023 14:02 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/1zAo0pFb68Ts_4jkI5pFG4IV_yM>
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Hi everyone,

following up on the last IETF meeting I want to go forward with the document.

There were some discussion points that were raised during the meeting still waiting for confirmation on this list. I don't know if the chairs want to issue a "formal consensus call" on the list, but I just want to get a feeling of the consensus to start producing text.

Arran was so kind as to submit a pull request regarding the specification of application layer watchdogs, DTLS heartbeats, connection closure etc., as agreed in the session. It can be found here:
https://github.com/Janfred/draft-janfred-radext-radiusdtls-bis/pull/1

The other questions were:

**Mandatory-to-implement Protocol**
Should either RADIUS/TLS or RADIUS/DTLS be mandatory to implement, or should both be mandatory?
The rough consensus in the room was that RADIUS/TLS should be MANDATORY and RADIUS/DTLS is RECOMMENDED.
(Side note: I'd really love a "STRONGLY RECOMMENDED" keyword, something in the vicinity of "OUGHT TO" or "WOULD PROBABLY" from RFC6919, /sarcasm off)

**Single Port for auth/accounting**
Current implementations use 2023/tcp and 2023/udp for both authentication and accounting. For load balancing/traffic engineering reasons it may be good to use different ports as it is with RADIUS/UDP.
The rough consensus in the room was that the document should stay with the single port.

**Deletion of MIB References**
The new document currently has no text regarding the MIBs. Should there be some text about MIBs for RADIUS/(D)TLS?
There were no strong opinions in the room, since it is not sure who actually uses these MIBs. So if there are opinions about this on this list, please share :)

**Watchdogs** (See PR from Arran)
The current spec is ambiguous about the usage of watchdog mechanisms.
The rough consensus was to use the same watchdog mechanism for TLS and DTLS, namely Status-Server.

**Add ref to RFC9325 (TLS/DTLS BCP)**
The old spec has some text about MTI cipher suites, implementation hints, ...
Since there is RFC9325, which gives recommendations about secure use of TLS and DTLS, we should just reference this.

Cheers,
Janfred

--
Mr. Jan-Frederik Rieckers
Security, Trust & Identity Services

E-Mail: rieckers@dfn.de | Phone: +49 30884299-339 | Fax: +49 30884299-370
Pronouns: he/him
__________________________________________________________________________________
DFN - Deutsches Forschungsnetz | German National Research and Education Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
www.dfn.de

Executive Board: Prof. Dr. Odej Kao (Chair) | Dr. Rainer Bockholt | Christian Zens
Management: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729B | VAT ID DE 1366/23822