Re: [radext] Server identity and RFC7585bis
Fabian Mauchle <fabian.mauchle@switch.ch> Fri, 12 April 2024 15:01 UTC
Return-Path: <fabian.mauchle@switch.ch>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A7C8C1D8760 for <radext@ietfa.amsl.com>; Fri, 12 Apr 2024 08:01:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=switch.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s4JCgsdASlbj for <radext@ietfa.amsl.com>; Fri, 12 Apr 2024 08:01:53 -0700 (PDT)
Received: from mx4.switch.ch (mx4.switch.ch [85.235.88.35]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 396E3C15153C for <radext@ietf.org>; Fri, 12 Apr 2024 08:01:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=switch.ch; l=3544; s=selector1; t=1712934069; h=message-id:date:mime-version:subject:to:references:from: in-reply-to:content-transfer-encoding; bh=N6MAR081frR8j+4XplW6v9g/2xlnDCawjJ0s5Vc2Vds=; b=Wp40N6iW+MbPaLqZeuYwsUknGbyB+4FKM30XudJ7jZpYwKi6c16MOUCo 83jMOkuFaYGDkYGw8UyjJhMUovG8y+Vjlhj+pvQ0wSKpjRxmo6UXT407U IasIvTt31maXZ2cdeIFqEGSFxzlCOC5AfTH0tqPCEuGlg7TfCsatRSTon XqF0GwV4+73x69SkwB6IDVXBSjzzgyxJVO2FQzyF+CD3XlpXhCdU3M1YR jPE8JNs+lLof1lVO/knKaYJKFCcUdhN8qsOjsP0stFHkuAmnbc2Up04yj +5fOgLCWtFhLGk3mGguWA/x/q7pASm7JC34o7nUlGRlZ+p2hygoHekhEN g==;
X-IronPort-MAIL-FROM: fabian.mauchle@switch.ch
X-IronPort-AV: E=Sophos;i="6.07,196,1708383600"; d="scan'208";a="7711891"
Received: from unknown (HELO SWH-S02-EXC1.swd.switch.ch) ([172.16.60.11]) by mx4int.switch.ch with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Apr 2024 17:01:06 +0200
Received: from [130.59.116.137] (172.16.60.33) by SWH-S02-EXC1.swd.switch.ch (172.16.60.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.32; Fri, 12 Apr 2024 17:01:06 +0200
Message-ID: <f6280546-4fab-4714-be39-114337d6f73d@switch.ch>
Date: Fri, 12 Apr 2024 17:01:05 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: radext@ietf.org
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <18ef8267-474e-49ae-9204-0c6c79d5e50c@dfn.de> <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de> <10347.1712778967@obiwan.sandelman.ca> <7D282A57-B68E-43DA-A6A2-7E14A8C09119@deployingradius.com> <5b5d0dc0-a81a-415e-ac01-de8b365a6ea0@dfn.de>
Content-Language: en-US, de-CH
From: Fabian Mauchle <fabian.mauchle@switch.ch>
In-Reply-To: <5b5d0dc0-a81a-415e-ac01-de8b365a6ea0@dfn.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [172.16.60.33]
X-ClientProxiedBy: SWH-S05-EXC3.swd.switch.ch (172.16.60.14) To SWH-S02-EXC1.swd.switch.ch (172.16.60.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/33MeBuMBhpJqyOUsfRAv_kym64w>
Subject: Re: [radext] Server identity and RFC7585bis
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 15:01:57 -0000
On 12.04.2024 10:35, Jan-Frederik Rieckers wrote:> We should make sure why we need to identify a client and a server. Reading the many comments, I think this is the most important question to answer first. > From my perspective, identifying a server has two reasons: > 1. Make sure that redundancy mechanisms work (as described above) In my view, this part is really easy, as it is local to the client. A client might open multiple connections to (what it considers) A server (e.g. to mitigate the id-space limitation pre-RADIUS/1.1), and would only start sending requests to another server if all connections to the active one are dead. But in that case, the client has perfect knowledge which connections represent a single server in its view. > 2. Prevent opening unnecessarily many open connections to a server with > dynamic discovery, just because the client is not sure if it's the same, > while keeping deployment options open (i.e. different policies hidden > behind different Server Names, but with the same certificate) I think this would be the main use-case - if done at all. As Alex pointed out, TCP connections aren't that expensive (not computationally at least, but they occupy file descriptors, and I have seen servers running out of those). But if it is done, a client needs to figure out if a new connection should be opened, or if it can reuse an existing one (or an existing set of connections, see above) - meaning that to routes (to different NAI realms) use the same connection. I can think of two scenarios: 1. Configuration by an admin. Then again it's no issue: two connections are the same because the admin said so. 2. Dynamic discovery: which parts of the discovery process needs to match for the result to be considered the 'same' server such that it can share a (set of) connection(s). At first glance, this could be the DNS name and port in the SRV record, plus maybe the IP address the DNS name resolves to (i.e. reuse an existing connection only if its IP address is in the set the DNS name resolves to). All of this is not to be confused with multiple routes to different NAI realms - a single route can use multiple connections, and many routes can share a single connection (or any combination of the above) > I'm not entirely sure, why we need to identify a specific client in the > way the specification in RFC6614 was written > (i.e. "What is the problem we solve by having a way to identify a > client" or more specifically "what are the consequences of identifying > that two connections come from the same client") TLS-PSK might be a good starting point: identify a client to provide peer authorisation and different policies. - with UDP and TCP it was the IP address (and maybe port) - with TLS-PSK it's the PSK Identity - with TLS Certificates, it could be any identifying element in the certificate. Maybe the CN or some subjectAltName - there's virtually no limit. But in the end, its only to apply the desired policy (and maybe logging). Any incoming connection needs to be treated separately anyway (to send responses, handle duplicates etc.), and it's perfectly fine for two separate clients having the same identity (thought it's probably still advisable to provide distinguishable identities, if only for logging/auditing purposes). -- Fabian Mauchle Network NOC: +41 44 268 15 30 Direct:+41 44 268 15 39 Switch Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
- [radext] Review of draft-ietf-radext-radiusdtls Alan DeKok
- Re: [radext] Review of draft-ietf-radext-radiusdt… Fabian Mauchle
- [radext] Certficate and certificate chain selecti… Heikki Vatiainen
- Re: [radext] Review of draft-ietf-radext-radiusdt… Jan-Frederik Rieckers
- [radext] RADIUS/(D)TLS port usage (was: Review of… Jan-Frederik Rieckers
- Re: [radext] Certficate and certificate chain sel… Alan DeKok
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Alan DeKok
- Re: [radext] Review of draft-ietf-radext-radiusdt… Jan-Frederik Rieckers
- Re: [radext] Review of draft-ietf-radext-radiusdt… Fabian Mauchle
- Re: [radext] Server identity and RFC7585bis (was:… Mark Grayson (mgrayson)
- [radext] Accounting and Protocol-Error (was: Revi… Jan-Frederik Rieckers
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Michael Richardson
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Alan DeKok
- [radext] Server identity and RFC7585bis (was: Rev… Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis (was:… Michael Richardson
- Re: [radext] Server identity and RFC7585bis (was:… Alexander Clouter
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Michael Richardson
- Re: [radext] Server identity and RFC7585bis (was:… Alexander Clouter
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Stephen Farrell
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis (was:… Alan DeKok
- Re: [radext] Server identity and RFC7585bis Stephen Farrell
- Re: [radext] Server identity and RFC7585bis (was:… Alan DeKok
- Re: [radext] Server identity and RFC7585bis Mark Grayson (mgrayson)
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Alexander Clouter
- Re: [radext] Server identity and RFC7585bis Alan DeKok
- Re: [radext] Server identity and RFC7585bis Michael Richardson
- Re: [radext] Server identity and RFC7585bis Alan DeKok
- Re: [radext] Server identity in RADIUS/(D)TLS-bis Jan-Frederik Rieckers
- Re: [radext] Accounting and Protocol-Error (was: … Alan DeKok
- Re: [radext] Server identity in RADIUS/(D)TLS-bis Alan DeKok
- Re: [radext] Server identity and RFC7585bis Fabian Mauchle
- Re: [radext] Session closure in DTLS (was: Review… Jan-Frederik Rieckers
- Re: [radext] Session closure in DTLS (was: Review… Alan DeKok
- Re: [radext] Session closure in DTLS Fabian Mauchle
- Re: [radext] Session closure in DTLS Alan DeKok