[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS

Bernard Aboba <bernard.aboba@gmail.com> Tue, 30 July 2024 22:28 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/4qd9IGeu_CJ_VQaLqqafsLCREWw>

Alan DeKok <aland@deployingradius.com> wrote:
> 
> For server to server (proxy) situations, that seems quite reasonable to
> mandate 1.3.
> 
> Are the access devices up to this?

[BA] IMHO, yes. Think of yourself or the IETF NOC as the target customer, not an elderly relative with a home router.

Most consumer devices don’t support automated upgrades, and few are configured to use legacy RADIUS, let alone a future secure version. So we don’t have to worry much about securing “bot farm” participants.

Instead, focus on enterprise or SMORG devices developed and maintained by competent developers that will be tested and certified by WFA or another industry forum and configured by IT professionals (e.g. IETF NOC).