Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Fri, 05 April 2013 04:39 UTC
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Jouni <jouni.nospam@gmail.com>
Date: Fri, 05 Apr 2013 04:38:55 +0000
Cc: "<radext@ietf.org>" <radext@ietf.org>, "<radext-chairs@tools.ietf.org>" <radext-chairs@tools.ietf.org>
Subject: Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
As I mentioned in the Orlando meeting I am becoming less convinced that multiplexing RADIUS over UDP and RADIUS over DTLS is the appropriate path to take. It would be better to use multiplexing at the UDP port level instead. Using UDP ports allows existing network devices to differentiate between encrypted and unencrypted RADIUS and enforce a security policy that allows only encrypted traffic. Using the same port also increases the probability that there will be more implementation errors that impact the system security. The overloading of command code 22 is somewhat of a kludge; it is possible that TLS could introduce new message codes that could make new enhancements to TLS incompatible with this specification. The only argument that I have heard for running insecure and secure on the same port is that you will not have to modify firewall rules; however, if you are already using a firewall to filter RADIUS traffic you will want to differentiate between insecure and secure RADIUS.

Joe

On Apr 2, 2013, at 1:38 PM, Jouni <jouni.nospam@gmail.com> wrote:

> Folks,
>
> This email starts a quick one week WGLC #2 for draft-ietf-radext-dtls-04;
> "DTLS as a Transport Layer for RADIUS". The WGLC ends on Tuesday, 9th April.
>
> Post your comments to the list and enter them also into Issue Tracker.
>
>
> - Jouni & Mauricio
>
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
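The two designs the message compares, written out as an added example (this is not code from the draft, from the author, or from any RADIUS implementation). It assumes a shared-port rule in which a datagram whose first byte is 22 (the DTLS Handshake record content type) is handed to the DTLS side and everything else is parsed as RADIUS, and it assumes 2083/udp as the separate DTLS port for the per-port alternative. The sample datagrams are constructed (all-zero authenticator, a placeholder handshake body); the DTLS branch validates only the record header, and the per-peer session tracking a real server needs for later records is omitted.

```python
import struct

# DTLS record layer (RFC 6347): content type (1), version (2), epoch (2),
# sequence number (6), length (2).
DTLS_RECORD_HDR_LEN = 13
DTLS_HANDSHAKE = 22                       # content type of every handshake record
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}

# RADIUS header (RFC 2865): code (1), identifier (1), length (2), authenticator (16).
RADIUS_HDR_LEN = 20
RADIUS_MAX_LEN = 4096

RADIUS_UDP_PORT = 1812   # RFC 2865 authentication port
RADIUS_DTLS_PORT = 2083  # assumption: the RadSec port, distinct from 1812


def dtls_record(content_type: int, body: bytes, version: int = 0xFEFF) -> bytes:
    """Constructed DTLS record with epoch 0 and sequence number 0 (body is not validated)."""
    return (struct.pack(">BHH", content_type, version, 0)
            + (0).to_bytes(6, "big")
            + struct.pack(">H", len(body))
            + body)


def radius_packet(code: int, ident: int, attrs: bytes = b"") -> bytes:
    """Constructed RADIUS packet with an all-zero Request Authenticator."""
    return struct.pack(">BBH", code, ident, RADIUS_HDR_LEN + len(attrs)) + bytes(16) + attrs


def classify_same_port(datagram: bytes) -> str:
    """Shared-port demux keyed on the first byte: 'dtls', 'radius' or 'invalid'.

    Any datagram starting with 22 goes to the DTLS side, so a RADIUS packet
    with code 22 can never reach the RADIUS parser on this socket. Only the
    first record of a session is recognised this way; later records (content
    types 20, 21, 23) must be matched by peer address, which is omitted here.
    """
    if len(datagram) < 4:
        return "invalid"
    if datagram[0] == DTLS_HANDSHAKE:
        if len(datagram) < DTLS_RECORD_HDR_LEN:
            return "invalid"
        _, version, epoch = struct.unpack(">BHH", datagram[:5])
        (length,) = struct.unpack(">H", datagram[11:13])
        if version in DTLS_VERSIONS and epoch == 0 and length == len(datagram) - DTLS_RECORD_HDR_LEN:
            return "dtls"
        return "invalid"
    _, _, length = struct.unpack(">BBH", datagram[:4])
    # RFC 2865: shorter than Length is discarded; bytes past Length are padding.
    if RADIUS_HDR_LEN <= length <= RADIUS_MAX_LEN and length <= len(datagram):
        return "radius"
    return "invalid"


def classify_by_port(dst_port: int) -> str:
    """Separate-port alternative: the transport is known before any byte is parsed."""
    return {RADIUS_UDP_PORT: "radius", RADIUS_DTLS_PORT: "dtls"}.get(dst_port, "unknown")


def policy_allows(dst_port: int, encrypted_only: bool = True) -> bool:
    """The 'only encrypted RADIUS' rule a port-filtering firewall can enforce."""
    kind = classify_by_port(dst_port)
    if kind == "unknown":
        return False
    return kind == "dtls" or not encrypted_only


if __name__ == "__main__":
    samples = {
        "DTLS handshake record": dtls_record(DTLS_HANDSHAKE, b"\x01" + bytes(15)),  # placeholder ClientHello body
        "RADIUS Access-Request": radius_packet(1, 42, b"\x01\x05bob"),             # User-Name = bob
        "RADIUS packet, code 22": radius_packet(22, 7),
    }
    for name, dgram in samples.items():
        print(f"{name:24s} shared port -> {classify_same_port(dgram)}")
    for port in (RADIUS_UDP_PORT, RADIUS_DTLS_PORT):
        print(f"udp/{port}: {classify_by_port(port)}, allowed by encrypted-only policy: {policy_allows(port)}")
```

Running it shows the cost of the shared-port rule: a RADIUS packet carrying code 22 is classified as invalid and dropped, never delivered as RADIUS, and a device that only sees port numbers has no way to tell the two transports apart. With distinct ports, policy_allows() is the entire firewall rule.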