IETF Logo Mail Archive

Re: [radext] BoF request for IETF 115

Alan DeKok <aland@deployingradius.com> Sat, 24 September 2022 13:13 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5C88C14CE44 for <radext@ietfa.amsl.com>; Sat, 24 Sep 2022 06:13:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rn6MUZQYxMs2 for <radext@ietfa.amsl.com>; Sat, 24 Sep 2022 06:13:41 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FA3DC14CE3A for <radext@ietf.org>; Sat, 24 Sep 2022 06:13:40 -0700 (PDT)
Received: from smtpclient.apple (unknown [216.185.91.122]) by mail.networkradius.com (Postfix) with ESMTPSA id 39D75218; Sat, 24 Sep 2022 13:13:35 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <788eea99-21ab-4cc7-8e3e-67a2f8f480d6@www.fastmail.com>
Date: Sat, 24 Sep 2022 09:13:33 -0400
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <F773A4A3-99C3-4216-8813-45DA5606B8C9@deployingradius.com>
References: <CAOW+2ds134ZJ+somFXsL=27=pvtUT2hNU6G9_8cpM3VoWEcN9Q@mail.gmail.com> <ab874879-3cdd-6cdb-e9a0-07a405272088@iea-software.com> <788eea99-21ab-4cc7-8e3e-67a2f8f480d6@www.fastmail.com>
To: Alexander Clouter <alex+ietf@coremem.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/8iBf_PG2PnlmW8j2ZBPZDEQ1mBo>
Subject: Re: [radext] BoF request for IETF 115
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2022 13:13:45 -0000

On Sep 24, 2022, at 2:12 AM, Alexander Clouter <alex+ietf@coremem.com> wrote:
> Trying to make bullet proof an environment where someone wants to use their pets name as a PSK is probably a battle we are going to lose. In fairness, it is also a choice the user made for reasons that make sense to them and their local environment...it may not be correct but I am not sure there is anything anyone can do there.

  Many moons ago Bob Moscowitz and I had a "client kickstart" draft at IETF 58 (draft-moskowitz-RADIUS-Client-Kickstart-02.txt).  That may have addressed the issue, but it never got traction.

  Any new automated method to provision secure PSKs could require substantial changes to RADIUS system workflows and UIs.  That rules out most ideas.

  In the end, the issue of securely provisioning PSKs is too often a human issue.  Which makes it very difficult to solve.

  So we can give advice on what to do.  It's the only thing which we know isn't wrong, and which can be implemented.

  e.g. "get 80+ bits of randomness, base32-encode it, and take 16 characters".  That gets you 80 bits of entropy, which should be enough.  Plus it's ASCII.  And small enough that most NAS equipment will support 16-character strings.

  TBH, we should just deprecate PSKs.  Perhaps allow the use of a PSK, but mark it as NOT RECOMMENDED.  And require that all implementations MUST support client certificates.  That won't solve the problem, but it will at least embarrass insecure implementations.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email