Re: [radext] CUI comments in "deprecating insecure transports"
Arran Cudbard-Bell <a.cudbardb@freeradius.org> Wed, 26 July 2023 19:32 UTC
From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Wed, 26 Jul 2023 12:32:19 -0700
Cc: Arran Cudbard-Bell <a.cudbardb=40freeradius.org@dmarc.ietf.org>, Alan DeKok <aland@deployingradius.com>, Margaret Cullen <mrcullen42@gmail.com>, "josh.howlett" <josh.howlett@gmail.com>, radext@ietf.org
To: Alexander Clouter <alex+ietf@coremem.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/9CN_6plfA6A3ArieNTnoRxsdY9Y>
> Of course the server could punt a new ticket each time to the client, effectively making them single use; as long as it has the smarts to know to burn previously used tokens, but that can be an exotic deployment for some sites.

Not that exotic in EAP land, and the server doesn't _need_ to be able to burn old tickets, the supplicant just needs to be smart about using the freshest ones.

I'd say finding server software that could decode a TLS handshake for a TLS session it wasn't terminating would be considerably rarer.

> That said, there is likely to be a stable mapping of Calling-Station-Id to this ticket, making it questionable if this effort would even be worth it when a ticket is valid for a short period and the MAC address is likely stable for a given network across sessions.

Apparently private MACs change every 24 hours as of iOS 14, so that's something. Max ticket lifetime is 7 days as per 8446.

-Arran
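As an added example (not code from the thread or from FreeRADIUS), a supplicant-side ticket policy that implements the two points made above: the client treats tickets as single use (offer the freshest one, then forget it) and rejects any ticket_lifetime above the 7-day cap of RFC 8446. The parser and encoder follow the NewSessionTicket wire format of RFC 8446 section 4.6.1; the TicketStore class and the sample ticket bytes are constructed for this demo.

```python
import struct

RFC8446_MAX_LIFETIME = 7 * 24 * 3600  # 604800 s, RFC 8446 section 4.6.1

def parse_new_session_ticket(body: bytes) -> dict:
    """Parse a TLS 1.3 NewSessionTicket body (RFC 8446 4.6.1) and enforce
    the 7-day lifetime cap. Raises ValueError on malformed or over-long tickets."""
    lifetime, age_add = struct.unpack_from("!II", body, 0)
    off = 8
    nonce_len = body[off]; off += 1                      # opaque ticket_nonce<0..255>
    nonce = body[off:off + nonce_len]; off += nonce_len
    ticket_len = struct.unpack_from("!H", body, off)[0]; off += 2
    if ticket_len == 0:                                   # opaque ticket<1..2^16-1>
        raise ValueError("ticket must be non-empty")
    ticket = body[off:off + ticket_len]; off += ticket_len
    ext_len = struct.unpack_from("!H", body, off)[0]; off += 2
    exts = body[off:off + ext_len]; off += ext_len
    if off != len(body):
        raise ValueError("trailing bytes in NewSessionTicket")
    if lifetime > RFC8446_MAX_LIFETIME:
        raise ValueError(f"ticket_lifetime {lifetime} exceeds 7 days")
    return {"lifetime": lifetime, "age_add": age_add, "nonce": nonce,
            "ticket": ticket, "extensions": exts}

class TicketStore:
    """Constructed supplicant-side store: keep unused tickets, resume with the
    freshest one, and discard a ticket as soon as it is offered (never reused)."""
    def __init__(self):
        self._tickets = []  # (received_at, lifetime, ticket bytes)

    def add(self, msg: dict, now: float) -> None:
        if msg["lifetime"] == 0:  # lifetime 0 means "do not store" (RFC 8446)
            return
        self._tickets.append((now, msg["lifetime"], msg["ticket"]))

    def take_freshest(self, now: float):
        # Prune expired tickets, then hand out the newest one and forget it.
        self._tickets = [t for t in self._tickets if now < t[0] + t[1]]
        if not self._tickets:
            return None
        self._tickets.sort(key=lambda t: t[0])
        return self._tickets.pop()[2]

def build_new_session_ticket(lifetime, age_add, nonce, ticket, exts=b"") -> bytes:
    """Constructed encoder producing a NewSessionTicket body for the demo."""
    return (struct.pack("!II", lifetime, age_add) + bytes([len(nonce)]) + nonce
            + struct.pack("!H", len(ticket)) + ticket
            + struct.pack("!H", len(exts)) + exts)
```

Because each ticket is popped on use, two consecutive resumptions present two different tickets, which is the property that removes the stable identifier the quoted text worries about.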