[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
Margaret Cullen <mrcullen42@gmail.com> Wed, 24 July 2024 20:03 UTC
From: Margaret Cullen <mrcullen42@gmail.com>
Date: Wed, 24 Jul 2024 16:03:15 -0400
Message-Id: <F7C6D142-EFBC-4920-8F4A-D1B067200E88@gmail.com>
References: <A122D999-6A09-4E16-8E91-8154F6EA1A91@deployingradius.com>
In-Reply-To: <A122D999-6A09-4E16-8E91-8154F6EA1A91@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
CC: radext@ietf.org
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/Atz3SimfipI9Gk3NZI8cui7YlkU>
> With RADIUS/TLS, both ends are authenticated, just as with EAP-TLS.
>
> This is covered in RFC 8446:
>
> https://datatracker.ietf.org/doc/html/rfc8446#appendix-C.5
>
> i.e. unauthenticated systems need channel binding.

Thank you for the pointer — I’ll look into this. Is it your understanding that mutually authenticated TLS 1.2 sessions are also sufficiently protected against MITM attacks of the “session hijacking” variety?

About to get on a plane…

Margaret