Re: [radext] RADIUS/TLS with NULL cipher suites

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 24 August 2023 18:55 UTC

Message-ID: <596f9a16-43fe-2b99-5b2f-73c16825cf20@cs.tcd.ie>
Date: Thu, 24 Aug 2023 19:55:26 +0100
To: Alan DeKok <aland@deployingradius.com>, radext@ietf.org
References: <ACDF13CC-1529-49EE-8251-7BB7AEE9DED3@deployingradius.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <ACDF13CC-1529-49EE-8251-7BB7AEE9DED3@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/BSazgD5WuxjEuqb9uP3F5_IOkoQ>
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>


On 24/08/2023 15:47, Alan DeKok wrote:
> We can't fix this specification.  But we can issue our own
> counter-specification which goes "WHAT?  WHY WOULD YOU DO THAT?"
I think it'd be good to do that, esp. if there's a good
explanation for why RADIUS/pretend-encryption is awful.

Cheers,
S.