IETF Logo Mail Archive

Re: [radext] Proposed charter text based on IETF-115 BoF

Jan-Frederik Rieckers <rieckers@dfn.de> Thu, 24 November 2022 16:24 UTC

Return-Path: <rieckers@dfn.de>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F2F6C14F728 for <radext@ietfa.amsl.com>; Thu, 24 Nov 2022 08:24:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j7IP-D5q7GyA for <radext@ietfa.amsl.com>; Thu, 24 Nov 2022 08:23:55 -0800 (PST)
Received: from c1004.mx.srv.dfn.de (c1004.mx.srv.dfn.de [194.95.239.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22851C14CE27 for <radext@ietf.org>; Thu, 24 Nov 2022 08:23:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:in-reply-to:subject:subject :organization:from:from:references:content-language:user-agent :mime-version:date:date:message-id:received; s=s1; t=1669307020; x=1671121421; bh=XCCfZERdTqQWK6feAhnVKHXnVr10VwpOFj2T9UNSmU0=; b= dLuo8XohZJfjPdhYukV7RZ8pkpO02PVe7HbutXaL/eearUBwlfh3BkTBQrTccXKk q44RanzpobmJn5hc7NLMTSgAxqkMFfDj1UvDTkRrPaHaTpp1AVNU6YJNx6DEAeRT maXz8dpb7v6IKbcrhoCcxwoFXTHd3VLL1O0n1NSKqfE=
Received: from mail.dfn.de (mail.dfn.de [194.95.245.150]) by c1004.mx.srv.dfn.de (Postfix) with ESMTPS id EA61E1200CD for <radext@ietf.org>; Thu, 24 Nov 2022 17:23:38 +0100 (CET)
Received: from [IPV6:2001:638:708:304:71d8:a4e6:755e:db61] (unknown [IPv6:2001:638:708:304:71d8:a4e6:755e:db61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.srv.dfn.de (Postfix) with ESMTPSA id 67DBD103 for <radext@ietf.org>; Thu, 24 Nov 2022 17:23:37 +0100 (CET)
Message-ID: <05f4711f-4f9f-7bb6-e04f-b3c9ebc73202@dfn.de>
Date: Thu, 24 Nov 2022 17:23:36 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0
Content-Language: en-US
To: radext@ietf.org
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com> <E82B0ECD-4580-4F35-B07B-35685CFC5C44@aiven.io> <883f3572-121f-5ed8-7378-1a91c5525f88@iea-software.com> <EAAC2507-5D29-4453-8881-BC8D9D5314D8@deployingradius.com> <CAOW+2dsKg_H9f3zRUnanCpgGO+G=VPyxzWa9hsrCJCpsnoBsxA@mail.gmail.com> <7CB701B8-BD8F-4ADC-9265-12FC7EBE8FB6@deployingradius.com> <CAOW+2dtDkN3Hvk1vmuyJYGP9KS5WaGDenwQBb7-g12e6SxvEzw@mail.gmail.com>
From: Jan-Frederik Rieckers <rieckers@dfn.de>
Autocrypt: addr=rieckers@dfn.de; keydata= xjMEYS90/RYJKwYBBAHaRw8BAQdAWXYFYTJZD1YR1SztUNqHenPGnf+gdQe/9LjiHlr2XATN J0phbi1GcmVkZXJpayBSaWVja2VycyA8cmllY2tlcnNAZGZuLmRlPsKWBBMWCAA+AhsDBQsJ CAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE/fv7DCp4WBOrb8RyDYuiXSS+ypYFAmMXdJkFCQNL 9JwACgkQDYuiXSS+ypYZhQD+IvXSlzMB632TceTFUZ66vWijHZA9TymKjM27QzxjCcQA/ilb zGnQRFxRvpqGeJCwK/9MP9CZyyUjgAPQBaZNoTcOzjgEYS90/RIKKwYBBAGXVQEFAQEHQBxo 6esD49rxn4d3su5fJJL79XjfKNy26LiFE9Gpg38+AwEIB8J+BBgWCAAmAhsMFiEE/fv7DCp4 WBOrb8RyDYuiXSS+ypYFAmMXdKIFCQNL9KUACgkQDYuiXSS+ypY8IwEA5hkI+oA2pFmD6zXj rULCT+G9o8A5xSkMZBiw6U6yKcMBAMpTki1h4qCwaQR+hvt1rNjJr4ISUtd+ErlHlPWsxIgI
Organization: DFN e.V.
In-Reply-To: <CAOW+2dtDkN3Hvk1vmuyJYGP9KS5WaGDenwQBb7-g12e6SxvEzw@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------H7N8gYni1nEkdvDsxwXheHr3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/CVG_cQNZ5GYpYHsmhqk8TpYR5qs>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 16:24:00 -0000

On 24.11.22 16:14, Bernard Aboba wrote:
> For backwards compatibility, servers probably need to support RADIUS and 
> the existing RADIUS over (D)TLS anyway.  So really we're talking about 
> an "SRADIUS" configuration flag.  If a site requires FIPS, why can't it 
> flip the SRADIUS flag and run its SRADIUS server on port 2083?  If some 
> devices can't connect to an SRADIUS-configured server, then those 
> devices don't support SRADIUS and presumably the site wants to point 
> them at another server (one without the SRADIUS flag set), and 
> eventually replace them with devices that support SRADIUS.
But without negotiation of "RADIUS or SRADIUS" we have a huge 
compatibility issue.
Of course you can do this locally if you have control over all involved 
servers, but if you don't then this is not possible without a flag day 
where everyone switches to SRADIUS or you have to configure each 
possible connection individually (which might not even be possible if 
you have federated services, because you don't have a list of all 
possible peers)

I honestly don't see the harm in finishing rfc6614bis simply as update 
to RFC6614 with the traditional RADIUS with MD5-usage inside (along with 
the static shared secret "radsec") and having a separate work item 
adding SRADIUS with a new TCP and UDP port that reference the RADIUS/TLS 
RFC6614(bis) and RADIUS/DTLS RFC7360(bis) specs for definition on how to 
use the TLS layer.

If people are worried about being FIPS compliant, they can choose to use 
SRADIUS with the new port. The implementation overhead for SRADIUS (if 
you already support RADIUS/TLS or RADIUS/DTLS) should be minimal, so 
vendors should be able to implement it quickly and admins may switch to 
SRADIUS at their discretion once their software supports it.

It is not much different than having a "please use SRADIUS" switch, but 
it keeps backwards compatibility and has a good upgrade path for people 
who want to gradually upgrade their RADIUS connections.

Cheers,

Janfred

-- 
E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education 
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
www.dfn.de

Vorstand: Prof. Dr. Odej Kao (Vorsitzender) | Dr. Rainer Bockholt | 
Christian Zens
Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729B | USt.-ID. DE 1366/23822

v2.23.0 | Report a Bug | By Email