IETF Logo Mail Archive

Re: [radext] Extended IDs

"Acee Lindem (acee)" <acee@cisco.com> Wed, 13 December 2017 13:21 UTC

Return-Path: <acee@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E762126B6D for <radext@ietfa.amsl.com>; Wed, 13 Dec 2017 05:21:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S7RjRo9klQAP for <radext@ietfa.amsl.com>; Wed, 13 Dec 2017 05:21:27 -0800 (PST)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2755124319 for <radext@ietf.org>; Wed, 13 Dec 2017 05:21:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3048; q=dns/txt; s=iport; t=1513171286; x=1514380886; h=from:to:subject:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=BJ1qF7rRGI2PpZD4qbdyXCf+vhIp+6dzZl8LAjge1iY=; b=H4E3pEiSkUkaHmwO/2qpDomDdN/lvbQ4TBhK0nZUAZPZQheJf6LHsvbX fhm0wrJI3x65eTHQhEokOBRQmFTfppPXo/oImL6xiyYMpKMkh4gpd9ms4 dzF9gSchNSHX+/7fmJo6vEQw6dCaiglnTqApVZX9Mhxsby+Wb2E4P7aTi 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DGAQB9KDFa/5NdJa1dGQEBAQEBAQEBAQEBAQcBAQEBAYM+ZnQnB4N7mSaBfZcRghUKGAuESU8CGoR5QRYBAQEBAQEBAQFrKIUkAQEBAwEBIRE6GwIBCBgCAiYCAgIlCxUQAgQBEoooEKhogieKXQEBAQEBAQEBAgEBAQEBAQEcBYEPglGCC4M/gyuDLgGBboMVgmMFox8ClSWTaJY5AhEZAYE6ASYIKoFObxU6gimEVXiJMIEVAQEB
X-IronPort-AV: E=Sophos;i="5.45,397,1508803200"; d="scan'208";a="321455345"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Dec 2017 13:21:25 +0000
Received: from XCH-RTP-012.cisco.com (xch-rtp-012.cisco.com [64.101.220.152]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id vBDDLPMD020961 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 13 Dec 2017 13:21:25 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-012.cisco.com (64.101.220.152) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 13 Dec 2017 08:21:24 -0500
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1320.000; Wed, 13 Dec 2017 08:21:24 -0500
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Stefan Winter <stefan.winter@restena.lu>, "radext@ietf.org" <radext@ietf.org>
Thread-Topic: [radext] Extended IDs
Thread-Index: AQHTaFBxQlK83f2iTECUdzRYa7wpJqMsVBUAgAFpdmCAASVyAIAAH4CAgAWDQYCADMOagIAAEIWA
Date: Wed, 13 Dec 2017 13:21:24 +0000
Message-ID: <D65692C4.E13AA%acee@cisco.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <8BD2C2F2-D42E-4B84-8F86-3A803160DD74@cisco.com> <b6ed7a87de434ea4a39f584a92e933b9@XCH-ALN-014.cisco.com> <285C5C94-578E-4293-81A2-9D73E1105ABE@deployingradius.com> <8DE62B3C-D2FA-4467-9CCE-7F8D039B87E2@cisco.com> <alpine.WNT.2.21.1.1712041849350.2252@smurf> <c75160a5-1196-bdbd-f313-108085ea0c37@restena.lu>
In-Reply-To: <c75160a5-1196-bdbd-f313-108085ea0c37@restena.lu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.152.198]
Content-Type: text/plain; charset="utf-8"
Content-ID: <462EA8928A0B8748834EFB05CCCB543B@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/CgEtWYFu5CeGkvg6U_5N9WcHoig>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 13:21:29 -0000

Stefan, 

I believe you are speaking as a contributor and not as a chair when making
technical contributions to this discussion (last two E-mails).

Thanks,
Acee 

On 12/13/17, 2:22 AM, "radext on behalf of Stefan Winter"
<radext-bounces@ietf.org on behalf of stefan.winter@restena.lu> wrote:

>Hello,
>
>again as a chair:
>
>regarding the question of whether overloading of Request-Authenticator
>should be considered harmful, I think the message from Peter below best
>summarises the deployed reality in RADIUS.
>
>Basically, it makes clear that the decision to overload
>Message-Authenticator or not is not on our table. That decision has been
>taken ages ago, by this working group, and for a good number of RADIUS
>attributes.
>
>So, for the discussion at hand, fears about overloading the
>Request-Authenticator can safely be considered a non-argument.
>
>Greetings,
>
>Stefan Winter
>
>> On Fri, 1 Dec 2017, Jakob Heitz (jheitz) wrote:
>>
>>> What if the quantum computers turn out to live up to their promises?
>>> Then we can throw out all this authentication stuff and decide to not
>>> share our Ethernets with the attackers instead. No more request
>>> authenticator.
>>
>> RADIUS security already lost cause no matter what :(
>>
>> Best practice for many years - use a secure transport and or RADIUS
>> over (D)TLS.  Regardless of selected security option in all cases
>> operation of authenticator is maintained.
>>
>>> The request authenticator is already overloaded. It may be used for
>>> the CHAP challenge. Now, you want another overload?
>>
>> Authenticator currently also used for at least following:
>>
>> Tunnel Passwords
>> Message-Authenticator
>> PAP
>> CHAP
>> MPPE Keys
>>
>> Clearly no possibility of authenticator ever changing in RADIUS
>> protocol without creation of an incompatible replacement.  In event of
>> an incompatible replacement there would be no need for either of these
>> two drafts.
>>
>> I am aware of no practical downside to "Overloading".
>>
>> regards,
>> Peter
>>
>
>_______________________________________________
>radext mailing list
>radext@ietf.org
>https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email