Re: [radext] Extended IDs
"Acee Lindem (acee)" <acee@cisco.com> Wed, 13 December 2017 13:21 UTC
Return-Path: <acee@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E762126B6D for <radext@ietfa.amsl.com>; Wed, 13 Dec 2017 05:21:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S7RjRo9klQAP for <radext@ietfa.amsl.com>; Wed, 13 Dec 2017 05:21:27 -0800 (PST)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2755124319 for <radext@ietf.org>; Wed, 13 Dec 2017 05:21:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3048; q=dns/txt; s=iport; t=1513171286; x=1514380886; h=from:to:subject:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=BJ1qF7rRGI2PpZD4qbdyXCf+vhIp+6dzZl8LAjge1iY=; b=H4E3pEiSkUkaHmwO/2qpDomDdN/lvbQ4TBhK0nZUAZPZQheJf6LHsvbX fhm0wrJI3x65eTHQhEokOBRQmFTfppPXo/oImL6xiyYMpKMkh4gpd9ms4 dzF9gSchNSHX+/7fmJo6vEQw6dCaiglnTqApVZX9Mhxsby+Wb2E4P7aTi 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DGAQB9KDFa/5NdJa1dGQEBAQEBAQEBAQEBAQcBAQEBAYM+ZnQnB4N7mSaBfZcRghUKGAuESU8CGoR5QRYBAQEBAQEBAQFrKIUkAQEBAwEBIRE6GwIBCBgCAiYCAgIlCxUQAgQBEoooEKhogieKXQEBAQEBAQEBAgEBAQEBAQEcBYEPglGCC4M/gyuDLgGBboMVgmMFox8ClSWTaJY5AhEZAYE6ASYIKoFObxU6gimEVXiJMIEVAQEB
X-IronPort-AV: E=Sophos;i="5.45,397,1508803200"; d="scan'208";a="321455345"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Dec 2017 13:21:25 +0000
Received: from XCH-RTP-012.cisco.com (xch-rtp-012.cisco.com [64.101.220.152]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id vBDDLPMD020961 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 13 Dec 2017 13:21:25 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-012.cisco.com (64.101.220.152) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 13 Dec 2017 08:21:24 -0500
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1320.000; Wed, 13 Dec 2017 08:21:24 -0500
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Stefan Winter <stefan.winter@restena.lu>, "radext@ietf.org" <radext@ietf.org>
Thread-Topic: [radext] Extended IDs
Thread-Index: AQHTaFBxQlK83f2iTECUdzRYa7wpJqMsVBUAgAFpdmCAASVyAIAAH4CAgAWDQYCADMOagIAAEIWA
Date: Wed, 13 Dec 2017 13:21:24 +0000
Message-ID: <D65692C4.E13AA%acee@cisco.com>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <8BD2C2F2-D42E-4B84-8F86-3A803160DD74@cisco.com> <b6ed7a87de434ea4a39f584a92e933b9@XCH-ALN-014.cisco.com> <285C5C94-578E-4293-81A2-9D73E1105ABE@deployingradius.com> <8DE62B3C-D2FA-4467-9CCE-7F8D039B87E2@cisco.com> <alpine.WNT.2.21.1.1712041849350.2252@smurf> <c75160a5-1196-bdbd-f313-108085ea0c37@restena.lu>
In-Reply-To: <c75160a5-1196-bdbd-f313-108085ea0c37@restena.lu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.152.198]
Content-Type: text/plain; charset="utf-8"
Content-ID: <462EA8928A0B8748834EFB05CCCB543B@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/CgEtWYFu5CeGkvg6U_5N9WcHoig>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 13:21:29 -0000
Stefan, I believe you are speaking as a contributor and not as a chair when making technical contributions to this discussion (last two E-mails). Thanks, Acee On 12/13/17, 2:22 AM, "radext on behalf of Stefan Winter" <radext-bounces@ietf.org on behalf of stefan.winter@restena.lu> wrote: >Hello, > >again as a chair: > >regarding the question of whether overloading of Request-Authenticator >should be considered harmful, I think the message from Peter below best >summarises the deployed reality in RADIUS. > >Basically, it makes clear that the decision to overload >Message-Authenticator or not is not on our table. That decision has been >taken ages ago, by this working group, and for a good number of RADIUS >attributes. > >So, for the discussion at hand, fears about overloading the >Request-Authenticator can safely be considered a non-argument. > >Greetings, > >Stefan Winter > >> On Fri, 1 Dec 2017, Jakob Heitz (jheitz) wrote: >> >>> What if the quantum computers turn out to live up to their promises? >>> Then we can throw out all this authentication stuff and decide to not >>> share our Ethernets with the attackers instead. No more request >>> authenticator. >> >> RADIUS security already lost cause no matter what :( >> >> Best practice for many years - use a secure transport and or RADIUS >> over (D)TLS. Regardless of selected security option in all cases >> operation of authenticator is maintained. >> >>> The request authenticator is already overloaded. It may be used for >>> the CHAP challenge. Now, you want another overload? >> >> Authenticator currently also used for at least following: >> >> Tunnel Passwords >> Message-Authenticator >> PAP >> CHAP >> MPPE Keys >> >> Clearly no possibility of authenticator ever changing in RADIUS >> protocol without creation of an incompatible replacement. In event of >> an incompatible replacement there would be no need for either of these >> two drafts. >> >> I am aware of no practical downside to "Overloading". >> >> regards, >> Peter >> > >_______________________________________________ >radext mailing list >radext@ietf.org >https://www.ietf.org/mailman/listinfo/radext
- [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Robert Raszuk
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Astrid Smith
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stig Venaas
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Arran Cudbard-Bell
- Re: [radext] Extended IDs peter
- Re: [radext] Extended IDs Bernard Aboba
- Re: [radext] Extended IDs Alan DeKok
- [radext] FW: Extended IDs Albert Tian
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs David Carrel
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Jun Zhuang
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alexander Clouter