Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trust models

Alexander Clouter <alex+ietf@coremem.com> Sun, 13 August 2023 22:36 UTC

Return-Path: <alex+ietf@coremem.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BA49C14F726 for <radext@ietfa.amsl.com>; Sun, 13 Aug 2023 15:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="uVq85uBZ"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="BVI5LSKM"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CC7j2VSfVBzM for <radext@ietfa.amsl.com>; Sun, 13 Aug 2023 15:36:04 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B3A4C14EB19 for <radext@ietf.org>; Sun, 13 Aug 2023 15:36:04 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 380AD5C0059 for <radext@ietf.org>; Sun, 13 Aug 2023 18:36:01 -0400 (EDT)
Received: from imap46 ([10.202.2.96]) by compute5.internal (MEProxy); Sun, 13 Aug 2023 18:36:01 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:content-transfer-encoding:content-type:content-type:date:date :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to; s=fm3; t= 1691966161; x=1692052561; bh=rWQChGsH3koK31sMkUdHQtU7SH+oWio304C FztSqsww=; b=uVq85uBZUeAcEnGJ2udXcjWxKZtzf1gWg8FzNtzz2EP8oTbhMKr 1CJF9qJANPPjBk8hKWdtx24h6NAcs10Vuerx/NrrZcVRHsp2U+tqiklaa3wjECUm 3Ew333nCdDohjoZ1ng0tET7Zah/+kWXZBqvaPkkZ0yTIggwL++3wIkOiaacegGyt /LGL+NWgXH0uzrJMSjQ1zuOHmIArkUcYEOv21RHZ8nbgPd85w3WHy3Y1F+XVeo2E d0XGaIJsz1YsnivWTU0F68ubwYL6jjICDNlf6jioX3ngkBk503J89V7urXyGYIfG P1+Yl5ejdlpDviVaUr8YClTc3AVy/AKYQCw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1691966161; x= 1692052561; bh=rWQChGsH3koK31sMkUdHQtU7SH+oWio304CFztSqsww=; b=B VI5LSKMn5RMRhQ01z4WdELJTvJhatwoRZmHuH4p47sC+ZjXjgfKN7l9jHB0tV06b WjiBkZvm8NEDcO1GwWBwPIcxdZFWmTQ7pHuNyMjt4+XUbMPi6HyDcTY2XaFhnG4U /crcQqbGxfUEyxnc8kLN1mUJCbSsehGHLli8nXzwv5ySNyom2LarDfkdKujEYW8H Zkb3gHitiwj0Ex8dw4rmL57oVDB2ZnQVTgk+95x56q0yxnm76gd/bfOdetXoK9PV JhfeH95dGNnwNjSRg6ZKEQjcgZ78N/IiIBLHS0MfvKfIiKhTg1LHciINZ2uTgGiz 1IiDzUTYKmuy0vo2o8bFg==
X-ME-Sender: <xms:0VrZZA9mVj6UTtac4OxQlWNFDqHYhmsXSloNh_QHsGpfsM0c-za7ZA> <xme:0VrZZIsKRYoo_RLzmPxMcbMg-qOQRzVsSXI7vCmVunC0-OyC6AVW6__qzxtZHfNIU 4gO50C44c1oHXgBOg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedruddtfedguddvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtgfesth hqredtreerjeenucfhrhhomhepfdetlhgvgigrnhguvghrucevlhhouhhtvghrfdcuoegr lhgvgidoihgvthhfsegtohhrvghmvghmrdgtohhmqeenucggtffrrghtthgvrhhnpefgtd evtdfhleeghfeljeffhfeutddtgfetvdeguefftedtudehtdeifedvgfejkeenucffohhm rghinhepihgvthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpe hmrghilhhfrhhomheprghlvgigodhivghtfhestghorhgvmhgvmhdrtghomh
X-ME-Proxy: <xmx:0VrZZGC3YiAWcceJeRua5f9FyUk-n-VLzQrWeqvXsgg23rxuthsCrg> <xmx:0VrZZAfAKwypjos-HauXxP6aiTuswy3kb3MKkwkijQGe5UR56uaCdA> <xmx:0VrZZFPR3tGQIOweiVkT4-DhgKzFKuoRSVRW7KpAgmfN_srA18UBAQ> <xmx:0VrZZLbjAVBfySDgQoCBBgkGezQWrTyFZwuvFXSEprQBtDJXoFnipg>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id E8C0D2A2008B; Sun, 13 Aug 2023 18:36:00 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-624-g7714e4406d-fm-20230801.001-g7714e440
Mime-Version: 1.0
Message-Id: <08757003-146e-446e-88b5-7a97ae217f71@app.fastmail.com>
In-Reply-To: <CD310A93-BAEA-47AF-B0F4-F72F59E12E11@gmail.com>
References: <368D0314-E535-4176-A844-1FA378A4A1AA@deployingradius.com> <CD310A93-BAEA-47AF-B0F4-F72F59E12E11@gmail.com>
Date: Sun, 13 Aug 2023 23:35:40 +0100
From: Alexander Clouter <alex+ietf@coremem.com>
To: radext@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/EOEMiJCVwwaDby0XLVbCSTzF20c>
Subject: Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trust models
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Aug 2023 22:36:11 -0000

On Sun, 13 Aug 2023, at 18:38, Margaret Cullen wrote:
>> DTLS is a lot more difficult.  I blame some of that on OpenSSL weirdness.  Their DTLS implementation has best been described as "alpha" for a long time.
>
> This is the reason for my concern with mandating that servers implement DTLS.  

OpenSSL is not the only TLS library out there. I would be hesitant steering any decisions based on a single (albeit more widely used) library implementation.

The telephony world though seems to be quite happy using DTLS, after all no one wants to endure voice/video calls over the WAN via TCP.

> I think RADIUS/DTLS is an awful lot to expect, though — especially 
> because I don’t see any evidence that RADIUS/DTLS will ever be widely 
> implemented or used.  Do you?

Personally I really think this is more due to people not knowing TLS-over-UDP is even a thing.

Maybe I am seeing this too simplistically, but the impact of any mandating done here only affects (officially) the labelling available to a vendor?

 * implementors of TLS *and* DTLS: you get to tout 'RFCwxyz compliance'
 * implementors of only TLS: "you do not get this scout badge, sorry"

> Many protocols that run over TLS don’t have a DTLS equivalent defined, 
> at all.  Is there some important advantage that RADIUS/DTLS offers that 
> RADIUS/TLS does not?  Is that advantage sufficient to warrant mandating 
> both in every server implementation?

Head of Line blocking. When a packet is lost, the RADIUS server is unable to do anything but twiddle its fingers until the networking stacks, outside of its control, at both ends figure it out.

This means first the packet drop has to be detected, this can take some time anywhere from one to 1000's of milliseconds (~2xRTT), then retransmitted by the TCP layer until it gets through.

The RADIUS server meanwhile is unable to get involved in the retransmissions its-self.

Making it worse, *all* further authentications are gummed up until the stream starts to flow again.

With datagrams, this simply is not a problem. Recovery is much more application orientated, plus it bubbles up to the application so failover opportunities are made available far sooner.

>>  There's good reason for that, of course.  But I think it's best to document the system we need, rather than the system we have.
>
> I absolutely agree with this when it comes to documenting good protocol 
> behavior, ways to avoid known issues, etc.  I don’t think it extends to 
> mandating the implementation of an entirely separate protocol.

I think the wording makes this seem a bigger deal than it is.

Transport, not protocol.

Trying here to shift the focus that this is about something RADIUS runs *over* and not something that actually has to be implemented by anyone; the TLS libraries do all the work for you.

It may be that an implementor has picked a library that is a pain on the DTLS front to work with, but I do not think this should be a reason to strike "MUST do DTLS".

Afterall, the hard part of the work is already done. RADIUS servers are already expected to have implemented a datagram transport (ie. UDP) and handle retransmissions.

Wiring TLS into that is a lot more straight forward than the hoops an implementator already goes through to handle any of the EAP-TLS method families such as fragments and the need to spoon feed the TLS library *manually*, yikes!

No TLS library supports TLS over EAP, but it still works :)

>> The alternative is to never fix RADIUS, or to give bad implementations a free pass.
>
> Is there a reason that you think a RADIUS/TLS-only server would be a 
> bad implementation, and that it would  become a good implementation if 
> it also implemented RADIUS/DTLS?

The fallout I see is we will never see any DTLS implementations, and the for the most part this would have occurred for no real material reason.

Like Alan said, OSS implementations are able to clear these hurdles without making much of a song or dance about it which leaves the only benefactors of weakening this requirement to those with arguably the resources where implementing this likely to be just a budget rounding error.

I also suspect requiring DTLS will benefit those Internet cafe hotspot owners with their ropey saturated xDSL uplinks trying to authenticate the users to some hodgepodge WAN hosted RADIUS server federation.

For all of these reasons, I really do think servers should be expected to do both. My view is the client can implement whatever it wants...they already do for better or worse...

Cheers

[1] https://mailarchive.ietf.org/arch/msg/radext/5HB6BTgxA_LqgWDdSIE30u_Ckg8/