[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS

Valery Smyslov <smyslov.ietf@gmail.com> Mon, 29 July 2024 07:01 UTC

From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Margaret Cullen' <mrcullen42@gmail.com>, 'Bernard Aboba' <bernard.aboba@gmail.com>
References: <CAOW+2dv7ZXMtoEDunM+x7PgT32-KuXt+1kPeB5giGzewFvotng@mail.gmail.com> <FEFA81DA-BE18-4B29-B214-2D05E6DFD933@gmail.com>
In-Reply-To: <FEFA81DA-BE18-4B29-B214-2D05E6DFD933@gmail.com>
Date: Mon, 29 Jul 2024 10:01:28 +0300
Message-ID: <020001dae185$22f3bd70$68db3850$@gmail.com>
CC: 'Fabian Mauchle' <fabian.mauchle=40switch.ch@dmarc.ietf.org>, radext@ietf.org
Subject: [radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/FKMvB0zt8TElWtjiet5OUyG1Llc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>

Hi,

> > On Jul 26, 2024, at 4:44 PM, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> >
> > [BA] Does the WG really need to take a position on whether (D)TLS 1.2 provides adequate protection (currently or in the future)?
> 
> I would say that we _do_ need to take a position on whether TLS 1.2 provides sufficient security for RADIUS, whether we say this in the RADIUS/(D)TLS security considerations or not.

I think we can rely on RFC 9325 here.

It says (3.1.1):

      ... when the recommendations in this
      document are followed to mitigate known attacks, the use of TLS
      1.2 is as safe as the use of TLS 1.3.

Regards,
Valery.

> If running RADIUS over (D)TLS (in all four variants) does not provide sufficient security, we should add security (or fix security) at the RADIUS layer to make the security sufficient.
> 
> Margaret
> 
> 
> _______________________________________________
> radext mailing list -- radext@ietf.org
> To unsubscribe send an email to radext-leave@ietf.org