Re: [radext] CUI comments in "deprecating insecure transports"
josh.howlett@gmail.com Wed, 26 July 2023 12:58 UTC
From: josh.howlett@gmail.com
To: 'Alan DeKok' <aland@deployingradius.com>, radext@ietf.org
Date: Wed, 26 Jul 2023 13:58:29 +0100
In-Reply-To: <BC530A34-D348-44D0-886E-DB1ECF3A5010@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/GIRxgCjqEm4jTsRFgvGwvDFRZtA>
There are good reasons for the CUI value to be persistent, provided that it is targeted to each network access provider. In this way, different providers cannot collude to track users. However, they still maintain the ability to *recognise* (but not identify) the same user that they saw previously. There are legitimate reasons to track and, if necessary, identify users, including troubleshooting and prevention of service abuse.

Josh

> -----Original Message-----
> From: radext <radext-bounces@ietf.org> On Behalf Of Alan DeKok
> Sent: Tuesday, July 25, 2023 1:32 AM
> To: radext@ietf.org
> Subject: [radext] CUI comments in "deprecating insecure transports"
>
> I've been adding text to the "deprecating insecure transports" document based on feedback from Margaret. In addition to deprecating UDP/TCP in certain situations, the document should also discuss best practices for securing RADIUS, and minimizing personally identifying information.
>
> To that end, in Madinas today Warren Kumari gave a presentation on testing OpenRoaming. One of the outcomes was that the identity provider returned a CUI. However, that CUI was unchanged over multiple sessions, and over long periods of time.
>
> The CUI RFC (4372) implies that the CUI should change regularly:
>
> When the home network assigns a value to the CUI, it asserts that this value represents a user in the home network. The assertion should be temporary -- long enough to be useful for the external applications and not too long such that it can be used to identify the user.
>
> And
>
> The binding lifetime of the reference to the user is determined based on business agreements. For example, the lifetime can be set to one billing period.
>
> However, this text allows the CUI to remain unchanged based on "business agreements".
>
> It is perhaps useful to update this document to suggest more strongly that the CUI change on every session. This could be done as part of a "best practices" section for increasing RADIUS security.
>
> Alan DeKok.
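An added illustration of the two CUI policies discussed in this thread (Josh's per-provider persistent value versus Alan's per-session value), written for this page and not taken from RFC 4372 or any RADIUS implementation. The HMAC derivation, the master key, the user name and the provider identifier are all constructed assumptions; the point is the property Josh describes: a home network can hand each access provider a value it can recognise across sessions, while two providers cannot link their values to the same user.

```python
import hashlib
import hmac
import secrets

# Constructed example: how a home network (identity provider) could derive a
# Chargeable-User-Identity that is stable for one access provider within a
# binding period (RFC 4372's "business agreement" lifetime), yet unlinkable
# across providers. The HMAC construction is an assumption for illustration.


def period_key(master_key: bytes, period: str) -> bytes:
    """Derive a per-period key so every CUI rotates when the period ends."""
    return hmac.new(master_key, b"cui-period:" + period.encode(), hashlib.sha256).digest()


def targeted_cui(master_key: bytes, user: str, provider: str, period: str) -> str:
    """CUI bound to (user, provider, period).

    Same user + same provider + same period -> same CUI (provider can recognise
    a returning user). Different provider -> unrelated CUI (no collusion link).
    'provider' would normally come from the access network's own identifier;
    here it is just a constructed string.
    """
    k = period_key(master_key, period)
    msg = user.encode() + b"\x00" + provider.encode()
    # CUI is an opaque string; 16 bytes (32 hex chars) keeps the attribute short.
    return hmac.new(k, msg, hashlib.sha256).hexdigest()[:32]


def per_session_cui() -> str:
    """The alternative policy raised in the thread: a fresh value every session."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    master = b"constructed-master-key-not-a-real-secret"
    user = "alice@home.example"
    a1 = targeted_cui(master, user, "provider-a.example", "2023-07")
    a2 = targeted_cui(master, user, "provider-a.example", "2023-07")
    b1 = targeted_cui(master, user, "provider-b.example", "2023-07")
    a_next = targeted_cui(master, user, "provider-a.example", "2023-08")
    print("provider A sees same CUI again:", a1 == a2)
    print("provider B sees an unrelated CUI:", a1 != b1)
    print("provider A's CUI rotates next period:", a1 != a_next)
    print("per-session CUIs differ:", per_session_cui() != per_session_cui())
```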