Re: [radext] Server identity and RFC7585bis
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 11 April 2024 13:36 UTC
To: Jan-Frederik Rieckers <rieckers@dfn.de>, radext@ietf.org
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/HM0NgDYUYDrecfLdTAMw8Kf7heQ>
Hiya,

On 11/04/2024 13:21, Jan-Frederik Rieckers wrote:
>
> I shortly had it in mind when I started writing the text, but good to
> raise it explicitly.

Ah good. I suspect just verifying that there's no impact will be
enough, but anyway...

>
> I don't think that it would really affect deployments.
>
> As far as I understand ECH, one use case that can be achieved by ECH is
> that a load balancer decrypts the Client Hello and then makes a
> forwarding/routing decision based on the data in the "plaintext" Client
> hello, and forwards the Client Hello and any subsequent traffic to the
> final endpoint.

That's possible yes. That's ECH "split-mode" which so far seems less
likely to be deployed so much for the web, but could I guess be more
useful here, e.g. maybe as part of something like eduroam or similar?
Again though, I've not thought it through, but be good if someone did
that.

> So if an SNI is part of the ECH and we are routing the TLS traffic to
> different RADIUS servers in the backend, it should not be a problem that
> the endpoint that makes the routing decision is also the ECH-Endpoint.
> I can't really picture a scenario where the routing decision based on
> SNI is made by an untrusted party.

Fair enough. Might be no harm somewhere though to note in the spec that
ECH exists and might end up being used, and so it'd therefore be fragile
for intermediaries to depend on the visible (possibly "outer") SNI in
the ClientHello mapping to the eventual TLS server identity. I'd say a
note like that is probably sufficient.

Cheers,
S.