IETF Logo Mail Archive

Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04

Alan DeKok <aland@deployingradius.com> Sat, 06 April 2013 13:38 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63EAC21F8A4F for <radext@ietfa.amsl.com>; Sat, 6 Apr 2013 06:38:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hZ082C3QVoax for <radext@ietfa.amsl.com>; Sat, 6 Apr 2013 06:38:44 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 25DB421F89B2 for <radext@ietf.org>; Sat, 6 Apr 2013 06:38:44 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 1149F2240D85; Sat, 6 Apr 2013 15:38:38 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qDy2GA67NAd4; Sat, 6 Apr 2013 15:38:37 +0200 (CEST)
Received: from Thor-2.local (bas1-ottawa11-1176224750.dsl.bell.ca [70.27.195.238]) by power.freeradius.org (Postfix) with ESMTPSA id 175222240777; Sat, 6 Apr 2013 15:38:36 +0200 (CEST)
Message-ID: <5160255B.40409@deployingradius.com>
Date: Sat, 06 Apr 2013 09:38:35 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Peter Deacon <peterd@iea-software.com>
References: <1A5FDF7C-9E93-447E-A103-9700349CB2F5@gmail.com> <alpine.WNT.2.00.1304021450180.3988@SMURF> <515C3604.3040406@deployingradius.com> <alpine.WNT.2.00.1304042021411.3988@SMURF> <tslli8xnoms.fsf@mit.edu> <515ED047.3040200@deployingradius.com> <alpine.WNT.2.00.1304051020120.3988@SMURF>
In-Reply-To: <alpine.WNT.2.00.1304051020120.3988@SMURF>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Sam Hartman <hartmans@painless-security.com>, radext-chairs@tools.ietf.org, radext@ietf.org
Subject: Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2013 13:38:45 -0000

Peter Deacon wrote:
>> clients be known by source IP address.  RADIUS/DTLS servers MUST treat
>> packets from unknown IP addresses as being DTLS.  This requirement
>> does not mean that the server is required to accept these packets.  It
>> means that if the server chooses to accept them, they are to be
>> treated as being DTLS.
> 
> I don't think this will work for us.  This is data that people use to
> flag/report possible new clients they should have known about, existing
> clients with changed addresses and plain old configuration errors.

  I don't see how that relates to what I said.  The text doesn't
*prevent* you from flagging IP addresses, or warning an admin about
packets from those IPs.

> It can be a configuration option, done conditionally within the context
> protocol disambiguation or even a recommendation but not something
> unconditionally required.

  This is how RADIUS works today.  Clients are keyed by known IP.
Changing that is not an option for RADIUS/UDP.

> Suggest reversing this.  Have the client maintain the flag.  If DTLS
> handshake has succeeded then client uses DTLS from then on for any
> inquiries without the option of automatically falling back to UDP.

  The draft already discusses a flag for the client.

> Servers would still maintain flag but it would only be a manually turned
> knob to indicate security level it is willing to accept.

  The draft allows it to me administratively configured.

> The more I think about it the more I agree with Joe's points on separate
> UDP ports.

  It is definitely simpler.

  Alan DeKok.

v2.39.1 | Report a Bug | By Email | System Status