Re: [radext] New Draft for RADIUS Attribute Security

Bernard Aboba <bernard.aboba@gmail.com> Sat, 18 February 2017 15:47 UTC

From: Bernard Aboba <bernard.aboba@gmail.com>
In-Reply-To: <D644C325-05CD-47B5-B0A0-D55BC6DEB8B7@deployingradius.com>
Date: Sat, 18 Feb 2017 07:47:49 -0800
Message-Id: <D1C3BBAE-044C-42CD-80C7-4E6E932CE3D1@gmail.com>
References: <D5A6F3355F664C40AFB65BB1277D8D45044ECDD0F5@MAAX7MCDC101.APAC.DELL.COM> <D644C325-05CD-47B5-B0A0-D55BC6DEB8B7@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/IkDBA6tUtYUSCvge2VQfx7E4UWI>
Cc: Aravind.Sridharan@dell.com, Sanal.Kumar.Sivarama@dell.com, radext@ietf.org
Subject: Re: [radext] New Draft for RADIUS Attribute Security

+1. 

Using standards-based transport security via (D)TLS is better than continuing with RADIUS application security. It automatically benefits from new (D)TLS versions. It can use any credential (D)TLS supports. And (D)TLS is already present on most devices.

> On Feb 18, 2017, at 5:22 AM, Alan DeKok <aland@deployingradius.com> wrote:
> 
>> On Feb 17, 2017, at 7:41 AM, <Aravind.Sridharan@dell.com> <Aravind.Sridharan@dell.com> wrote:
>> We have proposed a new draft for RADIUS Attribute Security.
> 
>  My $0.02: use TLS with a pre-shared key.  While this requires a TLS implementation on the client, the administration overhead is exactly the same as for traditional RADIUS shared secrets.
> 
>  And TLS isn't much of an overhead any more.  While OpenSSL is huge, there are many other small / embedded SSL libraries.  Any modern RADIUS client should be able to handle TLS without much difficulty.
> 
>  Alan DeKok.
> 
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext