[radext] draft-ietf-radext-radiusdtls-bis-02.txt

"ethan.thompson@networkradius.com" <ethompson@networkradius.com> Wed, 24 July 2024 16:49 UTC

After reading the most recent draft, I have the following comments/edits:

(Section 4.2.1) “... the configured IP address is matched against the presented addresses in the subjectAltName:iPAddr extension; if no such exist, …”
I think “if no such addresses exist” or “if no such extension is present” would flow better.

(Section 4.5.1) “In both situation, the proxy is left with a difficult choice about what to do with the incoming packets.”
“situation” should be “situations” plural.

(Section 4.5.1) “… which originate Accounting-Request packets (i.e. not proxies) do not include Acct-elay-Time in those packets.”
“Acct-elay-Time” I believe should be “Acct-Delay-Time”.

(Section 7.4) “Any non-RADIUS traffic on that session means the other party is misbehaving and is a potentially security risk.”
“is a potentially” should be changed to “is a potential security risk” or “is potentially a security risk”.

(Section 7.4) “Similarly, any RADIUS traffic failing authentication vector or Message-Authenticator validation means that two parties do not have a common shared secret. Since the shared secret is static, this again means the other party is misbehaving.”
The other party may also just be misconfigured.

(Section 8.2) “As with the supported transports, the assumption is that RADIUS servers are generally believed to be less constrained that RADIUS clients.”
This sentence should read “… less constrained than RADIUS clients”.

(Section 8.2) “Since some client implementations already support using certificates for mutual authentication and there are several use cases, where Pre-shared keys are not usable …”
This sentence should be “… where pre-shared keys …” (lowercase “p”).

(Appendix A.1) “Lifetime: PKIX certificates have an expiry date, and need administrator attention and expertise for their renewal”
But isn’t that exactly what the ACME protocol (RFC 8555) solved? Though I admit, perhaps this is not the place to discuss this.

Ethan Thompson