IETF Logo Mail Archive

Re: [radext] Proposed charter text based on IETF-115 BoF

Matthew Newton <matthew-ietf@newtoncomputing.co.uk> Thu, 24 November 2022 16:51 UTC

Return-Path: <matthew-ietf@newtoncomputing.co.uk>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DBF9C14F728 for <radext@ietfa.amsl.com>; Thu, 24 Nov 2022 08:51:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=newtoncomputing.co.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rpDntd6mfL1k for <radext@ietfa.amsl.com>; Thu, 24 Nov 2022 08:51:45 -0800 (PST)
Received: from mail.newtoncomputing.co.uk (mail.newtoncomputing.co.uk [IPv6:2001:8b0:b2:1::140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91744C14CEEB for <radext@ietf.org>; Thu, 24 Nov 2022 08:51:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=newtoncomputing.co.uk; s=feb2010; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:From:References:To:Subject:MIME-Version:Date:Message-ID:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=FfPpY1W9H1hZn7EMNrQUx8I7UZxgElNTLHepXRYImZ8=; b=zLt81tf615u4gAufC4luEKbqMq IbZOa8QWzoh80+0NLuZteG2m0ZLZq8zQoKeWLDqkfBSgvy0Z+VmzqJJafWm0dXa8IIhMBsUJjMaC6 rQhItQ7FI75XIb/RC146wisfY2rWTKQ5hy/5IYouEKx3gU+MeBX84zaX1z8oPyNMyYl0=;
Received: from [2001:8b0:b2:1:e884:d1b7:7807:a9b8] by mail.newtoncomputing.co.uk with esmtpsa (Exim 4.92 #3 (Debian)) id 1oyFRc-0006c5-Kq for <radext@ietf.org>; Thu, 24 Nov 2022 16:51:24 +0000
Message-ID: <9e24bb0f-b12b-8235-3e88-65d4c59f205c@newtoncomputing.co.uk>
Date: Thu, 24 Nov 2022 16:51:22 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: en-GB
To: radext@ietf.org
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com> <E82B0ECD-4580-4F35-B07B-35685CFC5C44@aiven.io> <883f3572-121f-5ed8-7378-1a91c5525f88@iea-software.com> <EAAC2507-5D29-4453-8881-BC8D9D5314D8@deployingradius.com> <CAOW+2dsKg_H9f3zRUnanCpgGO+G=VPyxzWa9hsrCJCpsnoBsxA@mail.gmail.com> <7CB701B8-BD8F-4ADC-9265-12FC7EBE8FB6@deployingradius.com> <CAOW+2dtDkN3Hvk1vmuyJYGP9KS5WaGDenwQBb7-g12e6SxvEzw@mail.gmail.com> <05f4711f-4f9f-7bb6-e04f-b3c9ebc73202@dfn.de>
From: Matthew Newton <matthew-ietf@newtoncomputing.co.uk>
In-Reply-To: <05f4711f-4f9f-7bb6-e04f-b3c9ebc73202@dfn.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-NC-Fw-Sig: d28eb7783fcaa8a96965cdcb17b1e1fe matthew-ietf@newtoncomputing.co.uk
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/MyiVlk8bSq41MXzB4iOg9UJ_Dvg>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 16:51:49 -0000

On 24/11/2022 16:23, Jan-Frederik Rieckers wrote:
> On 24.11.22 16:14, Bernard Aboba wrote:
>> For backwards compatibility, servers probably need to support RADIUS 
>> and the existing RADIUS over (D)TLS anyway.  So really we're talking 
>> about an "SRADIUS" configuration flag.  If a site requires FIPS, why 
>> can't it flip the SRADIUS flag and run its SRADIUS server on port 
>> 2083?  If some devices can't connect to an SRADIUS-configured server, 
>> then those devices don't support SRADIUS and presumably the site wants 
>> to point them at another server (one without the SRADIUS flag set), 
>> and eventually replace them with devices that support SRADIUS.

> But without negotiation of "RADIUS or SRADIUS" we have a huge 
> compatibility issue.

> Of course you can do this locally if you have control over all involved 
> servers, but if you don't then this is not possible without a flag day 

I'm not sure why you would need a flag day? Or a configuration flag.

There is no need to update all servers at once, just each hop. The 
"upstream" server can be configured to listen on the new SRADIUS port as 
well as e.g. 1812/udp. Then the "downstream" servers can in time be 
configured to connect over SRADIUS instead of UDP. Once nothing is using 
1812/udp, the "upstream" server is reconfigured to stop listening on it.

Over that particular hop no message authenticator / shared secret / MD5 
is used, and there is a wider range of possible message IDs available. 
Over the other hops, the RADIUS packet is encoded as before.

> If people are worried about being FIPS compliant, they can choose to use 
> SRADIUS with the new port. The implementation overhead for SRADIUS (if 
> you already support RADIUS/TLS or RADIUS/DTLS) should be minimal, so 
> vendors should be able to implement it quickly and admins may switch to 
> SRADIUS at their discretion once their software supports it.

Sure. But no need for any flag day for e.g. an entire federation to 
switch over. And, with a new port, no need for any protocol level 
negotiation - this keeps things much simpler. Each hop-by-hop connection 
can be upgraded separately as required.

-- 
Matthew

v2.23.0 | Report a Bug | By Email