Re: [radext] Proposed charter text based on IETF-115 BoF

Paul Wouters <paul.wouters@aiven.io> Tue, 22 November 2022 13:43 UTC

From: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 22 Nov 2022 08:43:08 -0500
Message-Id: <E82B0ECD-4580-4F35-B07B-35685CFC5C44@aiven.io>
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com>
Cc: Bernard Aboba <bernard.aboba@gmail.com>, radext@ietf.org
In-Reply-To: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/N2lNY_gJZKQF0ILif6rBgHZ6_zw>

On Nov 22, 2022, at 06:36, Alan DeKok <aland@deployingradius.com> wrote:
> 
> 
>  Avoiding MD5 at the TLS layer won't help.  MD5 is baked into RADIUS.  The Request Authenticator, Reply Authenticator, and Message-Authenticator require the use of MD5.
> 
>  In order for RADIUS to work in a FIPS 140 environment, the RADIUS protocol has to be purged of dependencies on MD5.

Indeed, there is a special exemption for RADIUS when I was involved with FIPS certifications at Red Hat because there is no way to do RADIUS without MD5. Fixing this is one of the main reasons for doing the RADIUS work. This is not about transport security, which can be configured to be FIPS compliant.

Paul
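To make concrete what "MD5 is baked into RADIUS" means, the following added example (not code from this thread or from any RADIUS implementation) builds an Access-Accept and verifies it the way a client would, following RFC 2865 (Response Authenticator, plain MD5) and RFC 2869 (Message-Authenticator, HMAC-MD5). The shared secret, identifier, Request Authenticator and attributes are constructed values.

```python
import hashlib, hmac, struct

# Constructed sample values for this example (not from the original thread).
SECRET = b"example-shared-secret"
ACCESS_ACCEPT, MA_TYPE = 2, 80  # packet code; Message-Authenticator attribute type

def build_packet(code, identifier, authenticator, attrs):
    # RFC 2865 layout: Code, Identifier, Length, 16-byte Authenticator, attributes.
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, identifier, request_auth, attrs, secret):
    # RFC 2865 s3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret); MD5 is the wire format.
    return hashlib.md5(build_packet(code, identifier, request_auth, attrs) + secret).digest()

def find_ma_offset(attrs):
    # Walk the TLV list; return the offset of Message-Authenticator or None.
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            return None  # malformed length: stop rather than loop forever
        if atype == MA_TYPE and alen == 18:
            return pos
        pos += alen
    return None

def message_authenticator(code, identifier, authenticator, attrs, ma_offset, secret):
    # RFC 2869 s5.14: HMAC-MD5 over the packet with the 16 MA value bytes zeroed;
    # for Access-Accept the Authenticator field is the Request Authenticator.
    zeroed = attrs[:ma_offset + 2] + bytes(16) + attrs[ma_offset + 18:]
    return hmac.new(secret, build_packet(code, identifier, authenticator, zeroed), hashlib.md5).digest()

def build_access_accept(identifier, request_auth, attrs, secret):
    # Append Message-Authenticator, then seal the packet with the Response Authenticator.
    ma_offset = len(attrs)
    attrs += bytes([MA_TYPE, 18]) + bytes(16)
    ma = message_authenticator(ACCESS_ACCEPT, identifier, request_auth, attrs, ma_offset, secret)
    attrs = attrs[:ma_offset + 2] + ma
    resp_auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, identifier, resp_auth, attrs)

def verify_access_accept(packet, request_auth, secret):
    # Client-side checks on an Access-Accept; returns (response_auth_ok, message_auth_ok).
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    resp_ok = hmac.compare_digest(
        resp_auth, response_authenticator(code, identifier, request_auth, attrs, secret))
    ma_offset = find_ma_offset(attrs)
    ma_ok = ma_offset is not None and hmac.compare_digest(
        attrs[ma_offset + 2:ma_offset + 18],
        message_authenticator(code, identifier, request_auth, attrs, ma_offset, secret))
    return resp_ok, ma_ok
```

Neither check can be performed without an MD5 implementation, regardless of whether the packet travels over a FIPS-approved TLS transport.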