[radext] draft-ietf-radext-radiusdtls-bis-02.txt TLS vs DTLS
Fabian Mauchle <fabian.mauchle@switch.ch> Mon, 22 July 2024 15:43 UTC
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/Nre6NJBQLvSg27dg1kjgrB8OI_g>
Upon another review of radiusdtls-bis: There are a few paragraphs in sections 5 and 6 (addressing specific TLS and DTLS aspects) which I think should actually apply to both (and thus be moved to section 4?).

# idle timeout and session timeout and connection limit

Section 5.3 (TLS) defines that implementations SHOULD have configurable limits, but specifies no further details.
Section 6.4.1.1 (DTLS client) defines idle timeout and session limit (currently omitting the details from RFC7360).
Section 6.4.2 (DTLS server) defines session timeout.

RFC7360 originally defined idle timeout (on the server) between 60 and 600 seconds, also referencing the client's watchdog timeout (without any means of knowing it). For clients, it defined an abstract 'three watchdog timeouts'.

My proposal would be to unify idle/session timeouts and connection limit for all cases (client and server), make them a SHOULD requirement, make them configurable and recommend some reasonable values. Maybe also hint why too short timeouts are not useful.

# response cache

Section 5.1 (TLS) specifies that "If a TLS session or the underlying TCP connection is closed or broken, any cached RADIUS response packets [...] associated with that connection MUST be discarded. [...]"

Since DTLS also uses TLS sessions, the same logic should apply too, when either receiving a TLS close notify, or sending one based on timeouts or notification from the underlying transport that the connection is no longer usable.

# session resumption

Sections 6.4.1.1 and 6.4.2 (DTLS) define client and server SHOULD implement session resumption. TLS has currently no requirement regarding resumption in the draft. I-D.ietf-radext-tls-psk (which is mandatory for servers) also has it as a SHOULD requirement.

So again this should be unified and maybe also include some of the provisions of I-D.ietf-radext-tls-psk about storing and re-verifying the client's identity.
I will try to come up with some proposals (Github PR) in the coming days (before the WG meeting).

--
Fabian Mauchle
Network
NOC: +41 44 268 15 30
Direct: +41 44 268 15 39
Switch
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland