IETF Logo Mail Archive

Re: [radext] Fwd: New Version Notification for draft-dekok-radext-radiusv11-03.txt

Alexander Clouter <alex+ietf@coremem.com> Thu, 06 April 2023 07:08 UTC

Return-Path: <alex+ietf@coremem.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5B33C13AE24 for <radext@ietfa.amsl.com>; Thu, 6 Apr 2023 00:08:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level:
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="Ih57vBnG"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="LycmeUE6"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kvjyznR0coKi for <radext@ietfa.amsl.com>; Thu, 6 Apr 2023 00:08:36 -0700 (PDT)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF5B1C13AE28 for <radext@ietf.org>; Thu, 6 Apr 2023 00:08:36 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 4B9CA3200954 for <radext@ietf.org>; Thu, 6 Apr 2023 03:08:34 -0400 (EDT)
Received: from imap46 ([10.202.2.96]) by compute5.internal (MEProxy); Thu, 06 Apr 2023 03:08:34 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm1; t=1680764913; x=1680851313; bh=/1 R/6yeayUNbaSssk4voQ9deUQXFxzqG/JvaEroqYt8=; b=Ih57vBnG5uPgMy3TMJ UGyrghtiTvfjpWGdirrAmbV4hjveqi9UUukUhYyS0suBPjMTH9aCPL3hpQ2oJNuO /vNhZrMF5S1vpjj3tmTaNth3WdL3TiFBb/e0K7/+Ez+9EptVLSP2xuDNQyVnDNWq zm/6MSQrb/EF/zfo99pScGCh7uEIEoF64lHGd/fFSBlfThDXEnEElXaVkXyJFsL6 /2EkWTPnm/KoexEZ5u4yenWYwvk1/797Go4tx91TuBAcZeWmqLg1VAIvicDowFGm f9EIZBXR5Q1svWpidLsrBbDc7n4kGIktq5i+CsEuo9/wzPdObL8WGeOIv4E42iT3 2XWQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; t=1680764913; x=1680851313; bh=/1R/6yeayUNba Sssk4voQ9deUQXFxzqG/JvaEroqYt8=; b=LycmeUE6Bd9Lq4fQ42vphqEghPVwy 3026+tMhefjBwXwu5OcYnUyvC1ZgAq2KWjsQqPfn/ObY8qhXJkvA2vBp371C8xOM OCD1qVri/AazCKlBw3zUBhhf1K2OlGh2V9BxwKROI0ikdwBGMTECwXhjQWUJDMSE vC10cC86TH2gbGmJqNN/3fHu9MFADejxW0rOHniZw+RP0OspEVabia/bIG0Qf1nI T+aWnZGPLA6IxZuPHOD1A0/ee3KeCqFzN6dYHzcQcWXIQ6mwrK9XDqzYYHfrKr0i ECpG9kkX79Wa5YCgTyFrBQUhZ9xM9iDEnn5baXdxgKiLJmVEi0tq0mkdQ==
X-ME-Sender: <xms:8W8uZFx-8JSvXfH9HUbYLi3lI4OM-tLch-G-RPKQiGB1bYUjEbIoMw> <xme:8W8uZFSRsgh9_i1QHiN6a39VHAWOYhid5tBneixWtwWSsWOnwpX5EkgITgTl3vMwV z2tGj-Ze2MEJhq-qA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvdejvddguddukecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesth dtredtreertdenucfhrhhomhepfdetlhgvgigrnhguvghrucevlhhouhhtvghrfdcuoegr lhgvgidoihgvthhfsegtohhrvghmvghmrdgtohhmqeenucggtffrrghtthgvrhhnpedtje evheeljefhhfekgeeuhfdvuddvveekfeetuddvkeeikeeiffehvdehtddtfeenucffohhm rghinhepihgvthhfrdhorhhgpdhrfhgtqdgvughithhorhdrohhrghenucevlhhushhtvg hrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegrlhgvgidoihgvthhfsegt ohhrvghmvghmrdgtohhm
X-ME-Proxy: <xmx:8W8uZPWwaet_DD7gxe0pSisNgSvZLBLwMqNtZ7rS2QVQgaNVVuoAXQ> <xmx:8W8uZHjiuw2cUeoh2QWpAIYSyITcbUJ90tOKnnB3jrJsl4KqKMALSQ> <xmx:8W8uZHABW7mTIJ4hjVmS_t-KhvErHhD60-eJU7jNFAJ1p9QQmDG_XA> <xmx:8W8uZKPYF4X7XU1HJAUhTurkjG9DpmTV2IBSX6-UzWJtXVXbp90sNQ>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id A36502A20095; Thu, 6 Apr 2023 03:08:33 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-334-g8c072af647-fm-20230330.001-g8c072af6
Mime-Version: 1.0
Message-Id: <afb09cd8-159e-4887-b1dc-8adb4bf9de89@app.fastmail.com>
In-Reply-To: <BD160E3B-2CA6-4136-A20D-4B7413DC4063@deployingradius.com>
References: <168053561695.20621.9602480367785696173@ietfa.amsl.com> <BD160E3B-2CA6-4136-A20D-4B7413DC4063@deployingradius.com>
Date: Thu, 06 Apr 2023 08:08:13 +0100
From: Alexander Clouter <alex+ietf@coremem.com>
To: radext@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/OyCG8sGxxS3OTjXEJw6P2xz4svU>
Subject: Re: [radext] Fwd: New Version Notification for draft-dekok-radext-radiusv11-03.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2023 07:08:41 -0000

On Mon, 3 Apr 2023, at 16:35, Alan DeKok wrote:
>   I've updated the document based on feedback from the meeting last week.
> 
>   At this point, I think the content is pretty close to being done
> 
>> Name: draft-dekok-radext-radiusv11
>> Revision: 03
>> Title: RADIUS Version 1.1
>> Document date: 2023-04-03
>> Group: Individual Submission
>> Pages: 21
>> URL:            https://www.ietf.org/archive/id/draft-dekok-radext-radiusv11-03.txt
>> Status:         https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/
>> Html:           https://www.ietf.org/archive/id/draft-dekok-radext-radiusv11-03.html
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-dekok-radext-radiusv11
>> Diff:           https://author-tools.ietf.org/iddiff?url2=draft-dekok-radext-radiusv11-03

The links at the top for point to 'rfcRFC...' for some reason:

Updates: RFC6613 <https://www.rfc-editor.org/rfc/rfcRFC6613>, RFC7360 <https://www.rfc-editor.org/rfc/rfcRFC7360> (if approved)

Typos (well ones aspell found):

 * s/extenion/extension/g - should catch the same plural typos
 * s/enitrely/entirely/g
 * s/interchangably/interchangeably/g
 * s/protcol/protocol/g
 * s/administative/administrative/g
 * s/ bave / have /g

For section 5.2, I would find it helpful to see the whole RADIUS packet (you have shown 80% of it already anyway!):

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             Token                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                            Reserved                           |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

As the first thing I think is "okay, what do we know do with the Identifier field" I think it may even deserve its own section. As it is the recommendations for receiving and sending is only described in the receiving section (5.2.2). Alternatively, move the 'recommend it is set to zero' to the sending section? I suspect breaking it out will make it easier to read/follow than blending it in with the Token field section.

On a related note. Has anyone thought of a situation where an implementation would need Identifier to continue to function? I know the backwards compatibility was aimed to reduce code churn but I suspect if Identifier was also made reserved, the additional work on top of supporting the removal of Authenticator and switching tracks to from RADIUS v1.0 and RADIUS v1.1 this would require an additional 1% effort? Suggesting it now as I see an opportunity to reclaim an otherwise unused field in a manner that I cannot see having an impact...something that we may not be able to do later.

Section 6.1, Obfuscated Attributes,

> As a result, any claims that passwords are sent "in the clear" are false.

I completely agree with the statement and the reasoning backing it, an argument I have used too.

There is another reason for the push back, there is a concern about the transmitting of the credential (User-Password) to the 'wrong' end system, or passing through a hostile hop.

Of course we can (and should) retort with "well if you are not going to verify the certs of your peers and/or peer with anything that rocks on up to your door then you are going to have a Bad Day(tm)".

I do think the wording could reflect on more that as the *method* of transmission and the *risks* involved are identical to each time you log into a website or fetch your email.

So maybe something like:

"For the unsure reader the use of TLS here to transmit your credentials is the same mechanism used with matching risks each time you log into a website, send and receive email, etc. As a result, any claims that passwords are sent "in the clear" are irrelevant."

Not completely happy with that wording, but it lands it closer to where I think it should be.

Section 6.2, Message-Authenticator

On the topic of 'invalid' attributes, RFC6929, section 2.8 says "if you are a proxy, thou shalt embrace the brokenness and proxy onward..." whilst this section causes a bit of a grey area when you are a proxy recommending instead that you discard the attribute.

I suggest stating "Message-Authenticator is now a non-special attribute, ignore when you have the role as the server or client, and forward verbatim when you are the proxy".

At some stage in the future, someone may want to repurpose it as some sort of end-to-end authenticator to verify the proxies in between have behaved; similar to a DNS TSIG RR.

Cheers

v2.23.0 | Report a Bug | By Email