IETF Logo Mail Archive

Re: [radext] CUI comments in "deprecating insecure transports"

Alan DeKok <aland@deployingradius.com> Wed, 26 July 2023 16:20 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC9FBC16B5C9 for <radext@ietfa.amsl.com>; Wed, 26 Jul 2023 09:20:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RXMRACnkVKy4 for <radext@ietfa.amsl.com>; Wed, 26 Jul 2023 09:20:51 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78E83C169536 for <radext@ietf.org>; Wed, 26 Jul 2023 09:20:51 -0700 (PDT)
Received: from smtpclient.apple (dhcp-8aa8.meeting.ietf.org [31.133.138.168]) by mail.networkradius.com (Postfix) with ESMTPSA id A879B51B for <radext@ietf.org>; Wed, 26 Jul 2023 16:20:48 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
From: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Wed, 26 Jul 2023 09:20:46 -0700
References: <BC530A34-D348-44D0-886E-DB1ECF3A5010@deployingradius.com> <06c301d9bfc0$e07154d0$a153fe70$@gmail.com> <5F5C2E17-2061-4FFC-942A-9C4ED861EE5F@deployingradius.com> <a0df55dd-01e3-44ee-bc18-183d7057390c@app.fastmail.com>
To: radext@ietf.org
In-Reply-To: <a0df55dd-01e3-44ee-bc18-183d7057390c@app.fastmail.com>
Message-Id: <A0D7BF87-C696-4C52-A0B7-E88AE5274D20@deployingradius.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/Q7zSeuqsqK0YxylIeP9g0DAyOIw>
Subject: Re: [radext] CUI comments in "deprecating insecure transports"
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2023 16:20:53 -0000

On Jul 26, 2023, at 8:54 AM, Alexander Clouter <alex+ietf@coremem.com> wrote:
> I disagree, not just because of my views on this, but I can quote straight from the introduction of RFC4372:
> 
> "For example, local or intermediate networks may limit the number of simultaneous sessions for specific users; they may require a Chargeable-User-Identity in order to demonstrate willingness to pay or otherwise limit the potential for fraud."
> 
> So this can, and I would argue should, not only be the same CUI across multiple sessions but also multiple devices.

  I think that's implied, yes.  But not stated explicitly.  :(

> They can always block based on the TLS session resumption materials.

  Is the session ticket sent in the clear?  I'm not sure how a visited network would block based on the ticket.

> Maybe lets include some recommended strategies for an IdP/homesite to generate a CUI and along with the benefits and disadvantages of each.

  Yes.  I'll add that.

> For example did we want to recommend that a CUI is stable for say 24 hours and if so the describe how to go about doing that and more importantly how not to do that; such as "please do not mix in the MAC address or the time with less than day resolution".

  Sure.

  Over all, I think user privacy conflicts directly with the desire of the visited network to enforce local policies.  Off of the top of my head, the only way I can think to address this is for the visited network to inform the home server of it's policies,  The home server can then apply and enforce those policies.

  That being said, none of this is possible in RADIUS today.  There is no attribute which says "please limit simultaneous logins to N", or anything similar.  This kind of extension would be necessary in order to get full user privacy at the visited network.

  I'll update the doc with issues and trade-offs.  There isn't much else we can do at this point.

  Alan DeKok.

v2.35.0 | Report a Bug | By Email | System Status