Re: [radext] CUI comments in "deprecating insecure transports"

Heikki Vatiainen <hvn@radiatorsoftware.com> Thu, 27 July 2023 10:25 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/QLiuxHQ81pzWyKZ8H-1IufdOspA>

On Thu, 27 Jul 2023 at 12:44, <josh.howlett@gmail.com> wrote:

> > Apparently private MACs change every 24hrs as of iOS 14, so that's
> > something.
> > Max ticket lifetime is 7 days as per 8446.
>
> I thought I'd read somewhere that vendors were converging on using a
> different but persistent MAC for each network. I could easily be mistaken
> though.
>

Here's an article that describes per-network MAC randomisation:
https://support.apple.com/en-gb/guide/security/secb9cb3140c/web

What I remember hearing is that randomisation was done more frequently
previously, but now its use and frequency have been reduced. One reason I've
heard, which also relates to RADIUS authentication, is that per-connection
randomisation was a nuisance with captive portals, for example in hotels,
where people expect that they only need to authenticate once a day, at
maximum.

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com