Re: [radext] I-D Action: draft-ietf-radext-radiusdtls-bis-00.txt
Fabian Mauchle <fabian.mauchle@switch.ch> Tue, 07 November 2023 08:49 UTC
Return-Path: <fabian.mauchle@switch.ch>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC0F3C1519A2 for <radext@ietfa.amsl.com>; Tue, 7 Nov 2023 00:49:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=switch.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9cfW5yKmh1wr for <radext@ietfa.amsl.com>; Tue, 7 Nov 2023 00:49:22 -0800 (PST)
Received: from mx3.switch.ch (mx3.switch.ch [85.235.88.34]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFCC7C15107A for <radext@ietf.org>; Tue, 7 Nov 2023 00:49:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=switch.ch; l=1608; s=selector1; t=1699346962; h=message-id:date:mime-version:subject:to:references:from: in-reply-to:content-transfer-encoding; bh=DkGWeunBzTabZ2rJZOCyDB8WQa+Yb836hOHcNj+9VN8=; b=FXOvDDPZU9uRC8MFfJLrO3qUbNLtX+odh5nXNxNWoshgqwX9nYmLuwY5 A6Ilu5R1nnz8DTtymSDpZRexsLKNkZtC2qfBGnGGCHhajlTNLltFUV+A8 +6YqVwUeoQj8uVTy4HvgYoNISUya0c3i+jlubOpNaWN2iUnPgDLfd05VM 7380FaI8yxy9l5Eyd8rQ7zdsGEuoys/i6VZzWDjGdCogPm2pc6CZkOlvT dbHEVoGRQclcVP7u686XAQDb7HB1febAXJ4jXI1n3QDpQQvBLcW5Koqrd e2v3uX7fxGgpOfWRDxT86YdqY8onNQurtfC2UzCsJkSPuU5XzoaOkagoQ A==;
X-IronPort-MAIL-FROM: fabian.mauchle@switch.ch
X-IronPort-RCPT-TO: radext@ietf.org
X-IronPort-AV: E=Sophos;i="6.03,283,1694728800"; d="scan'208";a="5852071"
Received: from unknown (HELO SWH-S02-EXC1.swd.switch.ch) ([172.16.60.11]) by mx3int.switch.ch with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Nov 2023 09:49:17 +0100
Received: from [130.59.196.158] (172.16.60.33) by SWH-S02-EXC1.swd.switch.ch (172.16.60.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.37; Tue, 7 Nov 2023 09:49:16 +0100
Message-ID: <0a5d9a97-6565-4520-8b44-eebeb840961e@switch.ch>
Date: Tue, 07 Nov 2023 09:49:16 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US, de-CH
To: radext@ietf.org
References: <169739080401.19425.3530994950072317079@ietfa.amsl.com>
From: Fabian Mauchle <fabian.mauchle@switch.ch>
In-Reply-To: <169739080401.19425.3530994950072317079@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [172.16.60.33]
X-ClientProxiedBy: SWH-S06-EXC4.swd.switch.ch (172.16.60.18) To SWH-S02-EXC1.swd.switch.ch (172.16.60.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/Rgym3YeA6dw_t0DUwiAEdfB2RHQ>
Subject: Re: [radext] I-D Action: draft-ietf-radext-radiusdtls-bis-00.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2023 08:49:26 -0000
Hi All, On 15.10.23 19:26, internet-drafts@ietf.org wrote: > Internet-Draft draft-ietf-radext-radiusdtls-bis-00.txt is now available. It is > a work item of the RADIUS EXTensions (RADEXT) WG of the IETF. Couple of notes while reading the draft: # Section 3.2 Default ports: Page 5, at the bottom reads: > The default ports for RADIUS/UDP (1812/udp, 1813/udp) and RADIUS/TCP > (1812/tcp, 1813/tcp) SHOULD NOT be used for RADIUS/(D)TLS. While at the end of the section it reads: > RADIUS/(D)TLS peers MUST NOT use the old RADIUS/UDP or RADIUS/TCP > ports for RADIUS/DTLS or RADIUS/TLS. So we should decide whether its a SHOULD NOT or a MUST NOT. # Section 4.2.1, last sentence about trust base changes. First, I agree rechecking exiting connects SHOULD be done. However, TLS1.3 no longer supports renegotiation (see https://wiki.openssl.org/index.php/TLS1.3#Renegotiation). I would suggest that ... implementations SHOULD re-verify all certificates of established connections against the updated trust base and SHOULD close the connection if it the verification fails. # Section 7.5. Migrating from RADIUS/UDP to RADIUS/(D)TLS Regarding the 'MUST NOT reuse shared secret as TLS-PSK': The draft-ietf-radext-tls-psk talks extensively about this, so we should at least refer to that (draft or later RFC when published). I think keeping a short note here is fine to emphasize the point. Best regards, Fabian -- Fabian Mauchle, Network SWITCH Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland Phone +41 44 268 15 30, direct +41 44 268 15 39
- [radext] I-D Action: draft-ietf-radext-radiusdtls… internet-drafts
- Re: [radext] I-D Action: draft-ietf-radext-radius… Alan DeKok
- Re: [radext] I-D Action: draft-ietf-radext-radius… Fabian Mauchle