IETF Logo Mail Archive

Re: [radext] CUI comments in "deprecating insecure transports"

Alexander Clouter <alex+ietf@coremem.com> Wed, 26 July 2023 15:54 UTC

Return-Path: <alex+ietf@coremem.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E157FC169528 for <radext@ietfa.amsl.com>; Wed, 26 Jul 2023 08:54:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="IT58ytrz"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="BZPftZCl"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id maFpqJ2R7ARX for <radext@ietfa.amsl.com>; Wed, 26 Jul 2023 08:54:25 -0700 (PDT)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54032C153CA8 for <radext@ietf.org>; Wed, 26 Jul 2023 08:54:24 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id E2C8732001AB; Wed, 26 Jul 2023 11:54:23 -0400 (EDT)
Received: from imap46 ([10.202.2.96]) by compute5.internal (MEProxy); Wed, 26 Jul 2023 11:54:24 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm2; t=1690386863; x=1690473263; bh=j0 oBjFun2iQ2NIMaoVYwuVrClE2wChdS3GHiAFuZ0kk=; b=IT58ytrzjUFZuHgfB9 rmwOrnn/R9W8IfHnAh0pPLaDZZgKIQ39RGZMcB/+xt+BrihhlTRycuzEUkqh1pML b4CuSNGoMzv1RBJkRTR6G+vDryz3FWDdQrui/6KRo+E6ImSpmsqEXLy1Ia669/zJ 1TFgV9TKHTnRQ3okLi2YoG0WeAwV7712FxUd+1DEUKWNK8ci7pe8C8zrqbHdREcc Q6B9eXcUBgJRSCwvJ/ID44QerMYGUQBM0EYNRKPmFdXcvCCXuho0AEKaXeqJwAVo TqHS0eTd0pN2FWzbvyZRzkmyyf72S9zE09YT7A0BUCHa71fq1TQtm9LvYbrMnnrz SmTA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; t=1690386863; x=1690473263; bh=j0oBjFun2iQ2N IMaoVYwuVrClE2wChdS3GHiAFuZ0kk=; b=BZPftZClkKZIHV7SxQdjNAMVQTNHl 5MNKrw82Si7xNYbFRO5uxsiNrGgJyLf0Z84bmsrZQf/NZVkpu9Jl67iK7qwv3Pwx NKYQTwAgMsAvR2z1xZq7xI7RmMx/+BL8sSBFYUEyxL6q4nbaAe6QKaYOleg3EUyv s0vC9EzAyfvLf607ZYXW/wll09k4s7oRhxhOAMKmQf9e1xUVn22q4f6qaDr1Pto1 bnJVDKhv2MmmwrwF94De8gkCsO+/iP9DAGeXUH4JbCnqQ1j4DnrlER9qK20L+eca 8E3cSeyoZHUKyHDV0t7LKvol6lop6HEh6NlDbaQYTVwD7cQne51IGop1A==
X-ME-Sender: <xms:r0HBZEwlZ-0pfYsr-SpOgcKwhiT2aMxk7o61CgSZSBkX7F7454hFUA> <xme:r0HBZIRFc1Ir_i4U1zZ7e93JgHd5AkuWDE2viW-FszvGIA19yy_YY_sSP-zUvm51o _H1voNOUFS_wM-yqQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedriedvgdelvdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvvefutgesthdtredtreertdenucfhrhhomhepfdetlhgv gigrnhguvghrucevlhhouhhtvghrfdcuoegrlhgvgidoihgvthhfsegtohhrvghmvghmrd gtohhmqeenucggtffrrghtthgvrhhnpeefueehuefhfeekhfdvueehjeeutdegveejgeev iedutdeuleejgffgkeehvefftdenucffohhmrghinhepjhhishgtrdgrtgdruhhknecuve hluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprghlvgigodhi vghtfhestghorhgvmhgvmhdrtghomh
X-ME-Proxy: <xmx:r0HBZGWJmTCsy8chjTRsEkThCNrEJj8itNulpUTNbEJcN_zaZczSkw> <xmx:r0HBZCiqzyb66YAp8cXBlOYRgkmbicYf3Yp9b-Nsdv28bAiZmCp4jQ> <xmx:r0HBZGAnb-KplhJSjd4tAj8wjl0B33n8CLHVcwQldvAxNSx2zAa6rA> <xmx:r0HBZBqOBl-5ot9db7Xqx1Bq3WyslEv27wmzoH6fLF9cmnejEcM-uA>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 0ACF32A20085; Wed, 26 Jul 2023 11:54:23 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-592-ga9d4a09b4b-fm-defalarms-20230725.001-ga9d4a09b
Mime-Version: 1.0
Message-Id: <a0df55dd-01e3-44ee-bc18-183d7057390c@app.fastmail.com>
In-Reply-To: <5F5C2E17-2061-4FFC-942A-9C4ED861EE5F@deployingradius.com>
References: <BC530A34-D348-44D0-886E-DB1ECF3A5010@deployingradius.com> <06c301d9bfc0$e07154d0$a153fe70$@gmail.com> <5F5C2E17-2061-4FFC-942A-9C4ED861EE5F@deployingradius.com>
Date: Wed, 26 Jul 2023 16:54:02 +0100
From: Alexander Clouter <alex+ietf@coremem.com>
To: Alan DeKok <aland@deployingradius.com>, josh.howlett@gmail.com
Cc: radext@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/SEJnArYlF51fZcAjFKkIM7tjNTI>
Subject: Re: [radext] CUI comments in "deprecating insecure transports"
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2023 15:54:30 -0000

On Wed, 26 Jul 2023, at 16:16, Alan DeKok wrote:
> The intent of CUI was that if a user was abusive, the visited network
> could report the CUI to the IdP.  The IdP would then block the user.
> While this isn't perfect, it provides for better user privacy.

I disagree, not just because of my views on this, but I can quote straight from the introduction of RFC4372:

"For example, local or intermediate networks may limit the number of simultaneous sessions for specific users; they may require a Chargeable-User-Identity in order to demonstrate willingness to pay or otherwise limit the potential for fraud."

So this can, and I would argue should, not only be the same CUI across multiple sessions but also multiple devices.

If this was purely for the reasons of managing abuse, the visited site could just report the timestamp with the Calling-Station-Id and call it a day; similarly to how IP network abuse is reported with a timestamp with source IP/port (I do not miss the .

That said, CUI *allows* for this, there is no reason for a federation to provide this level of reconciliation.

>From my previous life being an eduroam jockey, I did have an expectation[1] that CUI was a *user* identifier that if I blocked *all* devices for a short (eg. days) duration of that user would be denied.

>   Where there is a trade-off around user privacy, I would lean towards 
> keeping user privacy at the cost of increased effort in the network.

They can always block based on the TLS session resumption materials.

>   I'll see if I can update the wording to suggest that the CUI can be 
> static for one visited / home network relationship, provided they both 
> agree to this.  But generally it's better to have it different for 
> every session.

Maybe lets include some recommended strategies for an IdP/homesite to generate a CUI and along with the benefits and disadvantages of each.

For example did we want to recommend that a CUI is stable for say 24 hours and if so the describe how to go about doing that and more importantly how not to do that; such as "please do not mix in the MAC address or the time with less than day resolution".

>   The issue of CUI changing is made a little less relevant by the fact 
> that the MAC address doesn't change for one visited network (SSID, 
> etc).  So the visited network can always correlate MACs across sessions.

My laptop is setup to be an arse, so it does for me it does...that will learn them for having a high DHCP lease time :)

Cheers

[1] https://community.jisc.ac.uk/library/janet-services-documentation/chargeable-user-identity-eduroam-freeradius-implementation

v2.35.0 | Report a Bug | By Email | System Status