Re: [radext] CUI comments in "deprecating insecure transports"

"Mark Grayson (mgrayson)" <mgrayson@cisco.com> Wed, 26 July 2023 15:52 UTC

From: "Mark Grayson (mgrayson)" <mgrayson@cisco.com>
To: Alan DeKok <aland@deployingradius.com>, "josh.howlett@gmail.com" <josh.howlett@gmail.com>
CC: "radext@ietf.org" <radext@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/SYICskZIo2_E1z1ERrb4qYifxxo>

Whereas there is text on binding-lifetime for CUI, does there need to be equivalent discussion around the use of user-name re-write and class attribute?

Cheers,
Mark

From: radext <radext-bounces@ietf.org> on behalf of Alan DeKok <aland@deployingradius.com>
Date: Wednesday, 26 July 2023 at 16:17
To: josh.howlett@gmail.com <josh.howlett@gmail.com>
Cc: radext@ietf.org <radext@ietf.org>
Subject: Re: [radext] CUI comments in "deprecating insecure transports"

On Jul 26, 2023, at 5:58 AM, <josh.howlett@gmail.com> <josh.howlett@gmail.com> wrote:
>
> There are good reasons for the CUI value to be persistent, provided that it
> is targeted to each network access provider. In this way, different
> providers cannot collude to track users. However, they still maintain the
> ability to *recognise* (but not identify) the same user that they saw
> previously.
>
> There are legitimate reasons to track and, if necessary, identify users,
> including troubleshooting and prevention of service abuse.

  The intent of CUI was that if a user was abusive, the visited network could report the CUI to the IdP.  The IdP would then block the user.  While this isn't perfect, it provides for better user privacy.

  Where there is a trade-off around user privacy, I would lean towards keeping user privacy at the cost of increased effort in the network.

  I'll see if I can update the wording to suggest that the CUI can be static for one visited / home network relationship, provided they both agree to this.  But generally it's better to have it different for every session.

  The issue of CUI changing is made a little less relevant by the fact that the MAC address doesn't change for one visited network (SSID, etc).  So the visited network can always correlate MACs across sessions.

  But for me, this is about nibbling away at the privacy bits one problem at a time.  At some point, MADINAS will perhaps allow MACs to be changed per session, and then that problem will go away.  And the CUI will already be different per session (usually).  So we won't have to go back and fix it again.

  Alan DeKok.
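
The two CUI policies discussed in this thread (a persistent value targeted to one visited network, and a value that differs for every session), together with the abuse-report path back to the IdP, as an added example that is not part of the original messages or of any RADIUS implementation. The HMAC derivation, the key handling and all names (targeted_cui, SessionCuiIssuer, the sample users and operators) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

IDP_KEY = secrets.token_bytes(32)  # hypothetical IdP-held secret, never shared


def targeted_cui(user: str, operator: str, key: bytes = IDP_KEY) -> str:
    """Persistent CUI: stable for one (user, visited operator) pair only."""
    msg = b"cui-v1\x00" + user.encode() + b"\x00" + operator.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def resolve_targeted(cui: str, operator: str, users, key: bytes = IDP_KEY):
    """IdP side: recompute per user to find who a reported CUI belongs to."""
    for user in users:
        if hmac.compare_digest(targeted_cui(user, operator, key), cui):
            return user
    return None  # unknown CUI, or reported by a different operator


class SessionCuiIssuer:
    """Per-session CUI: a random value; the mapping exists only at the IdP."""

    def __init__(self):
        self._issued = {}   # cui -> (user, operator it was issued to)
        self.blocked = set()

    def issue(self, user: str, operator: str) -> str:
        if user in self.blocked:
            raise PermissionError("user blocked after abuse report")
        cui = secrets.token_hex(16)
        self._issued[cui] = (user, operator)
        return cui

    def report_abuse(self, cui: str, reporting_operator: str) -> bool:
        """Visited network reports a CUI; the IdP blocks the user behind it."""
        entry = self._issued.get(cui)
        # Only honour reports from the operator the CUI was issued to.
        if entry is None or entry[1] != reporting_operator:
            return False
        self.blocked.add(entry[0])
        return True
```

With the targeted form a visited network can recognise a returning user across sessions but cannot match that value against another operator's; with the per-session form it cannot link sessions by CUI at all, yet an abuse report still resolves at the IdP.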
