IETF Logo Mail Archive

Re: [radext] Server identity in RADIUS/(D)TLS-bis

Jan-Frederik Rieckers <rieckers@dfn.de> Sun, 14 April 2024 21:20 UTC

Return-Path: <rieckers@dfn.de>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 401C8C14F6A8 for <radext@ietfa.amsl.com>; Sun, 14 Apr 2024 14:20:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AFhp3o533B_M for <radext@ietfa.amsl.com>; Sun, 14 Apr 2024 14:20:24 -0700 (PDT)
Received: from a1004.mx.srv.dfn.de (a1004.mx.srv.dfn.de [194.95.233.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A617BC14F61F for <radext@ietf.org>; Sun, 14 Apr 2024 14:20:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:in-reply-to:organization:from:from :content-language:references:subject:subject:user-agent :mime-version:date:date:message-id:received; s=s1; t=1713129617; x=1714944018; bh=8lpWqGRlNURuVytpQj2pTDP+JteKjrssF0ZJoqytDq4=; b= WHKRyIlL5zAFVYIUZ3wQaITuDOy9yV9A8ANb3x/qV2Toqu4ddcDhUaGAu94xwTyy u/Mic3uIYO5wPaL+2MiSDSkiXe8Ldj3CNiM+7mt6l72dm5D0fthqJXMNAH3NpP+X cjKX/kGOpNRjgO87zfVh2ee5gAUP5Hn4LDfJU7hYRko=
Received: from mail.dfn.de (mail.dfn.de [194.95.245.150]) by a1004.mx.srv.dfn.de (Postfix) with ESMTPS id CDB2A2000D7 for <radext@ietf.org>; Sun, 14 Apr 2024 23:20:17 +0200 (CEST)
Received: from [IPV6:2001:638:d:1010::1000] (unknown [IPv6:2001:638:d:1010::1000]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.in.dfn.de (Postfix) with ESMTPSA id 5000C3D6 for <radext@ietf.org>; Sun, 14 Apr 2024 23:20:17 +0200 (CEST)
Message-ID: <d86d5c79-3f24-4e84-984a-e0e13c6e5648@dfn.de>
Date: Sun, 14 Apr 2024 23:20:11 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: radext@ietf.org
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <18ef8267-474e-49ae-9204-0c6c79d5e50c@dfn.de> <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de> <10347.1712778967@obiwan.sandelman.ca> <7D282A57-B68E-43DA-A6A2-7E14A8C09119@deployingradius.com> <5b5d0dc0-a81a-415e-ac01-de8b365a6ea0@dfn.de> <548E18B4-77BB-4658-B17D-56212F324436@deployingradius.com> <42665AEE-C6A2-489F-BFFC-0977F0DCA84F@deployingradius.com>
Content-Language: en-US
From: Jan-Frederik Rieckers <rieckers@dfn.de>
Organization: DFN e.V.
In-Reply-To: <42665AEE-C6A2-489F-BFFC-0977F0DCA84F@deployingradius.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms090908020909030607090503"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/UTVkBE7hv_UxgpKx_Z1vOaXz5yI>
Subject: Re: [radext] Server identity in RADIUS/(D)TLS-bis
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Apr 2024 21:20:28 -0000

Hi all,

-- begin "moderator talk --

we've had a lot of things being said and I fear at some point maybe some 
misunderstandings too.

My head is spinning a bit and I'm trying to understand everything that 
was said and what that means for the specification.

I think we have different ideas of the term "identity" in different 
contexts and have different contexts that we base this idea on (as we 
all have a different view of the RADIUS world).


Coming back to the original question that started this sub-thread, and 
with that maybe resolving the thread and getting a bit of clarity for 
everyone:

The current draft says in the section about detecting live servers (3.3) 
this:
> If a RADIUS/(D)TLS client has multiple connection to a server, it MUST NOT decide to mark the whole server as DOWN until all connections to it have been marked DOWN.

So this is the origin of this discussion. We need to have a common 
understanding of what "multiple connections to a server" or "whole 
server" means in this context.


-- end "moderator" talk, begin my own opinion --

The text that I drafted in the pull request had primarily one specific 
use case in mind: A client or proxy opens a second (or third/fourth/...) 
connections to the same server because it ran out of ID space and now 
has two open connections.

 From my understanding, if my software opens a new connection to the 
same peer, but with a different certificate/SAN/.... or -- looking at it 
from another perspective -- if a peer with a different IP address 
presented the same certificate, those connections should be considered 
as connections to a different server, because they may have different 
policies attached to them, may be in different load balancing groups, 
may be two different instances in the same load balancing groups, ...

We don't need to go into detail about Routes or Identity of the RADIUS 
server (server meaning here: the actual final destination of the RADIUS 
communication, ignoring proxies), because that is probably irrelevant 
for this specification. What we want is to identify the same peer for 
lifeness checks, and we don't care whether it is a proxy or the 
authoritative RADIUS server.

As Alan said, RFC2865 doesn't define fallback (=redundancy or 
load-balancing) algorithms. So with the current specification a server 
being marked "DOWN" has zero (normatively specified) effect, as well as 
if the watchdog algorithm identifies a connection as down.
It's up to the implementation what to do with that information.

I don't think this document would be the right place to specify RADIUS 
redundancy/load balancing. That would delay this document even further 
and at least I would be happy if we could finish the document soon.


Cheers,
Janfred


On 12.04.24 16:39, Alan DeKok wrote:
>    So summarize my thoughts a little more clearly;
> 
> RFC 7585 clients SHOULD use SNI.  This information can be used by a server which handles multiple realms, in order to present a matching certificate for that realm.
> 
> Other TLS clients MAY use SNI.  The SNI realm SHOULD be configured by the administrator of the RADIUS client.  The SNI realm does not need to be the same as any realm in packets sent by the client.
> 
> TLS connections MUST operate application-layer watchdog checks as per RFC 3559 Section 3.4.  TLS connections SHOULD also enforce idle timeouts, lifetimes, etc.
> 
> TLS connection liveliness checks MUST be applied on a per-connection basis.  There may be other connections to the same destination which are up and active.
> 
> Other issues of load-balancing, multiple connections to the same destination, etc. are outside of the scope of this document.
> 
>    Alan DeKok.
> 

-- 
Herr Jan-Frederik Rieckers
Security, Trust & Identity Services

E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education 
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de

Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | 
Christian Zens
Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729B | USt.-ID. DE 136623822

v2.23.0 | Report a Bug | By Email