IETF Logo Mail Archive

Re: [radext] BoF request for IETF 115

Bernard Aboba <bernard.aboba@gmail.com> Tue, 06 September 2022 21:48 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3208C157B4F for <radext@ietfa.amsl.com>; Tue, 6 Sep 2022 14:48:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mx2nD3a4S_PC for <radext@ietfa.amsl.com>; Tue, 6 Sep 2022 14:48:48 -0700 (PDT)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8361BC14CE3E for <radext@ietf.org>; Tue, 6 Sep 2022 14:48:48 -0700 (PDT)
Received: by mail-ej1-x630.google.com with SMTP id nc14so26222741ejc.4 for <radext@ietf.org>; Tue, 06 Sep 2022 14:48:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=pJK7K/+KIau9Kj2I/LrMbXDucJJNyca/sUPGB0jIPiE=; b=X6FlKkiAiQ/DrURzzrjLp9P8ezd6OT/sZGZIVMZH4Bu2NDFU32wAiu+x1Y340zT4yv t5x9fcVKurhebUN3hhFvGrRlcYY/hN/7RuqLe/NKwF0OGMdOytqKFip8DofXXsNj62EL Yv20j8UsibAEWFeksQ7yxx0owV9kY6sC7LaE9LOTydVgBIXF8zVwCwdcDos6leLM+R1V RDZeCIQA+S495CqjwuiIJdS6p/zc4oRzp510+gfBNoXKjdnsf1tPAftstvfNqDMpFHCB 1NGuZEIS+3nXr/nsJ++nmUQREytw0LcWiiXbmK2nDK0cFV248YUpPHNO4dOrR8j2XNjP zDbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=pJK7K/+KIau9Kj2I/LrMbXDucJJNyca/sUPGB0jIPiE=; b=3pdAaZ1lyhB6AUJFXOQEffuEqCMC2QWSyq2bUyOCxvhnZRmwlZ42Z6O4XTolmI+2hD Gc4RB3yhGBvUTz2VDRnzkr78VTMn+bwMDQ87iwhxh8w4Vecuofc50b5cIv+4BmB9WanZ gFwlaEGLIv9xMovYGLGHtRn81IzBJsTNhveMD/Kyvln5HcEAISQrGryfXNoue28h3MFH T6NT2lRvOjE4R5cb1T0U5jFWr/54fQ6TFoit37h5n2hPkZ9tky2dJr4k/3nyoCzmgo/a MrmbuJrS9ENPMvLfX6W+w/YhR2Io4z8fXktNu8mT2I/mKmyx4VCObf/eppqtHjWhZ0JO U5pQ==
X-Gm-Message-State: ACgBeo3vF4XyEtVDD8jp+E+R8Ce0kH2UcSIDDksYh3uwvKFNB4DfPDBM CY1EHbPWM+supLBT3c1jl9sgo4qNe6ACcNULKpg=
X-Google-Smtp-Source: AA6agR7tO/qB0ryTnAnd9x8/JRE3DNfTe4mO38516wX8lZRt4OUs0bpVSYEpkeNPUb1gUAzEFSeIEZaA67BE53+3zC8=
X-Received: by 2002:a17:907:391:b0:73d:c7d5:bb51 with SMTP id ss17-20020a170907039100b0073dc7d5bb51mr324369ejb.177.1662500926171; Tue, 06 Sep 2022 14:48:46 -0700 (PDT)
MIME-Version: 1.0
References: <5D005CCD-AF06-488A-AE48-5738B35EA4A2@deployingradius.com>
In-Reply-To: <5D005CCD-AF06-488A-AE48-5738B35EA4A2@deployingradius.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Tue, 06 Sep 2022 14:48:34 -0700
Message-ID: <CAOW+2dt8jX59=tyqc6SgQgXVPvS4DYErJeO-uYd-6rsSFWP+Pg@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: radext@ietf.org
Content-Type: multipart/alternative; boundary="00000000000024adb505e8092986"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/VuH89E7CUhEWuYB7KXek9sFoXAo>
Subject: Re: [radext] BoF request for IETF 115
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2022 21:48:53 -0000

RADIUS cryptography was considered "marginal" at the time RFC 2058 was
published in 1997.  RFC 6421, which was published in 2011, laid out a
process that was intended to result in deprecation of RADIUS and widespread
deployment of a secure replacement within a decade.

It is now 2022. Given the Personally Identifiable Information (PII) carried
by RADIUS (such as location), I'd argue that allowing RADIUS to transit in
the clear not only violates privacy regulations but should be considered a
risk to public safety.

On Tue, Sep 6, 2022 at 1:30 PM Alan DeKok <aland@deployingradius.com> wrote:

>   I've submitted a BoF request to recharter RADEXT for IETF 115.  The
> request is at:
> https://datatracker.ietf.org/doc/bofreq-dekok-bofreq-dekok-radius-extensions-and-security-00/
>
>   It includes a proposed charter.
>
>   Depending on the opinion of the IESG, the request might be rejected, we
> might have a BoF, or RADEXT might just be rechartered as WG.
>
>   The preliminary charter has been shared with the ADs.  It would be good
> to hear if other people have opinions on (a) the proposal to restart
> RADEXT, or (b) the charter and work items.
>
>   The high-level summary was to why we need RADEXT is included here, too.
> The link above has more information.
>
> ---
> There is increasing conflict between the security practices defined in
> RADIUS and modern cryptographic requirements. The move to RADIUS over TLS /
> DTLS has helped to secure the base protocol. However, the use of MD4 / MD5
> is still "baked into" RADIUS. The use of these digest algorithms makes it
> impossible to use RADIUS in a FIPS-140 compliant system.
>
> The WG will define a new SRADIUS which drops all use of MD4 / MD5, and
> will be suitable for use in a FIPS environment. This work is expected to
> require only minor changes to existing implementations.
>
> As part of this effort, the IETF will formally deprecate the use of RADIUS
> over UDP. There are still many cloud providers sending bare RADIUS packets
> over the Internet. This practice is insecure, and should be forbidden.
>
> RADIUS over TLS / DTLS are in wide-spread use. They should be updated to
> use TLS 1.3, to require Server Name Indication (which helps with sites
> hosting multiple authoritative servers), and to move the documents to
> standards track.
>
> In order to address the 8-bit ID limitation, we also propose to allow for
> more than 256 packets "in flight" on one connection between client and
> server. This change will permit higher throughput connections. Some vendors
> have already implemented their own versions of this work, which has proven
> to be successful in practice. This behavior should be documented and
> standardized.
> ---
>
>   Alan DeKok.
>
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
>

v2.23.0 | Report a Bug | By Email