IETF Logo Mail Archive

Re: [radext] Proposed charter text based on IETF-115 BoF

Alan DeKok <aland@deployingradius.com> Thu, 24 November 2022 14:07 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3BF2C14CF00 for <radext@ietfa.amsl.com>; Thu, 24 Nov 2022 06:07:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0pBj2O1tLE58 for <radext@ietfa.amsl.com>; Thu, 24 Nov 2022 06:07:40 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91484C14CEE7 for <radext@ietf.org>; Thu, 24 Nov 2022 06:07:40 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 04C6C743; Thu, 24 Nov 2022 14:07:37 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <13864825.91gbytsIAZ@tauon.chronox.de>
Date: Thu, 24 Nov 2022 09:07:36 -0500
Cc: Peter Deacon <peterd@iea-software.com>, Paul Wouters <paul.wouters@aiven.io>, Bernard Aboba <bernard.aboba@gmail.com>, "radext@ietf.org" <radext@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7AE506CB-0D5E-4768-A918-06A320D23005@deployingradius.com>
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com> <4ce6d292-bb34-5dd7-7b8b-d43c282658f1@iea-software.com> <CAGL5yWbd3u+eUqe8vNZ-qKiQt+vr+jHGqtmQpskW-PwCNrYD5g@mail.gmail.com> <13864825.91gbytsIAZ@tauon.chronox.de>
To: Stephan Mueller <stephan.mueller@atsec.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/XtRRvMlAR6Y3j_7h6VaScn9Ml4Q>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 14:07:42 -0000

On Nov 24, 2022, at 3:41 AM, Stephan Mueller <stephan.mueller@atsec.com> wrote:
> If you conclude that the TLS wrapper covers all security concerns that are 
> addressed by MD5, then you can leave MD5 as non-approved. But this then does 
> not hurt because as it does not contribute to security. Thus, you do not 
> violate a FIPS requirement.

  That's good to know.

  It would be useful if NIST published a statement to this effect.  Confusion around the FIPS requirements causes ongoing issues for most RADIUS implementors.

  The customer says "FIPS says no MD5, so we must ban ALL uses of MD5."

  The RADIUS vendor responds with "You can have a completely open network with no authentication, or you can have a secure network using RADIUS with MD5.  Pick one".

  At which point peoples heads explode.  There is much arguing back and forth.

  Corporate processes deal better with checklists than with exceptions.  A simple "FIPS means no MD5" is a checklist item, and is clearly understandable by everyone involved.  It is a lot of work and frustration to explain that RADIUS is somehow special, and that it's fine for RADIUS to apparently violate the FIPS requirements.


  As a similar example, there are many claims hat RADIUS sends passwords "in the clear" over the network.  This isn't true, of course.  But a naive reader sees "clear text passwords" and "RADIUS sends passwords", and leaps to the wrong conclusion.  This issue is made worse by endless "security" experts writing public articles which are 100% wrong.

  This has been a source of confusion and misunderstanding for decades.  I can't tell you how many times I've had to argue with "security" people who are implementing some kind of ridiculous checklist for their network.  They can't seem to grasp that if they're talking to RADIUS people, then perhaps those RADIUS people might just understand RADIUS better than they do.


  The issue of FIPS and MD5 is similar.  Arguably we should have removed MD5 entirely from RADIUS/TLS when RFC 6614 was published.  Since that hasn't happened, we have the choice either to address the issue, or to spend decades explaining why it's fine to use RADIUS in FIPS mode.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email