Re: [radext] Proposed charter text based on IETF-115 BoF
Bernard Aboba <bernard.aboba@gmail.com> Thu, 24 November 2022 04:27 UTC
Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B27C3C14F73B for <radext@ietfa.amsl.com>; Wed, 23 Nov 2022 20:27:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wcYcbTosbgxR for <radext@ietfa.amsl.com>; Wed, 23 Nov 2022 20:27:11 -0800 (PST)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44954C14F736 for <radext@ietf.org>; Wed, 23 Nov 2022 20:27:11 -0800 (PST)
Received: by mail-ej1-x62a.google.com with SMTP id e27so1516452ejc.12 for <radext@ietf.org>; Wed, 23 Nov 2022 20:27:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=UM6a+nyBf8BqzH0AANPNpwBK/Eea0fmeB5102iQu2y8=; b=WaFkVHhOJF0+i9vhZbpAX6JKzS42fpkERTx/TB9OvzTApFqbZLJlHFzWMDfnnFoF90 RWk/8DzgnJc/NyB47E2A0Y1E0mrQyeQC4YsvEcsc2JlDHksYkd+RX/SkClKPK6M+uCXu YN3jB6ZOHX2IIse7lsLVJ3w1mhW4LHGMHcV7RCcoJy+HNDrA3eTnSonMBzv0wFwPCaDv s1RSJcZGwtPDEu62X/RmUutr8xgeNH1FbNgSEGBbPRt3JEFpN30RFxfyR11yhrdwAKO0 8kwrDZQvm7oN3YmM8Jw3Wr+Mgs2p6/j5byhDqyeqZDNglzk6jLuiktCnmCtVg77Un2XF g+Kw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=UM6a+nyBf8BqzH0AANPNpwBK/Eea0fmeB5102iQu2y8=; b=qZ75yxoESeeW1n8vkvgJU1yISkhZEA1aiKxYdlqB3nyQMgYRwenPQkl3OIgbNUnTx9 LN3bAoFBeTcn/GHToWVwdRRt3YNQ/SZzC5TE3CT8TOneD7rdU3nOwEo0OyYw3p5tifkj sMz6I8cUJ+wlIe/Le24xaorPrC+QBaa9L8bY52K8aFLFFFH4J0YOoOLXf71LrS7rE5gj KNM7vnogf1+RDRhZ1JkoTXOljX9ylB560jAklYjLdaLwzcJJXTQH+WAaNHQBMB6ps35B yOU4UM2kWjASgfvWa/C2EzHac5thYbFuOB+DPM7Ggl7gCwS9/JqPruHKSmlJpsZiAzhh iIuQ==
X-Gm-Message-State: ANoB5plydxl/TpA06jVWxvoT+1XPsHYoFoQdMQeT9KOpu3zUGD49h2Xe iHjwXPmdF6GG7HGgBZ6EXeMewIAEgKHcR3hDL5E=
X-Google-Smtp-Source: AA0mqf7dDF9E1n2Fz6FwXMeeuUuya5O5JGvHaT3P2P4ySCefQiqVJChcYJmFFsAmw8efWmfd9uls3Ky/3hf+07MZy2I=
X-Received: by 2002:a17:906:3096:b0:7ae:eae9:25a5 with SMTP id 22-20020a170906309600b007aeeae925a5mr26346908ejv.394.1669264029257; Wed, 23 Nov 2022 20:27:09 -0800 (PST)
MIME-Version: 1.0
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com> <E82B0ECD-4580-4F35-B07B-35685CFC5C44@aiven.io> <883f3572-121f-5ed8-7378-1a91c5525f88@iea-software.com> <EAAC2507-5D29-4453-8881-BC8D9D5314D8@deployingradius.com> <4ce6d292-bb34-5dd7-7b8b-d43c282658f1@iea-software.com> <CAGL5yWbd3u+eUqe8vNZ-qKiQt+vr+jHGqtmQpskW-PwCNrYD5g@mail.gmail.com>
In-Reply-To: <CAGL5yWbd3u+eUqe8vNZ-qKiQt+vr+jHGqtmQpskW-PwCNrYD5g@mail.gmail.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Wed, 23 Nov 2022 20:26:58 -0800
Message-ID: <CAOW+2dv6+F_ccB19qFxMTwhxOz0CJPVZNnjyWpGXZiTg10A2tQ@mail.gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
Cc: Alan DeKok <aland@deployingradius.com>, Peter Deacon <peterd@iea-software.com>, "radext@ietf.org" <radext@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008019cd05ee2fd104"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/YZkKP0r1mkIYTOTcYc80LiLKICQ>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 04:27:11 -0000
Paul said: “ This means (and this is what people concluded in the past) is that wrapping Radius in TLS, where the TLS layer only uses approved algorithms, is not good enough for FIPS. The inner radius packets are still used to make authentication decisions based on security methods that uses MD5, which is not allowed for FIPS.” [BA] In “FIPS mode” the RADIUS server cannot execute user authentication mechanisms that depend on MD5, such as EAP-MD5 (for 802.1X) or CHAP. So typically we see users being required to authenticate with EAP-TLSv2. This requires no change to the RADIUS protocol, just appropriate configuration of user authentication methods. With respect to MD5 usage within RADIUS over (D)TLS, the specifications already require mutual authentication and encryption between RADIUS peers using (D)TLS, so that security decisions such as peer authorization or the protection of hidden attributes need not depend on legacy RADIUS MD5 mechanisms (e.g. no need to check that the “default” shared secret is in use). SRADIUS goes further by removing the dependencies on MD5 entirely, which allows it to function in “FIPS mode” environments where MD5 is not available. Since deployments typically know whether they are required to operate in “FIPS mode” or not and configure their equipment accordingly, there are few scenarios where interop is required between a “non-FIPS mode” NAS and a “FIPS mode” server. Rather, installations that require FIPS compliance will require support on both network devices as well as servers, and will ensure that the devices and servers are configured so they can talk to each other. FIPS compliance for network access is not new - I recall shipping 802.11 support for FIPS circa 2008.
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- [radext] Proposed charter text based on IETF-115 … Paul Wouters
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Paul Wouters
- Re: [radext] Proposed charter text based on IETF-… Peter Deacon
- Re: [radext] Proposed charter text based on IETF-… Michael Richardson
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Peter Deacon
- Re: [radext] Proposed charter text based on IETF-… josh.howlett
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Michael Richardson
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Paul Wouters
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Peter Deacon
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Alexander Clouter
- [radext] Liaison to government agencies Bernard Aboba
- Re: [radext] Liaison to government agencies Stephen Farrell
- Re: [radext] Liaison to government agencies Bernard Aboba
- Re: [radext] Liaison to government agencies Stephen Farrell
- Re: [radext] Proposed charter text based on IETF-… Michael Richardson
- Re: [radext] Liaison to government agencies Bernard Aboba
- Re: [radext] Liaison to government agencies Stephen Farrell
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Paul Wouters
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alexander Clouter
- Re: [radext] Proposed charter text based on IETF-… Alexander Clouter
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alexander Clouter
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Matthew Newton
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Matthew Newton
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Heikki Vatiainen
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Heikki Vatiainen
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… josh.howlett
- Re: [radext] Proposed charter text based on IETF-… Margaret Cullen
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Liaison to government agencies Margaret Cullen
- Re: [radext] Liaison to government agencies Margaret Cullen
- Re: [radext] Liaison to government agencies Bernard Aboba
- Re: [radext] Liaison to government agencies Bernard Aboba
- Re: [radext] Liaison to government agencies Alan DeKok
- Re: [radext] Liaison to government agencies Alexander Clouter
- Re: [radext] Liaison to government agencies Behcet Sarikaya