Re: [radext] I-D Action: draft-ietf-radext-tls-psk-01.txt

Alan DeKok <aland@deployingradius.com> Thu, 10 August 2023 11:41 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/ZFsXl72XUm3hvhJUsK2i4PNSz58>

On Aug 9, 2023, at 3:29 PM, Alexander Clouter <alex+ietf@coremem.com> wrote:
> I keep re-reading the following and I just don't "get it":
> 
> "If an implementation supports both TLS 1.2 and TLS 1.3, it MUST require that TLS 1.3 be negotiated in RADIUS/TLS and RADIUS/DTLS. This requirement prevents reuse of a PSK with multiple TLS versions, which prevents the attacks discussed in [RFC8446] Section E.7."

  The design of TLS 1.2 has issues.  If you use the same PSK for TLS 1.2 and TLS 1.3, then it's possible to attack TLS 1.2, get the PSK, and then use that to attack the TLS 1.3 connection.

  The solution is some hand-waving requirement to not use the same PSK across the TLS 1.3 and TLS <1.3 boundary.  How does that work in practice?  I'm unsure.

> So I am confused about what the action is here for an implementor if I want to support TLS-PSK on 1.2?

  If it's only used for TLS 1.2, fine.  But the requirement is for _different_ PSKs to be used for 1.2 and 1.3.

> Section 5:
> 
> "Implementations MUST use ECDH cipher suites", any reason why I cannot use anything else now or in the future? Should this be "MUST support" instead?

  Yes.

> Misc:

  Fixed, thanks.

  Alan DeKok.
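
As an added example (not part of the original message or the draft), one way to audit a configuration for the requirement discussed above: it flags any PSK whose key material is usable with both TLS 1.3 and an earlier version, including the same key filed under two identities. The table layout, identity names and key values are constructed assumptions.

```python
import hashlib
from collections import defaultdict

PRE_TLS13 = {"1.0", "1.1", "1.2"}

# Constructed sample table: (PSK identity, key as hex, TLS versions it is
# enabled for). Not taken from the draft or from any real deployment.
SAMPLE_PSKS = [
    ("nas-east",     "aa" * 32, {"1.2", "1.3"}),  # one entry, both versions
    ("nas-west-12",  "bb" * 32, {"1.2"}),         # same key as the next entry,
    ("nas-west-13",  "BB" * 32, {"1.3"}),         # written in different hex case
    ("nas-north-12", "cc" * 32, {"1.2"}),         # distinct key per version:
    ("nas-north-13", "dd" * 32, {"1.3"}),         # this pair is fine
]

def key_fingerprint(key_hex):
    """Decode the hex (case-insensitive) and hash it, so that reports can
    refer to a key without ever printing the key itself."""
    raw = bytes.fromhex(key_hex.strip())
    return hashlib.sha256(raw).hexdigest()[:16]

def find_cross_version_reuse(entries):
    """Return {key fingerprint: sorted identities} for every key that is
    enabled for TLS 1.3 and also for some earlier TLS version."""
    ids = defaultdict(set)
    versions = defaultdict(set)
    for identity, key_hex, allowed in entries:
        fp = key_fingerprint(key_hex)
        ids[fp].add(identity)
        versions[fp] |= set(allowed)
    # Group by key material, not by identity: renaming the identity does not
    # make the PSK a different PSK.
    return {
        fp: sorted(ids[fp])
        for fp in ids
        if "1.3" in versions[fp] and versions[fp] & PRE_TLS13
    }

if __name__ == "__main__":
    for fp, identities in find_cross_version_reuse(SAMPLE_PSKS).items():
        print(f"PSK {fp} crosses the TLS 1.3 boundary: {', '.join(identities)}")
```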