IETF Logo Mail Archive

[radext] BoF request for IETF 115

Alan DeKok <aland@deployingradius.com> Tue, 06 September 2022 20:30 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 864CCC159490 for <radext@ietfa.amsl.com>; Tue, 6 Sep 2022 13:30:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aPJ_M-A7Eqh5 for <radext@ietfa.amsl.com>; Tue, 6 Sep 2022 13:30:39 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0F27C14CE31 for <radext@ietf.org>; Tue, 6 Sep 2022 13:30:39 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id E6BBE509 for <radext@ietf.org>; Tue, 6 Sep 2022 20:30:31 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
From: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
Message-Id: <5D005CCD-AF06-488A-AE48-5738B35EA4A2@deployingradius.com>
Date: Tue, 06 Sep 2022 16:30:30 -0400
To: radext@ietf.org
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/a7-e_uIFYFrIrOIqvEzkeSfyAyw>
Subject: [radext] BoF request for IETF 115
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2022 20:30:41 -0000

  I've submitted a BoF request to recharter RADEXT for IETF 115.  The request is at:  https://datatracker.ietf.org/doc/bofreq-dekok-bofreq-dekok-radius-extensions-and-security-00/

  It includes a proposed charter.

  Depending on the opinion of the IESG, the request might be rejected, we might have a BoF, or RADEXT might just be rechartered as WG.

  The preliminary charter has been shared with the ADs.  It would be good to hear if other people have opinions on (a) the proposal to restart RADEXT, or (b) the charter and work items.

  The high-level summary was to why we need RADEXT is included here, too.  The link above has more information.

---
There is increasing conflict between the security practices defined in RADIUS and modern cryptographic requirements. The move to RADIUS over TLS / DTLS has helped to secure the base protocol. However, the use of MD4 / MD5 is still "baked into" RADIUS. The use of these digest algorithms makes it impossible to use RADIUS in a FIPS-140 compliant system.

The WG will define a new SRADIUS which drops all use of MD4 / MD5, and will be suitable for use in a FIPS environment. This work is expected to require only minor changes to existing implementations.

As part of this effort, the IETF will formally deprecate the use of RADIUS over UDP. There are still many cloud providers sending bare RADIUS packets over the Internet. This practice is insecure, and should be forbidden.

RADIUS over TLS / DTLS are in wide-spread use. They should be updated to use TLS 1.3, to require Server Name Indication (which helps with sites hosting multiple authoritative servers), and to move the documents to standards track.

In order to address the 8-bit ID limitation, we also propose to allow for more than 256 packets "in flight" on one connection between client and server. This change will permit higher throughput connections. Some vendors have already implemented their own versions of this work, which has proven to be successful in practice. This behavior should be documented and standardized.
---

  Alan DeKok.

v2.23.0 | Report a Bug | By Email