IETF Logo Mail Archive

Re: [radext] Proposed charter text based on IETF-115 BoF

Alan DeKok <aland@deployingradius.com> Mon, 21 November 2022 20:36 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF36DC14CF12 for <radext@ietfa.amsl.com>; Mon, 21 Nov 2022 12:36:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b0Yavq2eSb-Y for <radext@ietfa.amsl.com>; Mon, 21 Nov 2022 12:36:05 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45AABC14CEED for <radext@ietf.org>; Mon, 21 Nov 2022 12:36:04 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id E4EA6535; Mon, 21 Nov 2022 20:35:57 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAGL5yWYTzvN1SgL8ordMvenhDGMs-EZw32+U32_4jeR9mqGciQ@mail.gmail.com>
Date: Mon, 21 Nov 2022 15:35:56 -0500
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <81A072E3-88E2-432F-8672-A068DF41FAB4@deployingradius.com>
References: <CAGL5yWYTzvN1SgL8ordMvenhDGMs-EZw32+U32_4jeR9mqGciQ@mail.gmail.com>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/a9aWMl7rsIJtmxI3UHdtlsaxL7A>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Nov 2022 20:36:07 -0000

On Nov 21, 2022, at 3:03 PM, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org> wrote:
> Based on the inputs and discussions during the BoF at IETF-115 we have updated the proposed charter text. It can be found at https://datatracker.ietf.org/doc/charter-ietf-radextra/submit//
> 
> I've included it below.
> 
> Thanks to Stephen Farrell, Alan deKok and Margaret Cullen and everyone at the BoF (local and remote!) for their help.
> 
> Please let us know of any issues but also let us know if you believe the proposed charter is ready

  It looks good, but I'll throw out two additional bits for the WG to discuss.

  After the meeting, Karri, Heikki, and I had a long discussion about the documents.  One of the outcomes was that it may be useful to add two items to the charter:

1) Write a document giving guidance on using TLS-PSK with TLS and DTLS.

2) define (or investigate defining) a "hop by hop" signalling packet.

  Right now, the SRADIUS document has a discussion of TLS-PSK, but that text arguably belongs elsewhere.  The "deprecating insecure transports" document could also refer to a TLS-PSK document, to give guidance on migration to TLS.

  The "reverse CoA" document uses Status-Server for hop-by-hop signalling, but that's arguably overloading its semantics.  It may be useful to define a separate packet type.


  Also, RFC 6614 and RFC 7360 are essentially silent on the subject of TLS-PSK.  So NAS vendors have no idea what to do with TLS-PSK.

  Investigation of NAS equipment shows that many don't support RadSec, OR they don't support TLS-PSK, OR they confuse RADIUS shared secrets with TLS-PSK.  It would be best to give clear guidance on this subject.

  Any TLS-PSK document would focus on guidance for NAS vendors, so it is largely independent of updates to TLS and DTLS transport.  Further, a TLS-PSK document would be relatively short as it would focus on guidance, and not on TLS issues.

  It would be preferable to be able to publish both the"deprecating insecure transports" and SRADIUS documents without having normative dependencies on TLS / DTLS updates.

  So these two work items are not strictly new, but it may be worth calling them out as separate work items.  Otherwise their content would get repeated in other documents, which may make those documents less clear.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email