Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt

Alan DeKok <aland@deployingradius.com> Mon, 02 October 2023 14:54 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <17676.1695222342@localhost>
Date: Mon, 02 Oct 2023 10:54:40 -0400
Cc: radext@ietf.org
Message-Id: <A0FECA36-40C7-47F0-B948-88E72CE17A28@deployingradius.com>
References: <169290062850.51444.4789101133837195921@ietfa.amsl.com> <EFF9D14C-6714-4168-8C2D-A03DCB9ADFFB@deployingradius.com> <B88BB843-C4C3-418F-A6CA-4F360EB67C95@deployingradius.com> <CAA7Lko_oL5Oy9T52JnwUiaZDvUhwed8hivysoSuqY1jhXF=Ziw@mail.gmail.com> <8081E8F9-3818-43ED-8C82-3EBB093BCDBB@deployingradius.com> <CAA7Lko8sDWY1nJxn1BkG0M1pLRuoOQhvnZvorLgZxBEBdzLPbA@mail.gmail.com> <17676.1695222342@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/bKKeNrdK8eZ3tl4EJVRh-A8OA8U>
Subject: Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>

On Sep 20, 2023, at 11:05 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> It seems that one ought to be able to take the good old radius secret and run
> it through a suitable keyed hash function such that a different key is used for
> TLS 1.2 and 1.3.
> (In particular, DTLS 1.3 is likely unavailable on many platforms for some time)
> 
> This seems to be the best way to accomplish automatic upgrade to TLS.
> 
> Am I missing something as to why this isn't being specified?

  I think people are scared of doing more crypto work in RADEXT.

  I would very much like to push all security requirements to TLS.  While we could do some things in RADEXT, other applications are likely to have similar issues.  So any fix here would be more of a band-aid than a proven security improvement.

  Alan DeKok.
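The derivation Michael sketches above (run the existing RADIUS shared secret through a keyed hash so that TLS 1.2 and TLS 1.3 end up with different PSKs), as an added illustration that is not part of this thread and not something draft-ietf-radext-tls-psk specifies; Alan's reply explains why the working group did not take it up. The code below uses HKDF (RFC 5869) over HMAC-SHA256 from the Python standard library and includes the RFC 5869 test case 1 vectors as a self-check. The context labels "radsec psk tls1.2" / "radsec psk tls1.3", the empty salt, the 32-byte output length, and the sample secret "testing123" are all assumptions chosen for the example.

```python
"""Derive distinct TLS 1.2 / TLS 1.3 PSKs from one RADIUS shared secret.

Added example, not from the draft or from either poster.  HKDF (RFC 5869)
with HMAC-SHA256; the context labels and output length are assumptions.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM); empty salt -> HashLen zeros."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), i = 1..n."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output length exceeds HKDF limit")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


# Assumed, illustrative context labels: the version string is what keeps the
# two derived keys apart.  The draft defines no such labels.
LABELS = {
    "1.2": b"radsec psk tls1.2",
    "1.3": b"radsec psk tls1.3",
}


def derive_psk(radius_secret: str, tls_version: str, length: int = 32) -> bytes:
    """Return a per-TLS-version PSK keyed by the RADIUS shared secret.

    The secret is the HKDF input keying material; the TLS version selects the
    HKDF info string, so the 1.2 and 1.3 keys are unrelated as far as HMAC's
    PRF property holds.  This adds no entropy: a guessable RADIUS secret still
    yields guessable PSKs.
    """
    if not radius_secret:
        raise ValueError("RADIUS shared secret must not be empty")
    try:
        info = LABELS[tls_version]
    except KeyError:
        raise ValueError(f"unsupported TLS version {tls_version!r}") from None
    prk = hkdf_extract(b"", radius_secret.encode("utf-8"))  # assumed empty salt
    return hkdf_expand(prk, info, length)


def hkdf_known_answer_ok() -> bool:
    """Check the implementation against RFC 5869 Appendix A test case 1."""
    ikm = b"\x0b" * 22
    salt = bytes(range(13))  # 0x00..0x0c
    info = bytes(range(0xF0, 0xFA))  # 0xf0..0xf9
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (
        prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        and okm.hex()
        == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )


def demo():
    """Derive both PSKs from a constructed sample secret (not a real one)."""
    secret = "testing123"
    return derive_psk(secret, "1.2"), derive_psk(secret, "1.3")


if __name__ == "__main__":
    assert hkdf_known_answer_ok()
    k12, k13 = demo()
    print("TLS 1.2 PSK:", k12.hex())
    print("TLS 1.3 PSK:", k13.hex())
```

Both sides of a RADIUS/TLS connection would have to apply the identical derivation and labels, which is exactly the extra crypto agreement in RADEXT that Alan's reply argues against; and because a KDF cannot manufacture entropy, the derived PSKs are only as strong as the RADIUS secret they come from.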