Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
Alan DeKok <aland@deployingradius.com> Sun, 07 April 2013 00:02 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43E1921F8B96 for <radext@ietfa.amsl.com>; Sat, 6 Apr 2013 17:02:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RJZ+xMX39zcm for <radext@ietfa.amsl.com>; Sat, 6 Apr 2013 17:02:16 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9918F21F8B64 for <radext@ietf.org>; Sat, 6 Apr 2013 17:02:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id A9AF02240D85; Sun, 7 Apr 2013 02:02:16 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JoMhJHqKHXxU; Sun, 7 Apr 2013 02:02:15 +0200 (CEST)
Received: from Thor-2.local (bas1-ottawa11-1176224750.dsl.bell.ca [70.27.195.238]) by power.freeradius.org (Postfix) with ESMTPSA id 1BF812240D25; Sun, 7 Apr 2013 02:02:14 +0200 (CEST)
Message-ID: <5160B785.8070703@deployingradius.com>
Date: Sat, 06 Apr 2013 20:02:13 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Peter Deacon <peterd@iea-software.com>
References: <1A5FDF7C-9E93-447E-A103-9700349CB2F5@gmail.com> <alpine.WNT.2.00.1304021450180.3988@SMURF> <515C3604.3040406@deployingradius.com> <alpine.WNT.2.00.1304042021411.3988@SMURF> <tslli8xnoms.fsf@mit.edu> <515ED047.3040200@deployingradius.com> <alpine.WNT.2.00.1304051020120.3988@SMURF> <5160255B.40409@deployingradius.com> <alpine.WNT.2.00.1304060913320.3988@SMURF>
In-Reply-To: <alpine.WNT.2.00.1304060913320.3988@SMURF>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Sam Hartman <hartmans@painless-security.com>, radext-chairs@tools.ietf.org, radext@ietf.org
Subject: Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Apr 2013 00:02:17 -0000
Peter Deacon wrote: > Requests from unknown IPs by itself is not useful. Normally access to > the RADIUS request (NAS-ID) often provides relevant clue. That's not part of standard RADIUS. If you have a proprietary extension, you're responsible for ensuring it works. The IETF isn't. > I apologize for any misunderstanding. The migration would be in the > client rather than server. They would both have flags but the automatic > upgrade with memory to prevent downgrade would be handled at the client. That won't pass security review. Having the server *also* handle client upgrade is a hard requirement. >>> Servers would still maintain flag but it would only be a manually >>> turned knob to indicate security level it is willing to accept. > >> The draft allows it to me administratively configured. > > This appears to be restricted by the current text of the draft. See the > following from section 3.1. The server MUST maintain the flag and > description of "false" value mandates migration using MUST keyword. Quoting the text isn't helpful. I'm sure I've read it. The rest of the draft says: The "DTLS Required" flag MUST be exposed to administrators of the server. As clients are upgraded, administrators can then manually mark them as using RADIUS/DTLS. The "automatic" upgrade path is one which doesn't require administrator intervention. However, it doesn't *prevent* admins from manually forcing a client to do DTLS. Alan DeKok.
- [radext] WGLC #2 for draft-ietf-radext-dtls-04 Jouni
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Jim Schaad
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Jim Schaad
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Jim Schaad
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Joseph Salowey (jsalowey)
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Jim Schaad
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Dave Nelson
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Arran Cudbard-Bell
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Arran Cudbard-Bell
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok