IETF Logo Mail Archive

Re: [radext] New draft: RFC6614bis (RADIUS/TLS)

Alan DeKok <aland@deployingradius.com> Mon, 24 October 2022 15:36 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D108C14CE2B for <radext@ietfa.amsl.com>; Mon, 24 Oct 2022 08:36:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XtVqpPlqVqN0 for <radext@ietfa.amsl.com>; Mon, 24 Oct 2022 08:36:24 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 096ACC14CE29 for <radext@ietf.org>; Mon, 24 Oct 2022 08:36:23 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 3ABD641D; Mon, 24 Oct 2022 15:36:19 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <7672c376-e9f2-718f-5586-1c36c8e5d72f@dfn.de>
Date: Mon, 24 Oct 2022 11:36:17 -0400
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <DDD49207-DCEA-4BA3-9C4C-4C33C5F449A5@deployingradius.com>
References: <d9a015f8-60a7-8eb1-65e0-ea19633c3784@dfn.de> <817A08A2-A6E0-43AD-92C4-144D2D4C4D63@deployingradius.com> <7672c376-e9f2-718f-5586-1c36c8e5d72f@dfn.de>
To: Jan-Frederik Rieckers <rieckers@dfn.de>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/enOnhBmOKm07YNf1hOAu8mab-jA>
Subject: Re: [radext] New draft: RFC6614bis (RADIUS/TLS)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 15:36:25 -0000

On Oct 24, 2022, at 11:27 AM, Jan-Frederik Rieckers <rieckers@dfn.de> wrote
>>  This is wrong.  The RADIUS shared secret does not "encrypt RADIUS traffic" when TLS is being used.  I suggest just reverting to the RFC6614 abstract.
> 
> I tried to refer to TLS-PSK here, not to the radius encryption.
> I'll reword it.

  Thanks.  Using "shared secret" in the context of RADIUS *always& means the RADIUS shared secret.

> I wasn't sure if TLSv1.3 is "new enough" to mandate its usage, I have no problem with mandating it.

  It's been around for years.  This specification will be used for years.  So we might as well mandate TLS 1.3 now.

>>   You're banning TLS compression.  Why?
> 
> TLSv1.3 does not have compression, RFC7525 discourages compression if there is a possibility for compression-related attacks.
> So my counter-question would be: Why should we need it?

  I was questioning why the change was made.  It would be good to explain that TLS compression is optional for TLS 1.2 and smaller, and not supported by TLS 1.3.

  i.e. the use of compression (or not) is a property of the TLS transport.  It is not a property of RADIUS/TLS.  As such, this document should defer to TLS for TLS functionality.

>>   Removing the Diameter Compatibility section is fine.
>>   A lot of other text has changed, and it's not clear why.  Security information and recommendations have been removed.
>>   It would be good to add text describing operational experience with RADIUS/TLS.  The purpose of the experiment was to see what worked.  So... what were the results?
> 
> Definitely. I'm only aware of the RADIUS/TLS deployment in eduroam, if there are other persons willing to share more operational experience, please feel free to speak up :)

  I hope so.  But We might be waiting a while.  :(

  Alan DeKok.

v2.23.0 | Report a Bug | By Email