IETF Logo Mail Archive

Re: [radext] BoF request for IETF 115

Margaret Cullen <margaret@painless-security.com> Thu, 22 September 2022 19:44 UTC

Return-Path: <margaret@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F01DC14F746 for <radext@ietfa.amsl.com>; Thu, 22 Sep 2022 12:44:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=painless-security-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PkLN-JDdlS_J for <radext@ietfa.amsl.com>; Thu, 22 Sep 2022 12:44:44 -0700 (PDT)
Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D653FC14F74A for <radext@ietf.org>; Thu, 22 Sep 2022 12:44:44 -0700 (PDT)
Received: by mail-qt1-x82d.google.com with SMTP id cj27so7068491qtb.7 for <radext@ietf.org>; Thu, 22 Sep 2022 12:44:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=painless-security-com.20210112.gappssmtp.com; s=20210112; h=message-id:in-reply-to:to:references:date:subject:mime-version:from :from:to:cc:subject:date; bh=ZtxIx6iXBQnkR0xG3kG6i6aoumnzY9Y6GoJp3vKyBX0=; b=ch4Ku3VcuLRPqf82Fe86nC4y0Bn24USTU5EuWW5xsZdm/u9rIGup8Wh2nw/XjnMBc8 hRIByDfTQJ7tEla6YrvWtvYyu9KVx+3vKbH3trNfcSxAymUJ8U8gg70FLoaI0tKTYOxu vW0uD4JN7mJ92i9OB7+XhSCcQ9NAMmqEThB+ryQiCYxu6CdTfj/kHchLknwWP+QXzllD 86RjWDT4lCKR8rSwjSz/f6Wh+ZFF/MygSUpIfhirBsX2NE6Z9c9P2mB8vcm6ltZdUw8b 5arp45qycHWAJDw2I3MnIbla5ziCV8ruPunT4sYhPe2DlHwvMdWcXV9bLMIYoHhdK4yx AYIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=message-id:in-reply-to:to:references:date:subject:mime-version:from :x-gm-message-state:from:to:cc:subject:date; bh=ZtxIx6iXBQnkR0xG3kG6i6aoumnzY9Y6GoJp3vKyBX0=; b=S4MQXOmNjhFpb7/ZSxq/86qbpUbkuhyXu+/5Mw1JAj6a770tgByXjfeWMcxu9LSVKp p3oE0hiM6tCY/kDApGYWejMeGo+5Ho3CkVbi9AgUj8jLv8RbT2eSRX3vPjJVxzdqJRcX YTew7NaQPpUEEjmEFaBORvV9zNiU6mTrSvNycIt1gcAKHj8+lorkbyGbz1i7c27xcJaY 41GkMotcJ0nwmWNCbORGiDYzplrXEZvF6mNTfXetu2smgnD2lgphDjPN+D9LAfFfHwKa C16l3CubkxJTWM+xXkaZ6DaesdVRoNxUyHmoxwxeU7lnleHbbC4aWbQ2Qt961v1tTOY0 YImw==
X-Gm-Message-State: ACrzQf15ggv26gWksi2lrE6SiDQJoLvy/lIHIJgNsf/dWtgb+x4aL5gg gG6afjMIMzcKiWEqY4TggIqi4VFhQ7wS8+/eeXd+Ye1TSOWLC6b3pBdsswN45Trtob3cDX+89Q1 ZLaf6laqBsah/N/WkpIum/ml4RiH3XvdeqQxDsm8GRjxjSnrU+8pBQQjVEI5x6tOrTuKmcjrYSl 4NxQ==
X-Google-Smtp-Source: AMsMyM5azYAwq6xGivev5zuAqnwuwlaZQBtaGv2Yxjq5QqvMovXOju2TNyTiah8v6U4L6M/05SY0iw==
X-Received: by 2002:ac8:5e48:0:b0:35c:d4ee:5322 with SMTP id i8-20020ac85e48000000b0035cd4ee5322mr4241152qtx.255.1663875882516; Thu, 22 Sep 2022 12:44:42 -0700 (PDT)
Received: from smtpclient.apple ([2603:3005:1ff6:0:c54e:c7a4:b037:cca8]) by smtp.gmail.com with ESMTPSA id y11-20020a05622a120b00b003434f7483a1sm4095775qtx.32.2022.09.22.12.44.41 for <radext@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 22 Sep 2022 12:44:41 -0700 (PDT)
From: Margaret Cullen <margaret@painless-security.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F984323E-8A4D-4B73-BF9D-16D8061734A6"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Thu, 22 Sep 2022 15:44:41 -0400
References: <LNXP123MB2569B8F0432A96CA9ED5F506887E9@LNXP123MB2569.GBRP123.PROD.OUTLOOK.COM>
To: radext@ietf.org
In-Reply-To: <LNXP123MB2569B8F0432A96CA9ED5F506887E9@LNXP123MB2569.GBRP123.PROD.OUTLOOK.COM>
Message-Id: <1375C9A8-6ADD-4168-B0F7-5AF718C1EA06@painless-security.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/fAXx5J1HHGI_Ier9B4mPeEstLio>
Subject: Re: [radext] BoF request for IETF 115
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Sep 2022 19:44:48 -0000

I support holding this BOF at IETF 115, and I agree that work in this area is important for the continued success of RADIUS.  

Margaret


> From: radext <radext-bounces@ietf.org> on behalf of Alan DeKok <aland@deployingradius.com>
> Sent: Tuesday, 6 September 2022, 21:30
> To: radext@ietf.org <radext@ietf.org>
> Subject: [radext] BoF request for IETF 115
> 
>   I've submitted a BoF request to recharter RADEXT for IETF 115.  The request is at: https://datatracker.ietf.org/doc/bofreq-dekok-bofreq-dekok-radius-extensions-and-security-00/ <https://datatracker.ietf.org/doc/bofreq-dekok-bofreq-dekok-radius-extensions-and-security-00/>
> 
>   It includes a proposed charter.
> 
>   Depending on the opinion of the IESG, the request might be rejected, we might have a BoF, or RADEXT might just be rechartered as WG.
> 
>   The preliminary charter has been shared with the ADs.  It would be good to hear if other people have opinions on (a) the proposal to restart RADEXT, or (b) the charter and work items.
> 
>   The high-level summary was to why we need RADEXT is included here, too.  The link above has more information.
> 
> ---
> There is increasing conflict between the security practices defined in RADIUS and modern cryptographic requirements. The move to RADIUS over TLS / DTLS has helped to secure the base protocol. However, the use of MD4 / MD5 is still "baked into" RADIUS. The use of these digest algorithms makes it impossible to use RADIUS in a FIPS-140 compliant system.
> 
> The WG will define a new SRADIUS which drops all use of MD4 / MD5, and will be suitable for use in a FIPS environment. This work is expected to require only minor changes to existing implementations.
> 
> As part of this effort, the IETF will formally deprecate the use of RADIUS over UDP. There are still many cloud providers sending bare RADIUS packets over the Internet. This practice is insecure, and should be forbidden.
> 
> RADIUS over TLS / DTLS are in wide-spread use. They should be updated to use TLS 1.3, to require Server Name Indication (which helps with sites hosting multiple authoritative servers), and to move the documents to standards track.
> 
> In order to address the 8-bit ID limitation, we also propose to allow for more than 256 packets "in flight" on one connection between client and server. This change will permit higher throughput connections. Some vendors have already implemented their own versions of this work, which has proven to be successful in practice. This behavior should be documented and standardized.
> ---
> 
>   Alan DeKok.
> 
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext <https://www.ietf.org/mailman/listinfo/radext>
>

v2.23.0 | Report a Bug | By Email