[radext] Small issues in the ALPN draft
Jan-Frederik Rieckers <rieckers@dfn.de> Mon, 18 March 2024 06:34 UTC
Return-Path: <rieckers@dfn.de>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65434C14F6FC for <radext@ietfa.amsl.com>; Sun, 17 Mar 2024 23:34:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y86l_bkHVDL7 for <radext@ietfa.amsl.com>; Sun, 17 Mar 2024 23:34:41 -0700 (PDT)
Received: from a1004.mx.srv.dfn.de (a1004.mx.srv.dfn.de [IPv6:2001:638:d:c301:acdc:1979:2:58]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9935C14F6BD for <radext@ietf.org>; Sun, 17 Mar 2024 23:34:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:organization:subject:subject:from:from :content-language:user-agent:mime-version:date:date:message-id :received; s=s1; t=1710743671; x=1712558072; bh=xiK3aIQcFzgWB6M0 76bDcQsNpgHRCbnf51jY3qm8Svw=; b=dRz0wVdD4fqlVUGYae62KGyjcYIVyR/b /3S56pTs34dOGSo2XzD1sPf32JUNe0vvzAEO1QMvzIarau/g5Q51TFEc32F/fq1n YlgyK2JjY43S6JZfIyqfwiZ+wB0jmXty3DubCI7o6+UTaUeQAsRFoCC/ykBG9oOE ztw1aJ3wSHY=
Received: from mail.dfn.de (mail.dfn.de [IPv6:2001:638:d:c102::150]) by a1004.mx.srv.dfn.de (Postfix) with ESMTPS id F0FAF2000E9 for <radext@ietf.org>; Mon, 18 Mar 2024 07:34:30 +0100 (CET)
Received: from [IPV6:2001:67c:370:128:7bfd:7fb7:d5b5:18af] (unknown [IPv6:2001:67c:370:128:7bfd:7fb7:d5b5:18af]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.in.dfn.de (Postfix) with ESMTPSA id AE4343D6 for <radext@ietf.org>; Mon, 18 Mar 2024 07:34:28 +0100 (CET)
Message-ID: <3a5885c2-fa5a-4aae-a1f4-e79b9456ad94@dfn.de>
Date: Mon, 18 Mar 2024 16:34:23 +1000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: radext@ietf.org
From: Jan-Frederik Rieckers <rieckers@dfn.de>
Organization: DFN e.V.
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms010600030700030408030309"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/fPFY7ZafCsMVAxqS6AjOqdmO2Zg>
Subject: [radext] Small issues in the ALPN draft
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 06:34:45 -0000
Hi, I've will post my Doc Shepherd Write-Up for the RADIUS ALPN (RADIUSv1.1) draft in a few moments. (I wanted to have the archive link to this mail first) While reading through the document one last time, I've found some small issues. Neither of those issues justify holding the process again, I just want to keep them in mind, maybe get feedback from the other reviewers, if these issues actually exist (for some of the issues), or just to have them in mind for a possibly new version or the Auth48, if no other major issues are found: In Section 1 Introduction: "All attributes which have simple encodings (i.e. without using MD5 obfuscation), all have the same encoding and meaning as before," remove ", all" in the middle. Also I'd remove the "i.e." and replace it with "meaning" or something similar, since only attributes with shared-secret-based MD5-obfuscation are encoded differently. In Section 2 Terminology: I'd reorder the terminology, so "historic RADIUS/TLS" is ordered after "RADIUS over TLS" and I'd also replace the "RADIUS/TLS" in the description for "Historic RADIUS/TLS" with "RADIUS over TLS", since "RAIDUS/TLS" is defined as RFC6614 and "RADIUS over TLS" as RFC6614 or RFC7360 In Section 3.3: One paragraph states that implementations which are set to forbid RADIUS/1.1 behave like RFC6614/RFC7360 implementations, but that is not completely accurate. Those implementations may still send "RADIUS/1.0" ALPN in the TLS Client Hello, in fact it is specified (without an RFC2119 modifier) that clients should do that. Section 3.3.1: As far as I read this section, the text assumes that the packet format of the Protocol-Error packet is equal to RADIUS/1.0, since it mentions the Response Authenticator. The Response Authenticator does not exist in RADIUS/1.1. It may be worth to explicitly state which packet format should be used and explicitly state what packet identifier should be used and if other attributes than the one specified are allowed. Section 3.3.2: "The server ACKs with..." I think the "ACK" should be replaced, it's always good to assume that not everyone understands terminology, and although I think most implementers will understand what "to ACK something" means, some may not. Section 4.2.1: Typo: "For An implementation" -> "For an implementation" Section 4.2.2: The first section states "e.g. TLS transport" for deduplication, but with DTLS we may still need deduplication. Since we introduced "TLS" as "TLS or DTLS" in the terminology, it would be good to explicitly exclude DTLS here. After having read the document again, I'm also not exactly clear about the reasoning behind the 3rd paragraph (closing a connection that re-uses token values). Having a rationale behind this specification would be good. Cheers, Janfred -- Herr Jan-Frederik Rieckers Security, Trust & Identity Services E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370 Pronomen: er/sein | Pronouns: he/him __________________________________________________________________________________ DFN - Deutsches Forschungsnetz | German National Research and Education Network Verein zur Förderung eines Deutschen Forschungsnetzes e.V. Alexanderplatz 1 | 10178 Berlin https://www.dfn.de Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian Zens Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch VR AG Charlottenburg 7729B | USt.-ID. DE 136623822
- [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Alexander Clouter
- Re: [radext] Small issues in the ALPN draft Alan DeKok
- Re: [radext] Small issues in the ALPN draft Jan-Frederik Rieckers
- Re: [radext] Small issues in the ALPN draft Heikki Vatiainen
- Re: [radext] Small issues in the ALPN draft Alan DeKok