IETF Logo Mail Archive

Re: [radext] Small issues in the ALPN draft

Alan DeKok <aland@deployingradius.com> Mon, 18 March 2024 22:40 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B00E5C14F60D for <radext@ietfa.amsl.com>; Mon, 18 Mar 2024 15:40:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eKjWb4oL5tJv for <radext@ietfa.amsl.com>; Mon, 18 Mar 2024 15:40:00 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 340AEC180B51 for <radext@ietf.org>; Mon, 18 Mar 2024 15:39:59 -0700 (PDT)
Received: from smtpclient.apple (dhcp-809c.meeting.ietf.org [31.133.128.156]) by mail.networkradius.com (Postfix) with ESMTPSA id 97858160D for <radext@ietf.org>; Mon, 18 Mar 2024 22:39:54 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
From: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Tue, 19 Mar 2024 08:39:51 +1000
References: <3a5885c2-fa5a-4aae-a1f4-e79b9456ad94@dfn.de>
To: radext@ietf.org
In-Reply-To: <3a5885c2-fa5a-4aae-a1f4-e79b9456ad94@dfn.de>
Message-Id: <3C061F54-4D3A-4523-AC5B-E744A22A8EA3@deployingradius.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/g9oAx6kOspAbpnZtu0TQ1AVKgK4>
Subject: Re: [radext] Small issues in the ALPN draft
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 22:40:01 -0000

On Mar 18, 2024, at 4:34 PM, Jan-Frederik Rieckers <rieckers@dfn.de> wrote:
> In Section 1 Introduction:
> 
> "All attributes which have simple encodings (i.e. without using MD5 obfuscation), all have the same encoding and meaning as before,"
> 
> remove ", all" in the middle.
> Also I'd remove the "i.e." and replace it with "meaning" or something similar, since only attributes with shared-secret-based MD5-obfuscation are encoded differently.

  Fixed:

* All attributes which have simple encodings (that is, attributes which do not use MD5 obfuscation) have the same encoding and meaning as before,


> In Section 2 Terminology:
> 
> I'd reorder the terminology, so "historic RADIUS/TLS" is ordered after "RADIUS over TLS" and I'd also replace the "RADIUS/TLS" in the description for "Historic RADIUS/TLS" with "RADIUS over TLS", since "RAIDUS/TLS" is defined as RFC6614 and "RADIUS over TLS" as RFC6614 or RFC7360

  I've tweaked this to be clear that "RADIUS over TLS" is used in reference to TLS issues.  i.e. "anything like RADIUS" over "anything like TLS"  In contrast, "historic RADIUS/TLS" is limited to 6614 / 7360 implementations.

  I've taken a pass through the document to confirm / update the uses of both of those terms,

> In Section 3.3:
> 
> One paragraph states that implementations which are set to forbid RADIUS/1.1 behave like RFC6614/RFC7360 implementations, but that is not completely accurate.
> Those implementations may still send "RADIUS/1.0" ALPN in the TLS Client Hello, in fact it is specified (without an RFC2119 modifier) that clients should do that.

  Added a note to that effect:

We reiterate that systems implementing this specification, but which are configured with setting that forbid RADIUS/1.1, will behave largely the same as systems which do not implement this specification.  The only difference is that clients may send the ALPN name "radius/1.0".

> Section 3.3.1:
> 
> As far as I read this section, the text assumes that the packet format of the Protocol-Error packet is equal to RADIUS/1.0, since it mentions the Response Authenticator. The Response Authenticator does not exist in RADIUS/1.1.
> It may be worth to explicitly state which packet format should be used and explicitly state what packet identifier should be used and if other attributes than the one specified are allowed.

  Updated:

... If this is done, the Identifier and Token fields of the Protocol-Error packet cannot be copied from any request, and therefore those fields MUST be set to all zeros.

The Protocol-Error packet SHOULD contain a Reply-Message attribute with a textual string describing the cause of the error.  The packet SHOULD also contain an Error-Cause attribute, with value Unsupported Extension (406).  The packet SHOULD NOT contain other attributes.


> Section 3.3.2:
> 
> "The server ACKs with..."
> I think the "ACK" should be replaced, it's always good to assume that not everyone understands terminology, and although I think most implementers will understand what "to ACK something" means, some may not.

  Updated:

The client sends the ALPN string "radius/1.1.  The server acknowledges this negotiation with a reply of "radius/1.1", and then RADIUS/1.1 is used.

> Section 4.2.1:
> Typo: "For An implementation" -> "For an implementation"

  I can't see that.

> Section 4.2.2:
> The first section states "e.g. TLS transport" for deduplication, but with DTLS we may still need deduplication.
> Since we introduced "TLS" as "TLS or DTLS" in the terminology, it would be good to explicitly exclude DTLS here.

  Updated:

... Where RADIUS does not require deduplication (e.g. TLS transport), the server SHOULD NOT do deduplication.  However, DTLS transport is UDP-based, and therefore still requires deduplication.

> After having read the document again, I'm also not exactly clear about the reasoning behind the 3rd paragraph (closing a connection that re-uses token values).
> Having a rationale behind this specification would be good.

  Updated:

  ...  If it determines that the sender is re-using Token values for distinct outstanding packets, then an error should be logged, and the connection MUST be closed.  There is no way to negotiate correct behavior in the protocol.  Either the parties both operate normally and can communicate, or one end misbehaves, and no communication is possible.


  The idea is that you can't negotiate your way out of protocol violations.  If a server receives two packets at the same time, with the same Token but different packet contents, then the client is broken.  There's no way to say "please follow the spec".

  Alan DeKok.

v2.23.0 | Report a Bug | By Email