Re: [radext] Proposed charter text based on IETF-115 BoF
Bernard Aboba <bernard.aboba@gmail.com> Mon, 28 November 2022 21:52 UTC
Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 382C2C14CF03 for <radext@ietfa.amsl.com>; Mon, 28 Nov 2022 13:52:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OvDAwom6IvLn for <radext@ietfa.amsl.com>; Mon, 28 Nov 2022 13:52:46 -0800 (PST)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0404EC14CEE8 for <radext@ietf.org>; Mon, 28 Nov 2022 13:52:45 -0800 (PST)
Received: by mail-ej1-x629.google.com with SMTP id n20so29385617ejh.0 for <radext@ietf.org>; Mon, 28 Nov 2022 13:52:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bgLpvuC/LCtYGxULTlPWAellLM4sxtbPUBaqRuFJI5E=; b=pfX1LTDpwX1OBFkwxoAVMX8450G1nzZ4BsK4Ic28unLM3ZIrY9ItVz6ZbOv9d3PdUh h93gOSad/DKW+pwIyK+NHUE9deiEVIl+fLiyytAxFyhOCpGPlYXbs1LQulfnUNGWCMvb /6uIgIa1cZqs1QSQWVx6zayRHqkuOO1glPbyWPXJTEMVN5B+7CFE6o6PHOOxWhjVG5Na fZgsrXvh9/MLQ0z1CQuYMrMygayIn6w//PtPcqR2HobK82G2jqjMQ35ITCt2BfOY+vOc MXXy4C7rXgutiouR0jkZq/EHgIoyWeipIMYZcPBsqjGdZogMk+/Rdg+j2UUzNgUIR3+O XMmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bgLpvuC/LCtYGxULTlPWAellLM4sxtbPUBaqRuFJI5E=; b=oxenH1AW/iORL4xlNtvFYvA8BKxGrz8ROwmrlgWrw+eaDwTINnuirwDw3MEFDg6stE Gv3MDMKj7bbrTWK0a0JskxxqoBrtv+fpApIjoofie5MM2a+NgLIaoH+S39ATe/5/xRSp UJ/N1Gt5cn5sFTiym1s+FZGiLbxjt8aHVix3GYrK0oxcr4Kmw0qJ9MArvd+5lAkEkI8S Y7r+Dj2ZUFSWIRGFSKmwv05/QBdjKf24+cK3X4iy9ILcet8g/kJiFZLOSxGQlkGAOwqH eUQyW2gFKnCrapCaBXMb7ZaK8p+sexW0MPg1TaOUqUtoBQvyH+dhkfRcFki5BA2jXDhd iKJQ==
X-Gm-Message-State: ANoB5pkDTf068b5SSIZoavPqcrrilh9Prbwjgf2ebROV/GIu9z0gih2w 62HhqzAZ6ONiLcwxQIDw+n9tkqzGLiic8FwQGJbbxnhz550S7w==
X-Google-Smtp-Source: AA0mqf69+c4sTIRKAIvOQ3ILOEMbPXhOhoIBrS7ztpNTFbsXm5yXBK1ASEIuSoGhzB51r0udWiv0qF/uvcONm0pBqho=
X-Received: by 2002:a17:906:924e:b0:782:2d3e:6340 with SMTP id c14-20020a170906924e00b007822d3e6340mr45674738ejx.234.1669672363950; Mon, 28 Nov 2022 13:52:43 -0800 (PST)
MIME-Version: 1.0
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com> <E82B0ECD-4580-4F35-B07B-35685CFC5C44@aiven.io> <883f3572-121f-5ed8-7378-1a91c5525f88@iea-software.com> <EAAC2507-5D29-4453-8881-BC8D9D5314D8@deployingradius.com> <CAOW+2dsKg_H9f3zRUnanCpgGO+G=VPyxzWa9hsrCJCpsnoBsxA@mail.gmail.com> <7CB701B8-BD8F-4ADC-9265-12FC7EBE8FB6@deployingradius.com> <CAOW+2dtDkN3Hvk1vmuyJYGP9KS5WaGDenwQBb7-g12e6SxvEzw@mail.gmail.com> <05f4711f-4f9f-7bb6-e04f-b3c9ebc73202@dfn.de> <9e24bb0f-b12b-8235-3e88-65d4c59f205c@newtoncomputing.co.uk> <e94b8273-6189-efc4-dfa5-3ab3bacbdac6@dfn.de> <7cdb23d1-1d91-71ed-14ee-157315beb278@newtoncomputing.co.uk> <7604703a-075f-7ad6-9c85-24e9a0f845fb@dfn.de> <CAA7Lko9wSP0E8tSQwQ4uhud-f+OBZf6Nw-EGf0XqLPkg8vpN8A@mail.gmail.com> <6D8C428B-D837-4FFE-9739-99C7C20FF64D@deployingradius.com>
In-Reply-To: <6D8C428B-D837-4FFE-9739-99C7C20FF64D@deployingradius.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Mon, 28 Nov 2022 13:52:32 -0800
Message-ID: <CAOW+2dvxo0cpg5+1W-Tyo=s3Ee7EGWFnn+GgW6juEous+6+dug@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: radext@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002504e905ee8ee4c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/gARLWmFCl87atg-okWcWpSM0ri8>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2022 21:52:48 -0000
Alan said: " ALPN is about negotiating which application protocol is inside of TLS.... i.e. a hop-by-hop RADIUS packet (inside of TLS) which says "I have this capability". [BA] Since TLS ALPN negotiation will be "hop by hop", there could be scenarios where the SRADIUS ALPN could be negotiated on one hop, but not another. A RADIUS proxy can do the conversion, but that could yield unexpected results. For example, say a company requires that new NAS devices support SRADIUS, and upgrades the proxy to support SRADIUS. But because there are still some legacy devices left, they still have to maintain a legacy RADIUS server in addition to an SRADIUS server. Is there a way for the company to make sure that SRADIUS NAS devices communicate using SRADIUS on each hop? Or could an SRADIUS NAS Access-Request end up being routed to a legacy RADIUS server (or a legacy RADIUS over (D)TLS server)? If the proxy negotiates SRADIUS with the NAS, but legacy RADIUS or RADIUS over (D)TLS with the server, then even new devices supporting SRADIUS might not end up talking SRADIUS end-to-end. On Mon, Nov 28, 2022 at 7:27 AM Alan DeKok <aland@deployingradius.com> wrote: > On Nov 28, 2022, at 8:33 AM, Heikki Vatiainen <hvn@radiatorsoftware.com> > wrote: > > Would it be a good idea to add ALPN to RFC 6614 (RADIUS over TLS / > RadSec) update to create a foundation for SRADIUS and other possible future > enhancements? What ALPN provides appears to be a good match for what's > needed for RADIUS too. HTTP, for example, seems to have used it with good > success. > > I would keep the 6614bis document simple and clear. Adding ALPN to it > would serve no purpose for that document. > > > Maybe ideas, such as reverse CoA draft, could benefit from this too. The > reverse CoA draft has text about configuration flag and in-band signalling > to inform the other end about reverse CoA capability, but careful use of > ALPN might be a solution for this too. By careful I mean, for example, not > introducing ALPN Protocol IDs for each and every thing. > > ALPN is about negotiating which application protocol is inside of TLS. > The reverse CoA document is just RADIUS. So it needs negotiation inside of > the application layer. > > i.e. a hop-by-hop RADIUS packet (inside of TLS) which says "I have this > capability". > > Alan DeKok. > > _______________________________________________ > radext mailing list > radext@ietf.org > https://www.ietf.org/mailman/listinfo/radext >
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- [radext] Proposed charter text based on IETF-115 … Paul Wouters
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Paul Wouters
- Re: [radext] Proposed charter text based on IETF-… Peter Deacon
- Re: [radext] Proposed charter text based on IETF-… Michael Richardson
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Peter Deacon
- Re: [radext] Proposed charter text based on IETF-… josh.howlett
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Michael Richardson
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Paul Wouters
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Peter Deacon
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Alexander Clouter
- [radext] Liaison to government agencies Bernard Aboba
- Re: [radext] Liaison to government agencies Stephen Farrell
- Re: [radext] Liaison to government agencies Bernard Aboba
- Re: [radext] Liaison to government agencies Stephen Farrell
- Re: [radext] Proposed charter text based on IETF-… Michael Richardson
- Re: [radext] Liaison to government agencies Bernard Aboba
- Re: [radext] Liaison to government agencies Stephen Farrell
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Paul Wouters
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alexander Clouter
- Re: [radext] Proposed charter text based on IETF-… Alexander Clouter
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alexander Clouter
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Matthew Newton
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Matthew Newton
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Heikki Vatiainen
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Jan-Frederik Rieckers
- Re: [radext] Proposed charter text based on IETF-… Heikki Vatiainen
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… Bernard Aboba
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Proposed charter text based on IETF-… josh.howlett
- Re: [radext] Proposed charter text based on IETF-… Margaret Cullen
- Re: [radext] Proposed charter text based on IETF-… Alan DeKok
- Re: [radext] Liaison to government agencies Margaret Cullen
- Re: [radext] Liaison to government agencies Margaret Cullen
- Re: [radext] Liaison to government agencies Bernard Aboba
- Re: [radext] Liaison to government agencies Bernard Aboba
- Re: [radext] Liaison to government agencies Alan DeKok
- Re: [radext] Liaison to government agencies Alexander Clouter
- Re: [radext] Liaison to government agencies Behcet Sarikaya