IETF Logo Mail Archive

Re: [radext] Proposed charter text based on IETF-115 BoF

Bernard Aboba <bernard.aboba@gmail.com> Mon, 28 November 2022 21:52 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 382C2C14CF03 for <radext@ietfa.amsl.com>; Mon, 28 Nov 2022 13:52:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OvDAwom6IvLn for <radext@ietfa.amsl.com>; Mon, 28 Nov 2022 13:52:46 -0800 (PST)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0404EC14CEE8 for <radext@ietf.org>; Mon, 28 Nov 2022 13:52:45 -0800 (PST)
Received: by mail-ej1-x629.google.com with SMTP id n20so29385617ejh.0 for <radext@ietf.org>; Mon, 28 Nov 2022 13:52:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bgLpvuC/LCtYGxULTlPWAellLM4sxtbPUBaqRuFJI5E=; b=pfX1LTDpwX1OBFkwxoAVMX8450G1nzZ4BsK4Ic28unLM3ZIrY9ItVz6ZbOv9d3PdUh h93gOSad/DKW+pwIyK+NHUE9deiEVIl+fLiyytAxFyhOCpGPlYXbs1LQulfnUNGWCMvb /6uIgIa1cZqs1QSQWVx6zayRHqkuOO1glPbyWPXJTEMVN5B+7CFE6o6PHOOxWhjVG5Na fZgsrXvh9/MLQ0z1CQuYMrMygayIn6w//PtPcqR2HobK82G2jqjMQ35ITCt2BfOY+vOc MXXy4C7rXgutiouR0jkZq/EHgIoyWeipIMYZcPBsqjGdZogMk+/Rdg+j2UUzNgUIR3+O XMmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bgLpvuC/LCtYGxULTlPWAellLM4sxtbPUBaqRuFJI5E=; b=oxenH1AW/iORL4xlNtvFYvA8BKxGrz8ROwmrlgWrw+eaDwTINnuirwDw3MEFDg6stE Gv3MDMKj7bbrTWK0a0JskxxqoBrtv+fpApIjoofie5MM2a+NgLIaoH+S39ATe/5/xRSp UJ/N1Gt5cn5sFTiym1s+FZGiLbxjt8aHVix3GYrK0oxcr4Kmw0qJ9MArvd+5lAkEkI8S Y7r+Dj2ZUFSWIRGFSKmwv05/QBdjKf24+cK3X4iy9ILcet8g/kJiFZLOSxGQlkGAOwqH eUQyW2gFKnCrapCaBXMb7ZaK8p+sexW0MPg1TaOUqUtoBQvyH+dhkfRcFki5BA2jXDhd iKJQ==
X-Gm-Message-State: ANoB5pkDTf068b5SSIZoavPqcrrilh9Prbwjgf2ebROV/GIu9z0gih2w 62HhqzAZ6ONiLcwxQIDw+n9tkqzGLiic8FwQGJbbxnhz550S7w==
X-Google-Smtp-Source: AA0mqf69+c4sTIRKAIvOQ3ILOEMbPXhOhoIBrS7ztpNTFbsXm5yXBK1ASEIuSoGhzB51r0udWiv0qF/uvcONm0pBqho=
X-Received: by 2002:a17:906:924e:b0:782:2d3e:6340 with SMTP id c14-20020a170906924e00b007822d3e6340mr45674738ejx.234.1669672363950; Mon, 28 Nov 2022 13:52:43 -0800 (PST)
MIME-Version: 1.0
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com> <E82B0ECD-4580-4F35-B07B-35685CFC5C44@aiven.io> <883f3572-121f-5ed8-7378-1a91c5525f88@iea-software.com> <EAAC2507-5D29-4453-8881-BC8D9D5314D8@deployingradius.com> <CAOW+2dsKg_H9f3zRUnanCpgGO+G=VPyxzWa9hsrCJCpsnoBsxA@mail.gmail.com> <7CB701B8-BD8F-4ADC-9265-12FC7EBE8FB6@deployingradius.com> <CAOW+2dtDkN3Hvk1vmuyJYGP9KS5WaGDenwQBb7-g12e6SxvEzw@mail.gmail.com> <05f4711f-4f9f-7bb6-e04f-b3c9ebc73202@dfn.de> <9e24bb0f-b12b-8235-3e88-65d4c59f205c@newtoncomputing.co.uk> <e94b8273-6189-efc4-dfa5-3ab3bacbdac6@dfn.de> <7cdb23d1-1d91-71ed-14ee-157315beb278@newtoncomputing.co.uk> <7604703a-075f-7ad6-9c85-24e9a0f845fb@dfn.de> <CAA7Lko9wSP0E8tSQwQ4uhud-f+OBZf6Nw-EGf0XqLPkg8vpN8A@mail.gmail.com> <6D8C428B-D837-4FFE-9739-99C7C20FF64D@deployingradius.com>
In-Reply-To: <6D8C428B-D837-4FFE-9739-99C7C20FF64D@deployingradius.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Mon, 28 Nov 2022 13:52:32 -0800
Message-ID: <CAOW+2dvxo0cpg5+1W-Tyo=s3Ee7EGWFnn+GgW6juEous+6+dug@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: radext@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002504e905ee8ee4c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/gARLWmFCl87atg-okWcWpSM0ri8>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2022 21:52:48 -0000

Alan said:

"  ALPN is about negotiating which application protocol is inside of
TLS....   i.e. a hop-by-hop RADIUS packet (inside of TLS) which says "I
have this capability".

[BA] Since TLS ALPN negotiation will be "hop by hop", there could be
scenarios where the SRADIUS ALPN could be negotiated on one hop, but not
another.  A RADIUS proxy can do the conversion, but that could yield
unexpected results.

For example, say a company requires that new NAS devices support SRADIUS,
and upgrades the proxy to support SRADIUS.  But because there are still
some legacy devices left, they still have to maintain a legacy RADIUS
server in addition to an SRADIUS server.

Is there a way for the company to make sure that SRADIUS NAS devices
communicate using SRADIUS on each hop?  Or could an SRADIUS NAS
Access-Request end up being routed to a legacy RADIUS server (or a legacy
RADIUS over (D)TLS server)? If the proxy negotiates SRADIUS with the NAS,
but legacy RADIUS or RADIUS over (D)TLS with the server, then even new
devices supporting SRADIUS might not end up talking SRADIUS end-to-end.



On Mon, Nov 28, 2022 at 7:27 AM Alan DeKok <aland@deployingradius.com>
wrote:

> On Nov 28, 2022, at 8:33 AM, Heikki Vatiainen <hvn@radiatorsoftware.com>
> wrote:
> > Would it be a good idea to add ALPN to RFC 6614 (RADIUS over TLS /
> RadSec) update to create a foundation for SRADIUS and other possible future
> enhancements? What ALPN provides appears to be a good match for what's
> needed for RADIUS too. HTTP, for example, seems to have used it with good
> success.
>
>   I would keep the 6614bis document simple and clear.  Adding ALPN to it
> would serve no purpose for that document.
>
> > Maybe ideas, such as reverse CoA draft, could benefit from this too. The
> reverse CoA draft has text about configuration flag and in-band signalling
> to inform the other end about reverse CoA capability, but careful use of
> ALPN might be a solution for this too. By careful I mean, for example, not
> introducing ALPN Protocol IDs for each and every thing.
>
>   ALPN is about negotiating which application protocol is inside of TLS.
> The reverse CoA document is just RADIUS.  So it needs negotiation inside of
> the application layer.
>
>   i.e. a hop-by-hop RADIUS packet (inside of TLS) which says "I have this
> capability".
>
>   Alan DeKok.
>
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
>

v2.23.0 | Report a Bug | By Email