Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
Sam Hartman <hartmans@painless-security.com> Fri, 05 April 2013 13:33 UTC
Return-Path: <hartmans@painless-security.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2AE821F977B for <radext@ietfa.amsl.com>; Fri, 5 Apr 2013 06:33:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iVqdrUPtwHVU for <radext@ietfa.amsl.com>; Fri, 5 Apr 2013 06:33:47 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 1360C21F9680 for <radext@ietf.org>; Fri, 5 Apr 2013 06:33:47 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (c-98-216-0-82.hsd1.ma.comcast.net [98.216.0.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS id 8E1C020219; Fri, 5 Apr 2013 09:32:30 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id A88404497; Fri, 5 Apr 2013 09:33:44 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: Alan DeKok <aland@deployingradius.com>
References: <1A5FDF7C-9E93-447E-A103-9700349CB2F5@gmail.com> <alpine.WNT.2.00.1304021450180.3988@SMURF> <515C3604.3040406@deployingradius.com> <alpine.WNT.2.00.1304042021411.3988@SMURF> <tslli8xnoms.fsf@mit.edu> <515ED047.3040200@deployingradius.com>
Date: Fri, 05 Apr 2013 09:33:44 -0400
In-Reply-To: <515ED047.3040200@deployingradius.com> (Alan DeKok's message of "Fri, 05 Apr 2013 09:23:19 -0400")
Message-ID: <tslehepnltz.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: radext@ietf.org, Peter Deacon <peterd@iea-software.com>, radext-chairs@tools.ietf.org
Subject: Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 13:33:47 -0000
>>>>> "Alan" == Alan DeKok <aland@deployingradius.com> writes:
Alan> Transitioning to DTLS is a process which needs to be done
Alan> carefully. A poorly handled transition is complex for
Alan> administrators, and potentially subject to security downgrade
Alan> attacks. It is not sufficient to just disable RADIUS/UDP and
Alan> enable RADIUS/DTLS. That approach would result in timeouts,
Alan> lost traffic, and network instabilities.
Alternative:
MOST clients can transition to RADIUS/DTLS by disabling UDP and enabling
RADIUS/DTLS.
Any UDP requests active during the transition will not receive a
response.
Servers need a way to indicate that a particular client is permitted to
send both UDP and DTLS requests during a transition so that timing of
transitions is not closely coordinated on the server and client.
there
Alan> The end result of this specification is that nearly all
Alan> RADIUS/UDP implementations should transition to using
Alan> RADIUS/DTLS. In some cases, RADIUS/UDP may remain where IPSec
Alan> is used as a transport, or where implementation and/or
Alan> business reasons preclude a change. However, long-term use of
Alan> RADIUS/UDP is NOT RECOMMENDED.
I'm uncomfortable with the above statement. I'm not sure that
RADIUS/DTLS is better than RADIUS/TLS. It seems a lot more complex, it
doesn't provide a solution to fragmentation, and I'm not convinced by
the arguments RFC 2865 makes against TCP.
So, I'm not sure I'd support a claim about where the world should go
other than to say away from RADIUS/UDP.
- [radext] WGLC #2 for draft-ietf-radext-dtls-04 Jouni
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Jim Schaad
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Jim Schaad
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Jim Schaad
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Joseph Salowey (jsalowey)
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Jim Schaad
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Dave Nelson
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Arran Cudbard-Bell
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Arran Cudbard-Bell
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Peter Deacon
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Sam Hartman
- Re: [radext] WGLC #2 for draft-ietf-radext-dtls-04 Alan DeKok