Re: [radext] New draft: RFC6614bis (RADIUS/TLS)
Jan-Frederik Rieckers <rieckers@dfn.de> Tue, 25 October 2022 12:13 UTC
Message-ID: <09aad51c-cea0-102b-5353-c5fcd3a2384a@dfn.de>
Date: Tue, 25 Oct 2022 14:13:44 +0200
To: radext@ietf.org
References: <d9a015f8-60a7-8eb1-65e0-ea19633c3784@dfn.de> <7ba979a3-7eca-4d14-86a2-10141ba4b437@app.fastmail.com>
From: Jan-Frederik Rieckers <rieckers@dfn.de>
Organization: DFN e.V.
In-Reply-To: <7ba979a3-7eca-4d14-86a2-10141ba4b437@app.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/h4zSig3w6Q5psFjAbCF3VY1zoDA>
Hello Alexander,

On 25.10.22 13:14, Alexander Clouter wrote:
> I cannot find anything mentioned earlier, but do we now get to remove Message-Authenticator[1]?

No, RADIUS/TLS is "only" a transport, it does not change the RADIUS protocol itself. Removing the Message-Authenticator would mean that the implementations need to handle the packets differently and can't use the same parsing mechanism.

With the current specification, we just wrap the RADIUS communication with the fixed shared secret in a TLS tunnel and could even use a middlebox to handle the encryption/decryption and forward the packet from the middlebox using plain RADIUS. (Not saying this is a good idea, just that it is possible.)

> At the moment Message-Authenticator is a MUST for EAP-Message and the draft Status-Realm-Request[2] attributes.
>
> Not sure what the secret would be in a (D)TLS connection unless we intend to use a hardcoded 'radsec' but then there is still the issue that MD5 is lurking in there.

For removing the MD5 issue see the drafts from Alan, where we define a new transport for RADIUS where we rely on TLS for encryption and integrity protection, so we can finally get rid of the MD5 obfuscation.

https://datatracker.ietf.org/doc/draft-dekok-radext-sradius/

For the RFC6614bis it would be important to keep backward compatibility with the existing implementations, so removing the Message-Authenticator would not be an option.

Greetings
Janfred

-- 
E-Mail: rieckers@dfn.de | Phone: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________
DFN - Deutsches Forschungsnetz | German National Research and Education Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
www.dfn.de
Board: Prof. Dr. Odej Kao (Chair) | Dr. Rainer Bockholt | Christian Zens
Executive Management: Dr. Christian Grimm | Jochem Pattloch
Register of Associations, Charlottenburg Local Court 7729B | VAT ID DE 1366/23822
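The point Janfred makes above, that RADIUS/TLS only wraps an unchanged RADIUS packet and therefore keeps Message-Authenticator and the MD5-based authenticators, is easiest to see in code. The block below is an added example, not code from the original message, from the RFC6614bis draft or from any DFN or IETF implementation. It builds an Access-Request carrying EAP-Message and computes the RFC 3579 Message-Authenticator (HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed), verifies it, and computes the RFC 2865 Response Authenticator (MD5 over Code, ID, Length, Request Authenticator, Attributes and Secret) for an Access-Accept. The secret is a parameter: the same functions run with a per-peer secret over UDP and with the fixed `radsec` secret that RFC 6614 prescribes inside the tunnel. The packet contents, identifiers and the `demo()` helper are constructed for illustration.

```python
"""RADIUS Access-Request/Accept integrity checks that survive RADIUS/TLS
unchanged: Message-Authenticator (RFC 3579) and Response Authenticator
(RFC 2865).  Sample packet contents below are constructed for this example.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
RADSEC_SECRET = b"radsec"   # fixed shared secret mandated by RFC 6614 for RADIUS/TLS


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(body: bytes) -> list:
    """Decode the attribute area into (type, value) tuples, in wire order."""
    out, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out


def build_access_request(secret: bytes, ident: int, req_auth: bytes,
                         username: bytes, eap: bytes) -> bytes:
    """Assemble an Access-Request and fill in Message-Authenticator.
    RFC 3579 3.2: HMAC-MD5 keyed with the shared secret, over the whole
    packet (header, Request Authenticator, attributes) with the
    Message-Authenticator value set to 16 zero bytes."""
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, hdr + attrs, hashlib.md5).digest()
    return hdr + attrs[:-16] + mac        # overwrite the zeroed value


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Recompute the HMAC with the attribute zeroed; constant-time compare."""
    if len(pkt) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    hdr, body = pkt[:20], pkt[20:]
    off, mac, i = None, None, 0
    for atype, value in parse_attrs(body):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            off, mac = i + 2, value
        i += 2 + len(value)
    if off is None:
        return False      # RFC 3579: MUST be present when EAP-Message is present
    zeroed = body[:off] + bytes(16) + body[off + 16:]
    expect = hmac.new(secret, hdr + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expect, mac)


def response_authenticator(secret: bytes, code: int, ident: int,
                           req_auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + req_auth + attrs + secret).digest()


def verify_response(secret: bytes, req_auth: bytes, resp: bytes) -> bool:
    """Check the Response Authenticator of a reply against the request's authenticator."""
    if len(resp) < 20:
        return False
    code, ident, _length = struct.unpack("!BBH", resp[:4])
    expect = response_authenticator(secret, code, ident, req_auth, resp[20:])
    return hmac.compare_digest(expect, resp[4:20])


def demo(secret: bytes = RADSEC_SECRET) -> dict:
    """Constructed exchange: EAP Response/Identity 'user' in an Access-Request,
    then an Access-Accept.  Request Authenticator is fixed here for
    reproducibility; a real client uses 16 random bytes."""
    req_auth = bytes(range(16))
    eap = bytes([2, 1, 0, 9, 1]) + b"user"      # EAP Code=Response, Id=1, Len=9, Type=Identity
    req = build_access_request(secret, 1, req_auth, b"user", eap)
    tampered = req[:30] + bytes([req[30] ^ 0x01]) + req[31:]   # flip a byte inside EAP-Message
    acc_attrs = attr(ATTR_USER_NAME, b"user")
    accept = (struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(acc_attrs))
              + response_authenticator(secret, ACCESS_ACCEPT, 1, req_auth, acc_attrs)
              + acc_attrs)
    return {
        "len": len(req),
        "valid": verify_message_authenticator(secret, req),
        "tampered_valid": verify_message_authenticator(secret, tampered),
        "wrong_secret_valid": verify_message_authenticator(b"other", req),
        "accept_valid": verify_response(secret, req_auth, accept),
    }
```

Because nothing in the packet layout depends on the transport, a RADIUS/TLS implementation can hand the decrypted bytes to exactly the code path used for UDP, with `secret` set to `radsec`; that is also why the MD5 constructions remain in the packet until a new transport (such as the draft referenced above) drops them.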