Re: [radext] Server identity and RFC7585bis (was: Review of draft-ietf-radext-radiusdtls)
"Mark Grayson (mgrayson)" <mgrayson@cisco.com> Wed, 10 April 2024 07:58 UTC
From: "Mark Grayson (mgrayson)" <mgrayson@cisco.com>
To: Jan-Frederik Rieckers <rieckers@dfn.de>, "radext@ietf.org" <radext@ietf.org>
Date: Wed, 10 Apr 2024 07:58:21 +0000
Message-ID: <PH0PR11MB5928CD1EB7DBD5349EB84055D2062@PH0PR11MB5928.namprd11.prod.outlook.com>
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <18ef8267-474e-49ae-9204-0c6c79d5e50c@dfn.de> <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de>
In-Reply-To: <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/hU3Vxz9DTCYNAFyuNJyPRV3q85U>
As it relates to 7585, WBA recently had to clarify the same in terms of cache TTL, but also a recommendation on maximum TCP lifetime for dynamic connections: there are some scenarios where significant traffic between access providers and identity providers means any idle timeout is never triggered and the dynamic connection becomes persistent, which then prevents the identity provider from gracefully terminating connections on an old server instance.

* M

From: radext <radext-bounces@ietf.org> on behalf of Jan-Frederik Rieckers <rieckers@dfn.de>
Date: Wednesday, 10 April 2024 at 08:35
To: radext@ietf.org <radext@ietf.org>
Subject: [radext] Server identity and RFC7585bis (was: Review of draft-ietf-radext-radiusdtls)

On 20.03.24 03:55, Jan-Frederik Rieckers wrote:
>> ... If a RADIUS/(D)TLS client has multiple connections to a server,
>> it MUST NOT decide to mark the whole server as DOWN until all
>> connections to it have been marked DOWN.
>>
>> Maybe add a discussion of what, exactly, is a "server". Destination
>> IP? How is this affected by RFC 7585 dynamic DNS lookups?
>
> I've added a TODO for after the IETF.

I've started to write a section to explain how a server is uniquely identified, but I am failing to come up with anything other than destination IP address and destination port. Is there some better qualifier?

I'm not sure if this warrants a whole section "Server Identity" which basically just says "If it's the same IP addr and port, it's the same server".

This would probably still be the same with dynamic lookups. If you already have a standing session with the server, then you wouldn't need to open a new connection. Just save the reference to the server in your dynamic lookup table.

This also opens up the discussion about RFC 7585 again. This is currently an experimental RFC too, with one Erratum in "hold for document update", so we could issue a -bis document there too. I'd be happy to get the ball rolling on that one too, if there is interest.
Cheers,
Janfred

--
Mr Jan-Frederik Rieckers
Security, Trust & Identity Services
E-Mail: rieckers@dfn.de | Phone: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________
DFN - Deutsches Forschungsnetz | German National Research and Education Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de
Board (Vorstand): Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian Zens
Management (Geschäftsführung): Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729B | USt.-ID. DE 136623822
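The two points raised in this exchange, a server being identified by destination IP address and port (so realms that resolve to the same pair share a standing connection, and the server is DOWN only once all its connections are DOWN), and a busy dynamic connection never hitting its idle timeout unless a maximum lifetime is also enforced, are sketched below as client-side bookkeeping. This is an added illustration written for this page, not code from the draft, from WBA, or from any RADIUS implementation; the `DynamicPeerPool` class, the resolver callback shape `realm -> (ip, port, dns_ttl)`, and the sample realms and addresses are all constructed for the example.

```python
"""Connection bookkeeping for a RADIUS/(D)TLS client using dynamic discovery.
Added example: the class, resolver shape and sample data are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ServerKey:
    """A server is identified by destination IP address and port (as discussed
    in the thread); two realms resolving to the same pair are the same server."""
    ip: str
    port: int


@dataclass
class Connection:
    server: ServerKey
    opened_at: float
    last_used: float
    up: bool = True


# Hypothetical resolver signature: realm -> (ip, port, dns_ttl_seconds).
Resolver = Callable[[str], Tuple[str, int, float]]


class DynamicPeerPool:
    def __init__(self, resolver: Resolver, idle_timeout: float,
                 max_lifetime: float, max_cache_ttl: float) -> None:
        self.resolver = resolver
        self.idle_timeout = idle_timeout      # close after this much inactivity
        self.max_lifetime = max_lifetime      # close even if never idle
        self.max_cache_ttl = max_cache_ttl    # cap on how long a lookup is cached
        self.lookup_cache: Dict[str, Tuple[ServerKey, float]] = {}  # realm -> (server, expiry)
        self.connections: Dict[ServerKey, List[Connection]] = {}

    def resolve(self, realm: str, now: float) -> ServerKey:
        """Dynamic lookup table: reuse a cached server reference until it expires."""
        cached = self.lookup_cache.get(realm)
        if cached is not None and cached[1] > now:
            return cached[0]
        ip, port, dns_ttl = self.resolver(realm)
        key = ServerKey(ip, port)
        # Cap the cache lifetime so a realm cannot pin a stale server indefinitely.
        self.lookup_cache[realm] = (key, now + min(dns_ttl, self.max_cache_ttl))
        return key

    def _expired(self, conn: Connection, now: float) -> bool:
        idle = now - conn.last_used >= self.idle_timeout
        too_old = now - conn.opened_at >= self.max_lifetime
        return idle or too_old

    def connection_for(self, realm: str, now: float) -> Connection:
        """Return a standing connection to the realm's server, opening one only if needed."""
        key = self.resolve(realm, now)
        for conn in self.connections.get(key, []):
            if conn.up and not self._expired(conn, now):
                conn.last_used = now
                return conn
        conn = Connection(key, opened_at=now, last_used=now)
        self.connections.setdefault(key, []).append(conn)
        return conn

    def reap(self, now: float) -> List[Connection]:
        """Close connections that are idle too long OR older than max_lifetime."""
        closed: List[Connection] = []
        for key, conns in self.connections.items():
            self.connections[key] = [c for c in conns if not self._expired(c, now)]
            closed.extend(c for c in conns if self._expired(c, now))
        return closed

    def mark_down(self, conn: Connection) -> None:
        conn.up = False

    def server_is_down(self, key: ServerKey) -> bool:
        """The whole server is DOWN only when every connection to it is DOWN."""
        conns = self.connections.get(key, [])
        return bool(conns) and all(not c.up for c in conns)


def constructed_resolver(realm: str) -> Tuple[str, int, float]:
    # Constructed sample data: two realms served by the same host and port.
    table = {"example.org": ("192.0.2.10", 2083, 300.0),
             "example.net": ("192.0.2.10", 2083, 300.0),
             "example.com": ("192.0.2.20", 2083, 60.0)}
    return table[realm]


def demo() -> dict:
    pool = DynamicPeerPool(constructed_resolver, idle_timeout=60.0,
                           max_lifetime=3600.0, max_cache_ttl=120.0)
    key = ServerKey("192.0.2.10", 2083)
    first = pool.connection_for("example.org", now=0.0)
    second = pool.connection_for("example.net", now=1.0)   # same IP:port -> reused
    # Busy path: one request every 10 s, so the 60 s idle timeout never fires.
    t = 1.0
    while t < 3590.0:
        t += 10.0
        pool.connection_for("example.org", now=t)
    reaped_while_busy = pool.reap(now=t)         # t == 3591: neither limit reached
    reaped_at_lifetime = pool.reap(now=3601.0)   # not idle, but past max_lifetime
    connections_after_reap = len(pool.connections[key])
    pool.resolve("example.com", now=50.0)        # DNS TTL 60 < cap 120 -> expires at 110
    c1 = pool.connection_for("example.org", now=4000.0)
    pool.mark_down(c1)
    c2 = pool.connection_for("example.net", now=4001.0)  # c1 is DOWN, so a new one opens
    down_with_one_up = pool.server_is_down(key)
    pool.mark_down(c2)
    return {"shared_connection": first is second,
            "reaped_while_busy": len(reaped_while_busy),
            "reaped_at_lifetime": len(reaped_at_lifetime),
            "connections_after_reap": connections_after_reap,
            "example_com_cache_expiry": pool.lookup_cache["example.com"][1],
            "down_with_one_up": down_with_one_up,
            "down_with_all_down": pool.server_is_down(key)}
```

The lifetime cap is what lets an identity provider drain an old server instance: once `max_lifetime` passes, the client closes and re-resolves even though the connection was never idle, so a changed lookup result takes effect. Without it the busy connection in `demo()` would stay open indefinitely.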