Re: [radext] Fwd: New Version Notification for draft-dekok-radext-deprecating-radius-02.txt
Alexander Clouter <alex+ietf@coremem.com> Tue, 08 August 2023 22:45 UTC
Return-Path: <alex+ietf@coremem.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75F12C151546 for <radext@ietfa.amsl.com>; Tue, 8 Aug 2023 15:45:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="WQezaxDe"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="apjbW8hs"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xUgkynsv9Raj for <radext@ietfa.amsl.com>; Tue, 8 Aug 2023 15:45:20 -0700 (PDT)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24DEEC15153D for <radext@ietf.org>; Tue, 8 Aug 2023 15:45:19 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 2A34432007F9 for <radext@ietf.org>; Tue, 8 Aug 2023 18:45:19 -0400 (EDT)
Received: from imap46 ([10.202.2.96]) by compute5.internal (MEProxy); Tue, 08 Aug 2023 18:45:19 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm2; t=1691534718; x=1691621118; bh=0X P7J3SCINj96Zi+39M6yuLzKxfz4e8Xro8ssZdFrRI=; b=WQezaxDevxmSAy2Mft UjJUEzhGC2qtPrhatgptTFjvM5oO4Zf6RmmNmtGt6l+13lOa8FnIdGAmlrTZYVV8 7/M8Uvk5s6GVt1GYFubrob2a6kypfTbEdk6gFqATJ1vrSsqkn+5t+vwjQ/N688Et 7sCL8e+S1Ml2r/U4OEXlcsf0tg1BjXH+QwvNzFKRBWhlUFYpG85NRD6AbwIPmo7q /EMsA6zlBScdt0ZSKtrST+9jYUkJUTn6K4TBeK3Ku8RePWl/SjPxpPLhrKEtYPSh QYq1sbIDbFriotK+o6uVCMaYw7HZqOUiSyVAhwQSvfkpftCBUsk0JGU+IucIyTyw bwYg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; t=1691534718; x=1691621118; bh=0XP7J3SCINj96 Zi+39M6yuLzKxfz4e8Xro8ssZdFrRI=; b=apjbW8hsUKCW9lsxtLhf424Kc+a2K tdilctmRoDxORfHnYZSCnwlNHCSeQZycyhNf6Turwzmw0KoxkOmew1yeJyD/NNzE fD8QPzV6cw/zG02DtnGnDQIU1BRkIu3VvcF+DpfAAceURkfv10IzEpuOLkfn/dzX COCG3czlX5/IY0r9BOR9KWcSaQ10qRLkxuSVYB6bHRBK1PwaORU0IyP8C5kDo255 URLe4SvLvmfT65iqPz2Y+GV+1pJ4uWjZwoxfS3goN+/pSdFMcY0fb0n+Z2UJkTST fNmItwgLVS67oIw8RMU0ynk1YDeMHXydKuNMUfb16U+getVp6Sbvtt/Mw==
X-ME-Sender: <xms:fsXSZEnLtKe6-TQpnH03Qnjub3mbuyH2Vbw9hXKqqQYh5xOVZsKMDA> <xme:fsXSZD1A4NOK6Za3iCpy0S6Atmsyjvs8zWz99fr4QcsPLYrDMXVBU-b3hOiX5ALXc 9vvhwx0mIr4d6iP7w>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedrleefgddufecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdetlhgvgigrnhguvghrucevlhhouhhtvghrfdcuoegrlhgv gidoihgvthhfsegtohhrvghmvghmrdgtohhmqeenucggtffrrghtthgvrhhnpeegjeehgf eiueduuedufeethfeuvdeiffeggeduveekgedvhefhkeefiedtveekueenucffohhmrghi nhepihgvthhfrdhorhhgpdgrrhgthhhivhgvrdhorhhgpdhrhhhulhdrrggtrdhukhenuc evlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegrlhgvgido ihgvthhfsegtohhrvghmvghmrdgtohhm
X-ME-Proxy: <xmx:fsXSZCqAzsV4MBzBw1LjhPKYk2YD2TAMI7U5JVv7tT1aW4zyvARvqQ> <xmx:fsXSZAm6rZfFeHO5woNHXn0KA6o4xAHAapU4dXjfnfWF3W4-SlMDhg> <xmx:fsXSZC0QrDQJSyTjbSffmu_kjF3_XuMEtGFifBrYv-fvAjEdP7cXww> <xmx:fsXSZDD2bS3SwDRqcWAJeF3aooIqNGzFw3J8bQ3DVI7te_tUQ6BZrg>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 693A72A20085; Tue, 8 Aug 2023 18:45:18 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-624-g7714e4406d-fm-20230801.001-g7714e440
Mime-Version: 1.0
Message-Id: <1b114ab3-aef7-42a3-ad86-375228dbd3ac@app.fastmail.com>
In-Reply-To: <D522C7F4-1080-451D-9ECC-12CDAD23A59D@deployingradius.com>
References: <169033124042.23703.5142311414113665038@ietfa.amsl.com> <D522C7F4-1080-451D-9ECC-12CDAD23A59D@deployingradius.com>
Date: Tue, 08 Aug 2023 23:44:58 +0100
From: Alexander Clouter <alex+ietf@coremem.com>
To: radext@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/i1P4dNLITBsfZyYGFDDC4ft4taM>
Subject: Re: [radext] Fwd: New Version Notification for draft-dekok-radext-deprecating-radius-02.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Aug 2023 22:45:24 -0000
On Wed, 26 Jul 2023, at 01:38, Alan DeKok wrote: > I've added substantial text on how to make existing uses of RADIUS more secure. e.g. use EAP when proxying outside of your local network. > > Thanks to Margaret and the WG for making concrete suggestions at the meeting in SF. > >> Begin forwarded message: >> >> *From: *internet-drafts@ietf.org >> *Subject: **New Version Notification for draft-dekok-radext-deprecating-radius-02.txt* >> *Date: *July 25, 2023 at 5:27:20 PM PDT >> *To: *"Alan DeKok" <aland@freeradius.org> >> >> A new version of I-D, draft-dekok-radext-deprecating-radius-02.txt >> has been successfully submitted by Alan DeKok and posted to the >> IETF repository. >> >> Name: draft-dekok-radext-deprecating-radius >> Revision: 02 >> Title: Deprecating RADIUS/UDP and RADIUS/TCP >> Document date: 2023-07-25 >> Group: Individual Submission >> Pages: 24 >> URL: https://www.ietf.org/archive/id/draft-dekok-radext-deprecating-radius-02.txt >> Status: https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/ >> Html: https://www.ietf.org/archive/id/draft-dekok-radext-deprecating-radius-02.html >> Htmlized: https://datatracker.ietf.org/doc/html/draft-dekok-radext-deprecating-radius >> Diff: https://author-tools.ietf.org/iddiff?url2=draft-dekok-radext-deprecating-radius-02 Some nitpicking, but otherwise everything looks great, especially the CUI section: Section 1: * 'corporate executives' I think should be replaced with 'an individual' which is more pointed and resonates more to me the privacy worries here. * "The negative implications for security and individual safety are obvious" may read better dropping 'obvious' to become "These implications do not bode well for security and individual safety" * "AAA servers can also minimize the impact of such attacks using TLS connections with short lifetimes, though that practice can cause spurious errors in a proxy environment.", if you want to reference a source on the why there is [2] but I think we can do better here to suggest ways of avoiding interrupting by rekey'ing an existing connection (SSL_key_update) or failing that to open a second connection and drain the original connection. So maybe instead "AAA servers should minimize the impact of such attacks by using a byte (recommended) or time based limit before replacing the session keys though a process of either rekeying the existing connection, opening a new connection and draining the original or, at risk of causing spurious errors in a proxy environment, just to immediately close the connection" Section 7: A lot of this applies to even TLS connections, PII stripping whilst proxying and even hiding from the visited site is important. Maybe amend "Implementors and administrators need to be aware of all of these issues, ..." to "Implementors and administrators need to be aware of all of these issues, which also impact proxy and roaming environments, ..." Section 7.1.1: Do we want to describe a stateless method too? "In general, the simplest way to track CUIs long term is to associate the CUI to user identity in some kind of stateful database or alternatively stateless by using the week number." 'week number' could be a suggestion but nothing prevents the use of some other datetime modulo math. Supplement the math later with the stateless approach: CUI = HASH(visited network data + user identifier + week number + key) If we do this, we should highlight that 'week number' should probably have day offsets applied based on the visited network data and user identifier so that not every suddenly changes at the same time...though maybe this is actually desirable? Misc: Lastly, ran this through aspell and found these, there may be others: s/possbile/possible/g s/defintions/definitions/g s/Messge/Message/g s/attacket/attacker/g s/Acccess/Access/g s/transport thos data/transport this data/ s/obfsucated/obfuscated/g s/identies/identities/g s/aobut/about/g s/organizstion/organization/g s/mutliple/multiple/g s/managung/managing/g s/preceeding/preceding/g s/ssesion/session/g s/tunneled/tunnelled/g s/ddifferent/different/g s/cleartext/clear-text/ <-- single inconsistent occurrence s/implementer/implementor/ s/Margart/Margaret/g <-- first Matthew[1], and now Margaret...who will be the next 'M'-victim Cheers [1] https://mailarchive.ietf.org/arch/msg/radext/Gv_z9gALm4ML3orJTAGALq_kPpM/ [2] https://web.archive.org/web/20230512090344/https://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf
- [radext] Fwd: New Version Notification for draft-… Alan DeKok
- Re: [radext] Fwd: New Version Notification for dr… Margaret Cullen
- Re: [radext] Fwd: New Version Notification for dr… Alexander Clouter
- Re: [radext] New Version Notification for draft-d… Alan DeKok