Re: [radext] BoF request for IETF 115

Peter Deacon <peterd@iea-software.com> Fri, 23 September 2022 20:38 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85212C1526F9 for <radext@ietfa.amsl.com>; Fri, 23 Sep 2022 13:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.509
X-Spam-Level:
X-Spam-Status: No, score=-1.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.398, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bFPmkCcwWckW for <radext@ietfa.amsl.com>; Fri, 23 Sep 2022 13:38:38 -0700 (PDT)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id ACABDC1526F7 for <radext@ietf.org>; Fri, 23 Sep 2022 13:38:38 -0700 (PDT)
Received: from smurf (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0006176088@aspen.iea-software.com> for <radext@ietf.org>; Fri, 23 Sep 2022 13:38:37 -0700
Date: Fri, 23 Sep 2022 13:38:43 -0700
From: Peter Deacon <peterd@iea-software.com>
To: radext@ietf.org
In-Reply-To: <CAOW+2ds134ZJ+somFXsL=27=pvtUT2hNU6G9_8cpM3VoWEcN9Q@mail.gmail.com>
Message-ID: <ab874879-3cdd-6cdb-e9a0-07a405272088@iea-software.com>
References: <CAOW+2ds134ZJ+somFXsL=27=pvtUT2hNU6G9_8cpM3VoWEcN9Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="792364547-10231-1663965523=:5116"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/iCBn2-LODMZ87Al9Dhbwsh6voAM>
Subject: Re: [radext] BoF request for IETF 115
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2022 20:38:40 -0000

On Fri, 23 Sep 2022, Bernard Aboba wrote:

> Alan said: 
> "My preference would be to just punt the problem to TLS. That is also the historical approach
> (chosen implicitly) by prior discussions in RADEXT."

> [BA] Leaving the crypto-agility problem to TLS makes sense. However, 
> there are some security issues that TLS alone cannot solve.

> For example, there has been discussion of adding support for shared 
> secrets to RADIUS over (D)TLS, so as to allow configuration to be 
> familiar to RADIUS server administrators.

> My concern is that the "shared secrets" used in today's RADIUS 
> deployments often have little entropy, leaving them open to 
> password-guessing attacks. So some additional thinking may be required 
> here.

Recommend using PAKE like the old TLS-SRP instead of TLS-PSK for password 
based secrets.

regards,
Peter