Re: [radext] Proposed charter text based on IETF-115 BoF

Margaret Cullen <mrcullen42@gmail.com> Wed, 30 November 2022 15:43 UTC

From: Margaret Cullen <mrcullen42@gmail.com>
In-Reply-To: <329FE6EA-C1E6-4E16-8D0C-A68C32B67FB9@gmail.com>
Date: Wed, 30 Nov 2022 10:43:31 -0500
Cc: Peter Deacon <peterd@iea-software.com>, radext@ietf.org
Message-Id: <6A3A6C03-8A36-44C0-B52D-9167CF0C1C7A@gmail.com>
References: <4ce6d292-bb34-5dd7-7b8b-d43c282658f1@iea-software.com> <329FE6EA-C1E6-4E16-8D0C-A68C32B67FB9@gmail.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/iHDDMk5RFmtpuSlRbS4xZZSTLK0>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF


> On Nov 22, 2022, at 2:06 PM, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> 
> On Nov 22, 2022, at 08:56, Peter Deacon <peterd@iea-software.com> wrote:
>> 
>> It seems to me given the list examples of non-approved algorithms for non-security that SRADIUS is not necessary to comply with FIPS requirements.  With regards to RADIUS over TLS MD5 use is "redundant" and security is provided by an approved cryptographic algorithm.
>> 
>> regards,
>> Peter
> 
> +1 This is how RADIUS over IPsec was deployed to meet FIPS-140 requirements. If a known shared secret is used, and MD5 is turned off for user auth and attribute hiding, then MD5 serves no security purpose.

Is MD5 still used to calculate the Message Authenticator?  Or is there no MD5 used at all?  Is it possible/advisable to proxy from FIPS to non-FIPS environments? 

I’m not questioning your general approach, but I do think it would be useful to document how it works to promote interoperability between different implementations.

Margaret
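The question above is where MD5 still appears in a RADIUS exchange once password hiding and attribute encryption are switched off. As an added illustration that is not part of this thread and not the code of any RADIUS implementation, the following Python sketch exercises the three places RFC 2865 and RFC 2869 use MD5 in an Access-Request/Access-Accept exchange: User-Password hiding (RFC 2865 section 5.2), the Response Authenticator (RFC 2865 section 3), and the HMAC-MD5 Message-Authenticator (RFC 2869 section 5.14). The shared secret, user name, password and identifier are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values for this example; nothing here comes from the thread.
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80
HDR = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def avp(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_user_password(password, secret, request_auth):
    """MD5 use #1 (RFC 2865 section 5.2): pad to a 16-byte multiple, then XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    pad = -len(password) % 16 if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_user_password(hidden, secret, request_auth):
    """Inverse of hide_user_password; the chaining value is the previous hidden block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def find_attr(packet, attr_type):
    """Offset of the first attribute of attr_type after the 20-byte header, or -1."""
    off = 20
    while off + 2 <= len(packet):
        t, length = packet[off], packet[off + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        if t == attr_type:
            return off
        off += length
    return -1


def build_packet(code, ident, authenticator, attrs):
    return HDR.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def compute_message_authenticator(packet, secret, request_auth):
    """MD5 use #2 (RFC 2869 section 5.14): HMAC-MD5 over the packet with the
    Message-Authenticator value zeroed and the Request Authenticator in the
    authenticator field (responses are keyed on the Request Authenticator too)."""
    off = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if off < 0 or packet[off + 1] != 18:
        raise ValueError("packet lacks a well-formed Message-Authenticator")
    zeroed = packet[:4] + request_auth + packet[20:off + 2] + b"\x00" * 16 + packet[off + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def sign_packet(packet, secret, request_auth):
    off = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    mac = compute_message_authenticator(packet, secret, request_auth)
    return packet[:off + 2] + mac + packet[off + 18:]


def verify_message_authenticator(packet, secret, request_auth):
    off = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if off < 0:
        return False
    expected = compute_message_authenticator(packet, secret, request_auth)
    return hmac.compare_digest(expected, packet[off + 2:off + 18])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5 use #3 (RFC 2865 section 3): MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HDR.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def demo_exchange(password=b"pa55word", secret=SHARED_SECRET):
    """One Access-Request / Access-Accept round trip; returns what each side could verify."""
    request_auth = os.urandom(16)
    req_attrs = (avp(ATTR_USER_NAME, b"alice")
                 + avp(ATTR_USER_PASSWORD, hide_user_password(password, secret, request_auth))
                 + avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    request = sign_packet(build_packet(ACCESS_REQUEST, 7, request_auth, req_attrs), secret, request_auth)

    # Server side: check the HMAC-MD5 first, then recover the hidden password.
    request_ok = verify_message_authenticator(request, secret, request_auth)
    pw_off = find_attr(request, ATTR_USER_PASSWORD)
    recovered = unhide_user_password(request[pw_off + 2:pw_off + request[pw_off + 1]], secret, request_auth)

    # Accept: Message-Authenticator is keyed on the Request Authenticator, then the
    # plain-MD5 Response Authenticator is computed over the signed attribute list.
    signed = sign_packet(build_packet(ACCESS_ACCEPT, 7, request_auth,
                                      avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)), secret, request_auth)
    accept = signed[:4] + response_authenticator(ACCESS_ACCEPT, 7, request_auth, signed[20:], secret) + signed[20:]

    # Client side: both checks must pass; a single flipped byte fails the HMAC.
    accept_ok = (verify_message_authenticator(accept, secret, request_auth)
                 and hmac.compare_digest(accept[4:20], response_authenticator(
                     ACCESS_ACCEPT, 7, request_auth, accept[20:], secret)))
    tampered = accept[:-1] + bytes([accept[-1] ^ 1])
    return {"request_ok": request_ok, "password": recovered, "accept_ok": accept_ok,
            "tampered_ok": verify_message_authenticator(tampered, secret, request_auth)}
```

Running `demo_exchange()` shows that even with User-Password hiding and the Response Authenticator set aside (uses #1 and #3), the Message-Authenticator (use #2) is still an HMAC-MD5 computation keyed with the shared secret, which is the detail the question above asks about; whether a deployment treats that as a non-security use when TLS or IPsec carries the exchange is exactly what documenting the approach would need to spell out.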