Re: [radext] BoF request for IETF 115
Bernard Aboba <bernard.aboba@gmail.com> Fri, 23 September 2022 19:59 UTC
Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B47ABC152588 for <radext@ietfa.amsl.com>; Fri, 23 Sep 2022 12:59:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kraHwjPPOjS6 for <radext@ietfa.amsl.com>; Fri, 23 Sep 2022 12:59:13 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 501AEC15256A for <radext@ietf.org>; Fri, 23 Sep 2022 12:59:13 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id v2so712931edc.7 for <radext@ietf.org>; Fri, 23 Sep 2022 12:59:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date; bh=oNFwbCVGdj0Mu8GGUl8eg+40HXuCuiGH8bUdpkQ67lQ=; b=VcCHHUtEmvwJVG9S5iOElxUj/LKlNIhDUDL7kY5MwIoQkTGJwJDm4vZ38dyaC1WG2y N+ZGlZgtDG8hQFQLCwQ7ZOxwtoD4N88CluMSrYgj9ERk5C/NObI0excC9kOanCz/JzHN EggNXMyt6/1ZA9/sbwahiEL9W82Ac/3oRw6HjwKfz1khGYyq6S1e/GyzR/kuqFuVakPu a8lgLH7aKAh9c7Cr0+0QETfezJv5f/hIUmVOGmLSpytAEIeb2xcpAgKbDH2tI0655IUg Yes6e9heAuX7011TnbTjPanDia8eVR/vSd2icL22JbVT9Oa9KGvk4DRXLGWbgp7oy1me xYxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date; bh=oNFwbCVGdj0Mu8GGUl8eg+40HXuCuiGH8bUdpkQ67lQ=; b=Y3uFwgEv1j9376BZzMABcogWs70ZbumMd0gkvQfyDSF6UI5bRsOlizQuCyDwFTXsG9 24BLkWhhwuMPIrEOkTJ7LF0d9Rvv4mZv3aG8GcKByyQTJFXqKiFdf7VstZaGUB3Q2FMe ftjA+7rTU+lQCrxy5OhSjgnZ7qtnTXjDIZc/kX9qtugjUCfpTiySjtmJXEjCLq5aer3P 8pZzMCuxBk/+Eshly2HnKERknQ75abWWj+jyvocg5abiXlv90JUqc+jp4gXnD/KcE2pW toORT8bf9/1K5wJ+0kP23rL+cVoZPkGVVcX5kbCDuPvPSHw4+j5vJ4Zl2HBt77oXNtjl F1jg==
X-Gm-Message-State: ACrzQf2fuYBzJaRc0c8LDKD5Fwqr55tfAVq7yPx0Tvdhl68CgbFgNoEQ pTVlx+P1vodJVT/8K0GxrJmKKxjF9OjdCPtijDxctlGWP8y/nw==
X-Google-Smtp-Source: AMsMyM5TEFgOJLMfVeMWAzpyky4R16vZueJr2Sq7m9j8fKOn/8NbQqHnx5kTL3mBNQhG0XZG7SU/LxkUxWgu6bXEYAc=
X-Received: by 2002:a05:6402:ca9:b0:44e:d8f3:3d0e with SMTP id cn9-20020a0564020ca900b0044ed8f33d0emr9952124edb.397.1663963151093; Fri, 23 Sep 2022 12:59:11 -0700 (PDT)
MIME-Version: 1.0
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Fri, 23 Sep 2022 12:58:59 -0700
Message-ID: <CAOW+2ds134ZJ+somFXsL=27=pvtUT2hNU6G9_8cpM3VoWEcN9Q@mail.gmail.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008a55db05e95d9cff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/iPDgjPo24mRB7IoDlfoODoUaIa8>
Subject: Re: [radext] BoF request for IETF 115
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2022 19:59:13 -0000
Alan said: "My preference would be to just punt the problem to TLS. That is also the historical approach (chosen implicitly) by prior discussions in RADEXT." [BA] Leaving the crypto-agility problem to TLS makes sense. However, there are some security issues that TLS alone cannot solve. For example, there has been discussion of adding support for shared secrets to RADIUS over (D)TLS, so as to allow configuration to be familiar to RADIUS server administrators. My concern is that the "shared secrets" used in today's RADIUS deployments often have little entropy, leaving them open to password-guessing attacks. So some additional thinking may be required here. " To my recollection, the RADEXT WG never seriously discussed any of those points. Instead, once the RADIUS / TLS work was started, all of the crypto agility requirements were silently dropped. The preference was to not design any new cryptographic primitives in RADEXT." [BA] The crypto-agility requirements were not dropped or ignored. There were quite a few submissions that claimed to meet the RADIUS crypto-agility requirements, but after evaluation against the RFC 6421 criteria, only the RADIUS over (D)TLS proposals went forward for publication as Experimental RFCs. " That is, RFC 6421 was published, and was resoundingly ignored. It would be worth perhaps explaining why in a new document. Perhaps the one which deprecates RADIUS / UDP." [BA] It is true that the (now closed) RADEXT WG ignored its responsibilities under RFC 6421 to publish a crypto-agile version of RADIUS on the standards track. But that's what that the WG proposed in this BOF is trying to fix, right?
- [radext] BoF request for IETF 115 Alan DeKok
- Re: [radext] BoF request for IETF 115 Bernard Aboba
- Re: [radext] BoF request for IETF 115 Stefan Winter
- Re: [radext] BoF request for IETF 115 josh.howlett
- Re: [radext] BoF request for IETF 115 klaas@wierenga.net
- Re: [radext] BoF request for IETF 115 Margaret Cullen
- Re: [radext] BoF request for IETF 115 Bernard Aboba
- Re: [radext] BoF request for IETF 115 Alan DeKok
- Re: [radext] BoF request for IETF 115 Alexander Clouter
- Re: [radext] BoF request for IETF 115 Bernard Aboba
- Re: [radext] BoF request for IETF 115 Peter Deacon
- Re: [radext] BoF request for IETF 115 Alan DeKok
- Re: [radext] BoF request for IETF 115 Alexander Clouter
- Re: [radext] BoF request for IETF 115 Alan DeKok
- Re: [radext] BoF request for IETF 115 josh.howlett
- Re: [radext] BoF request for IETF 115 Peter Deacon
- Re: [radext] BoF request for IETF 115 Alan DeKok
- Re: [radext] BoF request for IETF 115 Bernard Aboba
- Re: [radext] BoF request for IETF 115 Stefan Winter
- Re: [radext] BoF request for IETF 115 Alan DeKok
- Re: [radext] BoF request for IETF 115 Karri Huhtanen
- Re: [radext] BoF request for IETF 115 josh.howlett
- Re: [radext] BoF request for IETF 115 Alan DeKok
- Re: [radext] BoF request for IETF 115 josh.howlett
- Re: [radext] BoF request for IETF 115 Alan DeKok
- Re: [radext] BoF request for IETF 115 josh.howlett
- Re: [radext] BoF request for IETF 115 Margaret Cullen
- Re: [radext] BoF request for IETF 115 Jan-Frederik Rieckers
- Re: [radext] BoF request for IETF 115 Alan DeKok