IETF Logo Mail Archive

Re: [radext] BoF request for IETF 115

Bernard Aboba <bernard.aboba@gmail.com> Fri, 23 September 2022 19:59 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B47ABC152588 for <radext@ietfa.amsl.com>; Fri, 23 Sep 2022 12:59:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kraHwjPPOjS6 for <radext@ietfa.amsl.com>; Fri, 23 Sep 2022 12:59:13 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 501AEC15256A for <radext@ietf.org>; Fri, 23 Sep 2022 12:59:13 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id v2so712931edc.7 for <radext@ietf.org>; Fri, 23 Sep 2022 12:59:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date; bh=oNFwbCVGdj0Mu8GGUl8eg+40HXuCuiGH8bUdpkQ67lQ=; b=VcCHHUtEmvwJVG9S5iOElxUj/LKlNIhDUDL7kY5MwIoQkTGJwJDm4vZ38dyaC1WG2y N+ZGlZgtDG8hQFQLCwQ7ZOxwtoD4N88CluMSrYgj9ERk5C/NObI0excC9kOanCz/JzHN EggNXMyt6/1ZA9/sbwahiEL9W82Ac/3oRw6HjwKfz1khGYyq6S1e/GyzR/kuqFuVakPu a8lgLH7aKAh9c7Cr0+0QETfezJv5f/hIUmVOGmLSpytAEIeb2xcpAgKbDH2tI0655IUg Yes6e9heAuX7011TnbTjPanDia8eVR/vSd2icL22JbVT9Oa9KGvk4DRXLGWbgp7oy1me xYxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date; bh=oNFwbCVGdj0Mu8GGUl8eg+40HXuCuiGH8bUdpkQ67lQ=; b=Y3uFwgEv1j9376BZzMABcogWs70ZbumMd0gkvQfyDSF6UI5bRsOlizQuCyDwFTXsG9 24BLkWhhwuMPIrEOkTJ7LF0d9Rvv4mZv3aG8GcKByyQTJFXqKiFdf7VstZaGUB3Q2FMe ftjA+7rTU+lQCrxy5OhSjgnZ7qtnTXjDIZc/kX9qtugjUCfpTiySjtmJXEjCLq5aer3P 8pZzMCuxBk/+Eshly2HnKERknQ75abWWj+jyvocg5abiXlv90JUqc+jp4gXnD/KcE2pW toORT8bf9/1K5wJ+0kP23rL+cVoZPkGVVcX5kbCDuPvPSHw4+j5vJ4Zl2HBt77oXNtjl F1jg==
X-Gm-Message-State: ACrzQf2fuYBzJaRc0c8LDKD5Fwqr55tfAVq7yPx0Tvdhl68CgbFgNoEQ pTVlx+P1vodJVT/8K0GxrJmKKxjF9OjdCPtijDxctlGWP8y/nw==
X-Google-Smtp-Source: AMsMyM5TEFgOJLMfVeMWAzpyky4R16vZueJr2Sq7m9j8fKOn/8NbQqHnx5kTL3mBNQhG0XZG7SU/LxkUxWgu6bXEYAc=
X-Received: by 2002:a05:6402:ca9:b0:44e:d8f3:3d0e with SMTP id cn9-20020a0564020ca900b0044ed8f33d0emr9952124edb.397.1663963151093; Fri, 23 Sep 2022 12:59:11 -0700 (PDT)
MIME-Version: 1.0
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Fri, 23 Sep 2022 12:58:59 -0700
Message-ID: <CAOW+2ds134ZJ+somFXsL=27=pvtUT2hNU6G9_8cpM3VoWEcN9Q@mail.gmail.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008a55db05e95d9cff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/iPDgjPo24mRB7IoDlfoODoUaIa8>
Subject: Re: [radext] BoF request for IETF 115
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2022 19:59:13 -0000

Alan said:

"My preference would be to just punt the problem to TLS. That is also the
historical approach (chosen implicitly) by prior discussions in RADEXT."

[BA] Leaving the crypto-agility problem to TLS makes sense.  However, there
are some security issues that TLS alone cannot solve.

For example, there has been discussion of adding support for shared secrets
to RADIUS over (D)TLS, so as to allow configuration to be familiar to
RADIUS server administrators.

My concern is that the "shared secrets" used in today's RADIUS deployments
often have little entropy, leaving them open to password-guessing attacks.
So some additional thinking may be required here.

" To my recollection, the RADEXT WG never seriously discussed any of those
points. Instead, once the RADIUS / TLS work was started, all of the crypto
agility requirements were silently dropped. The preference was to not
design any new cryptographic primitives in RADEXT."

[BA] The crypto-agility requirements were not dropped or ignored.  There
were quite a few submissions that claimed to meet the RADIUS crypto-agility
requirements, but after evaluation against the RFC 6421 criteria, only the
RADIUS over (D)TLS proposals went forward for publication as Experimental
RFCs.

" That is, RFC 6421 was published, and was resoundingly ignored. It would
be worth perhaps explaining why in a new document. Perhaps the one which
deprecates RADIUS / UDP."

[BA] It is true that the (now closed) RADEXT WG ignored its
responsibilities under RFC 6421 to publish a crypto-agile version of RADIUS
on the standards track.

But that's what that the WG proposed in this BOF is trying to fix, right?

v2.23.0 | Report a Bug | By Email