[radext] RADIUS/1.1 ALPN minor suggestions
Matthew Newton <matthew-ietf@newtoncomputing.co.uk> Sat, 15 April 2023 16:19 UTC
Return-Path: <matthew-ietf@newtoncomputing.co.uk>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 599E2C14CE27 for <radext@ietfa.amsl.com>; Sat, 15 Apr 2023 09:19:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=newtoncomputing.co.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MhOpi9wwXvhb for <radext@ietfa.amsl.com>; Sat, 15 Apr 2023 09:19:45 -0700 (PDT)
Received: from mail.newtoncomputing.co.uk (mail.newtoncomputing.co.uk [IPv6:2001:8b0:b2:1::140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86A1FC151544 for <radext@ietf.org>; Sat, 15 Apr 2023 09:19:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=newtoncomputing.co.uk; s=feb2010; h=Content-Transfer-Encoding:Content-Type: Subject:From:To:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=nKOmQX9zsjjzVWgFDakHAcaZFipaRfdmVZiejXLAvjw=; b=zBf58kb43252JCITLSt7vnnEaw zKmGQn9yDWHtz9REYzbF8WROqJ0DoMWyTyll7V5XBsi/VxrwOUgxSt0ZCjpZ1B0KnULZqo3aOnQ/6 +6HgrJ7Nsl7TiBldk5hxBG7y7RQSZcl2DEi6p/PfMBmrYeTkquTcpEIA3V3gvVxkJk4k=;
Received: from [2001:8b0:b2:1:e884:d1b7:7807:a9b8] by mail.newtoncomputing.co.uk with esmtpsa (Exim 4.92 #3 (Debian)) id 1pnicm-0006X8-FM for <radext@ietf.org>; Sat, 15 Apr 2023 17:19:40 +0100
Message-ID: <3c6cb8bf-8bfe-6008-868a-4022c596c3ad@newtoncomputing.co.uk>
Date: Sat, 15 Apr 2023 17:19:38 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
To: radext@ietf.org
Content-Language: en-GB
From: Matthew Newton <matthew-ietf@newtoncomputing.co.uk>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-NC-Fw-Sig: d28eb7783fcaa8a96965cdcb17b1e1fe matthew-ietf@newtoncomputing.co.uk
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/mkNoGn098HhrcRQldAafG4Od79U>
Subject: [radext] RADIUS/1.1 ALPN minor suggestions
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Apr 2023 16:19:51 -0000
A first pass at trivial and (hopefully) non-contentious suggestions and fixes for draft-dekok-radext-radiusv11-04.txt. Mostly typos or minor English issues (some may be just personal preference so take as you like.) Maybe too early in the game for fine detail fixes but I've noticed them so may as well feed back. I've got other more detailed comments which I'm working through and will send separately. Section 1 para 3 has/have - The ensuing years has shown that it is important for RADIUS to remove + The ensuing years have shown that it is important for RADIUS to remove List of changes (para 5) - inconsistencies. Suggest either 1) each bullet point is a sentence with capital letter and full stop, or 2) they are one continuous sentence, each starting with lowercase and ending in a semicolon, except the last. The former probably works better here. e.g. comma to full stop - * ALPN is used for negotiation of this extension, + * ALPN is used for negotiation of this extension. above plus capital - * all uses of the RADIUS shared secret have been removed, + * All uses of the RADIUS shared secret have been removed. Suggest removing comma before and in most cases, e.g. - * The Identifier field is no longer used, and has been replaced by - the Token field, + * The Identifier field is no longer used as it has been replaced by + the Token field. and * The Message-Authenticator attribute ([RFC3579] Section 3.2) is not - sent in any packet, and if received is ignored, + sent in any packet. If received it is ignored. Change to RFC crazy "string" terminology. - "octets" ([RFC8044] Section 3.5), without the previous MD5-based + "string" ([RFC8044] Section 3.5), without the previous MD5-based No comma needed. - obfuscation. This obfuscation is no longer necessary, as the data + obfuscation. This obfuscation is no longer necessary as the data is secured and kept private through the use of TLS. Similar comments in the second list - sentences probably make more sense than ending in commas (or semicolons), especially as one point is multiple sentences anyway. e.g. - * the RADIUS packet header is the same size, and the Code and Length + * The RADIUS packet header is the same size, and the Code and Length - as before, + as before. Connection"s" - server connection), it does not impact any other connection used + server connection), it does not impact any other connections used First paragraph after second list Fix comma / full stop A major benefit of this extensions is that a home server which implements it can also choose to also implement full FIPS-140 - compliance, That is, a home server can remove all uses of MD4 and + compliance. That is, a home server can remove all uses of MD4 and Comma-separated list, rather than A or B or C. - MD5. In that case, however, the home server will not support CHAP or - MS-CHAP, or any authentication method which uses MD4 or MD5. We note + MD5. In that case, however, the home server will not support CHAP, + MS-CHAP, or any other authentication method which uses MD4 or MD5. We note Two paragraphs further down, suggest slight rewrite to avoid doing "this specification. This specification" We reiterate that the decision to support (or not) any authentication method is entirely site local, and is not a requirement of this - specification. This specification does not not modify the content or - meaning of any RADIUS attribute other than Message-Authenticator (and - similar attributes), and the only change to the Message-Authenticator + specification. The contents or meaning of any RADIUS attribute, other + than Message-Authenticator (and similar attributes, see below), are not + modified. The only change to the Message-Authenticator attribute is that is no longer used. Section 2 Consistency - full stops on some not others: * ALPN - Application-Layer Protocol Negotiation, as defined in [RFC7301] + Application-Layer Protocol Negotiation, as defined in [RFC7301]. * RADIUS/TCP - RADIUS over the Transmission Control Protocol [RFC6613] + RADIUS over the Transmission Control Protocol [RFC6613]. * RADIUS/TLS - RADIUS over the Transport Layer Security protocol [RFC6614] + RADIUS over the Transport Layer Security protocol [RFC6614]. * RADIUS/DTLS RADIUS over the Datagram Transport Layer Security protocol - [RFC7360] + [RFC7360]. * TLS - the Transport Layer Security protocol. Generally when we refer + The Transport Layer Security protocol. Generally, when we refer to TLS in this document, we are referring interchangeably to TLS or DTLS transport. Section 4 "radius/1.1" - The protocol defined by specification. + The protocol defined by this specification. Section 4.2 - The value "RADIUS-1.1" flag is used by the client to determine + The value of the "RADIUS-1.1" configuration flag is used by the client to determine what to send: - forbid - no ALPN + forbid - ALPN is not used Section 4.4 Use [link] as elsewhere - When session resumption or session tickets (RFC5077) are used, the + When session resumption or session tickets [RFC5077] are used, the Section 5.1 Comma list not A and B and C - different meaning. The Identifier and the Request Authenticator and + different meaning. The Identifier, Request Authenticator and Response Authenticator fields are no longer used. Any operations In the list of fields: Not "definition in RADIUS" - maybe "unchanged from the previous RADIUS specification", or just "of". Or (see other e-mail) "is unchanged from standard RADIUS" if "standard RADIUS" is defined in the terminology section. The meaning of the Code field is unchanged from the previous - definition in RADIUS. + definition of RADIUS. The meaning of the Length field is unchanged from the previous - definition in RADIUS. + definition of RADIUS. Section 5.2.1 para 4 Comma from a 32-bit counter which is unique to each connection. Such a counter SHOULD be initialized to a random value, taken from a random - number generator whenever a new connection is opened. The counter + number generator, whenever a new connection is opened. The counter Section 5.2.2 para 2 Move comma Accounting-Request. This overlap requires that RADIUS clients and - servers, track the Identifier field not only on a per-connection + servers track the Identifier field, not only on a per-connection basis, but also on a per-packet type basis. This behavior adds complexity to implementations. Section 6.1 para 1 Missing full stop - observer + observer. Para 2 If they are obfuscated then they have already been obfuscated so they can't not be obfuscated. - Attributes which are obfuscated with MD5 no longer have the + Attributes defined as being obfuscated with MD5 no longer have the obfuscation step applied when RADIUSv11 is used. Instead, those Para 3 - Make it a bit more concrete - We understand that there is often concern in RADIUS that passwords + There are often concerns where RADIUS is used that passwords are sent "in cleartext" across the network. This allegation was Para 5 Remove extraneous space - These others ways to mitigate these risks . One is by ensuring that + These others ways to mitigate these risks. One is by ensuring that Section 6.1.1 Para 1 - Incorrect ref The User-Password attribute ([RFC2865] Section 5.2) MUST be encoded the same as any other attribute of data type 'string' ([RFC8044] - Section 3.4). + Section 3.5). Para 3 - Incorrect ref The contents of the User-Password attribute do not have to printable text, or UTF-8 data as per the definition of the 'text' data type in - [RFC8044] Section 3.5. + [RFC8044] Section 3.4. Section 6.1.2 Possible modification just to make the text flow better? use a Request Authenticator field, proxies may receive an Access- Request containing a CHAP-Password attribute ([RFC2865] Section 5.2) but without a CHAP-Challenge attribute ([RFC2865] Section 5.40). - Proxies which forward that CHAP-Password attribute over a RADIUSv11 + In this case, proxies which forward that CHAP-Password attribute over a RADIUSv11 connection MUST create a CHAP-Challenge attribute in the proxied packet using the contents from the Request Authenticator. Section 6.1.3 para 1 Comma to full stop - field or Data-Length fields as described in [RFC2868] Section 3,5, + field or Data-Length fields as described in [RFC2868] Section 3.5, Para 2 - Incorrect ref data type here, even though the attribute is no longer obfuscated. The contents of the Tunnel-Password attribute do not have to printable text, or UTF-8 data as per the definition of the 'text' - data type in [RFC8044] Section 3.5. + data type in [RFC8044] Section 3.4. Section 6.2 para 2 Remove comma for consistency with the rest of the document If the Message-Authenticator attribute is received over a RADIUSv11 connection, the attribute MUST be silently discarded, or treated an - as "invalid attribute", as defined in [RFC6929], Section 2.8. That + as "invalid attribute", as defined in [RFC6929] Section 2.8. That Section 7.1 para 2 Fix typos and full stop The rational for reserving one value of the Identifier field was the limited number of Identifiers available (256), and the overlap in Identifiers between Access-Request packets and Status-Server - packers.. If all 256 Identifier values had been used to send Access- + packets. If all 256 Identifier values had been used to send Access- Request packets, there would be no Identifier value available for - sending a Status-Sercer Packet. + sending a Status-Server Packet. Para 3 Avoid using 'which' twice in one sentence special meaning. The edge condition is that there are 2^32 outstanding packets on one connection with no new Token value - available for Status-Server. In which case there are other issues - which are more serious, such allowing billions of packets to be + available for Status-Server. In this case there are other more serious + issues, such allowing billions of packets to be oustanding. The safest way forward is likely to just close the connection. Section 7.3 para 4 Typo - All crypto-agility needed or use by this specification is implemented + All crypto-agility needed or used by this specification is implemented Section 7.4 para 2 Fix brackets by adding comma Change "octets" to "string" how those new attributes are transported in RADIUSv11. Since RADIUSv11 does not use MD5, any obfuscated attributes will by - definition be transported as their underlying data type ("text" + definition be transported as their underlying data type, "text" - ([RFC8044] Section 3.4) or "octets" ([RFC8044] Section 3.5). + ([RFC8044] Section 3.4) or "string" ([RFC8044] Section 3.5). Section 11 - typo - IANA is request to update the "TLS Application-Layer Protocol + IANA is requested to update the "TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs" registry with one new entry: -- Matthew
- [radext] RADIUS/1.1 ALPN minor suggestions Matthew Newton
- Re: [radext] RADIUS/1.1 ALPN minor suggestions Alan DeKok
- Re: [radext] RADIUS/1.1 ALPN minor suggestions Matthew Newton