IETF Logo Mail Archive

Re: [radext] Proposed charter text based on IETF-115 BoF

Alan DeKok <aland@deployingradius.com> Thu, 24 November 2022 14:15 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C1A1C14CEEB for <radext@ietfa.amsl.com>; Thu, 24 Nov 2022 06:15:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jU8RlIBB29Ze for <radext@ietfa.amsl.com>; Thu, 24 Nov 2022 06:15:38 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29436C14CEE7 for <radext@ietf.org>; Thu, 24 Nov 2022 06:15:37 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 177255BC; Thu, 24 Nov 2022 14:15:34 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAOW+2dsKg_H9f3zRUnanCpgGO+G=VPyxzWa9hsrCJCpsnoBsxA@mail.gmail.com>
Date: Thu, 24 Nov 2022 09:15:33 -0500
Cc: Peter Deacon <peterd@iea-software.com>, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, "radext@ietf.org" <radext@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7CB701B8-BD8F-4ADC-9265-12FC7EBE8FB6@deployingradius.com>
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com> <E82B0ECD-4580-4F35-B07B-35685CFC5C44@aiven.io> <883f3572-121f-5ed8-7378-1a91c5525f88@iea-software.com> <EAAC2507-5D29-4453-8881-BC8D9D5314D8@deployingradius.com> <CAOW+2dsKg_H9f3zRUnanCpgGO+G=VPyxzWa9hsrCJCpsnoBsxA@mail.gmail.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/oHrsiv9qSP0T-YugApHkKBEK5UI>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 14:15:40 -0000

On Nov 23, 2022, at 6:58 PM, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> If the intent is to integrate those portions of the draft that garner WG consensus into the RADIUS over (D)TLS specifications, then the document represents a useful contribution. 

  OK.

> But if the end result is a specification for each transport in addition to a separate SRADIUS specification, then this seems problematic to me, because you'd effectively have 4+ protocol variants (2 transports + SRADIUS on or off), each of which could declare itself a "Proposed Standard". 

  The goal of the draft is to define a (D)TLS transport profile for RADIUS.  Everything else is 100% RADIUS.

  But the issue of variants is a problem.  It would be ideal to just re-use RADIUS/TLS port 2083, and then do some kind of negotiation.  Since RADIUS doesn't include per-hop negotiation, that's difficult to do.

> Since protocol variants and "options" greatly expand the test matrix and certification cost, if the WG produces 4+ variants of "secure RADIUS" there will be a temptation for industry consortia to produce their own "profiles" of SRADIUS + (D)TLS in order to reduce the complexity.  

  I'm not sure I see how that will happen.  The only profiles available for customization are TLS parameters.  Everything else is mandated by the RADIUS specifications.

> But there is also an awful lot of "amateur lawyering" in the document, including statements relating to the implications of FIPS-140 requirements that differ very substantially from NIST documentation and official guidance. 

  That text can be updated, of course.

  Until there's an official statement from NIST, we're largely left with amateur lawyering.  What would be ideal is for NIST to publish an explicit statement about RADIUS and it's use of MD5.

  When people point at NIST specifications and make claims, it is very difficult to counter those claims with logical arguments.  After all, I'm just a random internet commenter, and NIST is an official organization.

  Why would anyone believe me?  I have a hard enough time convincing people to believe the documentation I write about the software I've written.  It's essentially impossible to convince people that I somehow know more / better than their reading of NIST specifications.

  The only practical way to counter NIST documentation saying "MD5 is not allowed" is another bit of NIST documentation saying "It's OK for RADIUS to use MD5 with (D)TLS".

  Alan DeKok.

v2.23.0 | Report a Bug | By Email