Re: [radext] Server identity and RFC7585bis
Jan-Frederik Rieckers <rieckers@dfn.de> Fri, 12 April 2024 08:36 UTC
Return-Path: <rieckers@dfn.de>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38F18C14F603 for <radext@ietfa.amsl.com>; Fri, 12 Apr 2024 01:36:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w2iPm4mjlXYB for <radext@ietfa.amsl.com>; Fri, 12 Apr 2024 01:36:01 -0700 (PDT)
Received: from a1004.mx.srv.dfn.de (a1004.mx.srv.dfn.de [194.95.233.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 213E9C14F5F1 for <radext@ietf.org>; Fri, 12 Apr 2024 01:35:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:in-reply-to:organization:from:from :content-language:references:subject:subject:user-agent :mime-version:date:date:message-id:received; s=s1; t=1712910956; x=1714725357; bh=PVYP3Pk/TVu4hsrY6Gg2lfBkGROLBo/ny/XJVcpbwlk=; b= sPyV0VdFwhVNlBVoXNH0Fp2xEPyLGN4fgi0tG+WV7YhEzrKi3FpyIqUNp3SgFghC UEQN/3pQOcCEAJ9prq9ua4b/RQIHBxaOIIkeNOCHooaoiU2BGiUtoHSpqMCSODkH 4cs2rjV7CJy15gE/PjK5SlOLRc+2bj97DFtInPVvMFM=
Received: from mail.dfn.de (mail.dfn.de [194.95.245.150]) by a1004.mx.srv.dfn.de (Postfix) with ESMTPS id 826732000E8 for <radext@ietf.org>; Fri, 12 Apr 2024 10:35:56 +0200 (CEST)
Received: from [10.100.252.162] (airoserv.dfn.de [192.76.176.250]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.in.dfn.de (Postfix) with ESMTPSA id 5BF6B41C for <radext@ietf.org>; Fri, 12 Apr 2024 10:35:56 +0200 (CEST)
Message-ID: <5b5d0dc0-a81a-415e-ac01-de8b365a6ea0@dfn.de>
Date: Fri, 12 Apr 2024 10:35:54 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: radext@ietf.org
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <18ef8267-474e-49ae-9204-0c6c79d5e50c@dfn.de> <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de> <10347.1712778967@obiwan.sandelman.ca> <7D282A57-B68E-43DA-A6A2-7E14A8C09119@deployingradius.com>
Content-Language: en-US
From: Jan-Frederik Rieckers <rieckers@dfn.de>
Organization: DFN e.V.
In-Reply-To: <7D282A57-B68E-43DA-A6A2-7E14A8C09119@deployingradius.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms040109050507010604000401"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/pX1cn_RnaRnqeu5MBXc-sohK_SQ>
Subject: Re: [radext] Server identity and RFC7585bis
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 08:36:06 -0000
On 11.04.24 15:15, Alan DeKok wrote: > On Apr 10, 2024, at 3:56 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote: >> You need to give the certificate SAN dNSName for the server, or you can't >> verify the certificate correctly. >> >> I think that "same IP addr and port" is a bad test for same server, as one >> way to do multi-tenant would be to inspect the SNI and punt to different >> backend servers. > > I tend to agree here. The server identity is the certificate (or DNSName in the cert). The IP/port are pretty much irrelevant. > > I've added some comments to this effect in https://github.com/radext-wg/draft-ietf-radext-radiusdtls-bis/pull/1 > > Alan DeKok. I completely disagree. The purpose of defining a way to check if it is the same server is to make sure that we mark broken servers as down and don't use them in our load-balancing any more. Nowhere does it say "A server certificate MUST NOT be used in more than one single server" I would strongly object to putting it in, because there are use cases where you might use the same server certificate for multiple servers, i.e. because they are in a load-balancing or other form of redundancy setup, or because they have a common TLS termination point (i.e. a DPI-Firewall). And just because the server presented the same certificate (with maybe multiple SANs) it doesn't mean that all connections to the server are the same. If we go down the path with SNI, then I could have a connection that used eduroam-federation.example.com for one connection and openroaming-federation.example.com for another. The certificate may be valid for both DNS names, but the policy is different on the connections. If we would say "Just compare the certificate" then the client would send OpenRoaming packets to the eduroam federation, or the other way round, depending on which connection was there first. If we completely ignore the IP/port part, then a client would mark the whole redundancy cluster as down, just because they opened up a connection to one of them and they stopped answering. And, the other way round, if there were other connection open to other members of the cluster, it would keep trying the broken server in the cluster, because there are still open connections to "this server", so the software can't mark the server as down. We should make sure why we need to identify a client and a server. From my perspective, identifying a server has two reasons: 1. Make sure that redundancy mechanisms work (as described above) 2. Prevent opening unnecessarily many open connections to a server with dynamic discovery, just because the client is not sure if it's the same, while keeping deployment options open (i.e. different policies hidden behind different Server Names, but with the same certificate) I'm not entirely sure, why we need to identify a specific client in the way the specification in RFC6614 was written (i.e. "What is the problem we solve by having a way to identify a client" or more specifically "what are the consequences of identifying that two connections come from the same client") Cheers, Janfred -- Herr Jan-Frederik Rieckers Security, Trust & Identity Services E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370 Pronomen: er/sein | Pronouns: he/him __________________________________________________________________________________ DFN - Deutsches Forschungsnetz | German National Research and Education Network Verein zur Förderung eines Deutschen Forschungsnetzes e.V. Alexanderplatz 1 | 10178 Berlin https://www.dfn.de Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian Zens Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch VR AG Charlottenburg 7729B | USt.-ID. DE 136623822
- [radext] Review of draft-ietf-radext-radiusdtls Alan DeKok
- Re: [radext] Review of draft-ietf-radext-radiusdt… Fabian Mauchle
- [radext] Certficate and certificate chain selecti… Heikki Vatiainen
- Re: [radext] Review of draft-ietf-radext-radiusdt… Jan-Frederik Rieckers
- [radext] RADIUS/(D)TLS port usage (was: Review of… Jan-Frederik Rieckers
- Re: [radext] Certficate and certificate chain sel… Alan DeKok
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Alan DeKok
- Re: [radext] Review of draft-ietf-radext-radiusdt… Jan-Frederik Rieckers
- Re: [radext] Review of draft-ietf-radext-radiusdt… Fabian Mauchle
- Re: [radext] Server identity and RFC7585bis (was:… Mark Grayson (mgrayson)
- [radext] Accounting and Protocol-Error (was: Revi… Jan-Frederik Rieckers
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Michael Richardson
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Alan DeKok
- [radext] Server identity and RFC7585bis (was: Rev… Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis (was:… Michael Richardson
- Re: [radext] Server identity and RFC7585bis (was:… Alexander Clouter
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Michael Richardson
- Re: [radext] Server identity and RFC7585bis (was:… Alexander Clouter
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Stephen Farrell
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis (was:… Alan DeKok
- Re: [radext] Server identity and RFC7585bis Stephen Farrell
- Re: [radext] Server identity and RFC7585bis (was:… Alan DeKok
- Re: [radext] Server identity and RFC7585bis Mark Grayson (mgrayson)
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Alexander Clouter
- Re: [radext] Server identity and RFC7585bis Alan DeKok
- Re: [radext] Server identity and RFC7585bis Michael Richardson
- Re: [radext] Server identity and RFC7585bis Alan DeKok
- Re: [radext] Server identity in RADIUS/(D)TLS-bis Jan-Frederik Rieckers
- Re: [radext] Accounting and Protocol-Error (was: … Alan DeKok
- Re: [radext] Server identity in RADIUS/(D)TLS-bis Alan DeKok
- Re: [radext] Server identity and RFC7585bis Fabian Mauchle
- Re: [radext] Session closure in DTLS (was: Review… Jan-Frederik Rieckers
- Re: [radext] Session closure in DTLS (was: Review… Alan DeKok
- Re: [radext] Session closure in DTLS Fabian Mauchle
- Re: [radext] Session closure in DTLS Alan DeKok