Re: [radext] Proposed charter text based on IETF-115 BoF

Alan DeKok <aland@deployingradius.com> Thu, 24 November 2022 13:57 UTC

From: Alan DeKok <aland@deployingradius.com>
Date: Thu, 24 Nov 2022 08:57:19 -0500
Cc: Paul Wouters <paul.wouters@aiven.io>, Peter Deacon <peterd@iea-software.com>, "radext@ietf.org" <radext@ietf.org>
To: Bernard Aboba <bernard.aboba@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/puiSQYYj8dzKUcz3BEtTwFxxohQ>

On Nov 23, 2022, at 11:26 PM, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> [BA] In “FIPS mode” the RADIUS server cannot execute user authentication mechanisms that depend on MD5, such as EAP-MD5 (for 802.1X) or CHAP.

  I'll add a nit here.  In FIPS mode, the crypto libraries supplied by the system generally do not include MD5.  However, RADIUS servers still need MD5 for packet signing, etc.  So... they ship a local implementation of MD5.

  Which means that EAP-MD5 and CHAP can then be supported.  The RADIUS server implementation in fact has to jump through extra hoops to say "FIPS means some uses of MD5, but not all uses of MD5".

  It's all a bit ugly.

  Alan DeKok.
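To make the "some uses of MD5, but not all uses of MD5" point concrete, here is an added example (not code from the thread or from any RADIUS server) of the protocol-level MD5 a RADIUS server cannot avoid: the Response Authenticator of RFC 2865, HMAC-MD5 for Message-Authenticator (RFC 2869), and CHAP verification (RFC 1994 / RFC 2865 section 5.3). The shared secret, password and challenge bytes are constructed values; the md5() helper uses Python's usedforsecurity=False switch as a stand-in for the locally shipped MD5 the message describes.

```python
"""RADIUS needs MD5 for packet signing and for CHAP even when the system
crypto library is in FIPS mode.  Constructed example, not a real server."""
import hashlib
import hmac
import struct

RADIUS_HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def md5(data: bytes) -> bytes:
    """Protocol MD5, kept separate from any 'cryptographic' MD5 use.

    usedforsecurity=False (Python 3.9+) tells a FIPS-configured OpenSSL this
    digest is a protocol primitive rather than a security claim; that is the
    same split the message above describes.  A server without such a switch
    ships its own MD5 instead.  (Assumption: this stands in for that local copy.)
    """
    try:
        return hashlib.md5(data, usedforsecurity=False).digest()
    except TypeError:           # older Python without the keyword
        return hashlib.md5(data).digest()


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 (RFC 2104) built on md5() above; used for Message-Authenticator."""
    if len(key) > 64:
        key = md5(key)
    key = key.ljust(64, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return md5(opad + md5(ipad + msg))


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(attrs))
    return md5(header + request_auth + attrs + secret)


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 s4.1 / RFC 2865 s5.3: MD5(CHAP-ID + cleartext password + challenge)."""
    return md5(bytes([chap_id]) + password + challenge)


def verify_chap_password(chap_password_attr: bytes, challenge: bytes,
                         password: bytes) -> bool:
    """Check a CHAP-Password attribute value: 1 byte ident + 16 byte response."""
    if len(chap_password_attr) != 17:
        return False
    chap_id, response = chap_password_attr[0], chap_password_attr[1:]
    return hmac.compare_digest(chap_response(chap_id, password, challenge), response)


def build_access_accept(request_ident: int, request_auth: bytes,
                        attrs: bytes, secret: bytes) -> bytes:
    """Assemble an Access-Accept whose Authenticator field is the Response Authenticator."""
    auth = response_authenticator(ACCESS_ACCEPT, request_ident, attrs, request_auth, secret)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request_ident, RADIUS_HEADER_LEN + len(attrs))
    return header + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What a NAS does with a reply: recompute the Response Authenticator and compare."""
    if len(packet) < RADIUS_HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[RADIUS_HEADER_LEN:],
                                      request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    # Constructed values for a stand-alone run.
    secret = b"testing123"
    req_auth = bytes(range(16))
    chap_attr = bytes([7]) + chap_response(7, b"hunter2", req_auth)
    print("CHAP ok:", verify_chap_password(chap_attr, req_auth, b"hunter2"))
    reply = build_access_accept(42, req_auth, b"", secret)
    print("reply ok:", verify_response(reply, req_auth, secret))
```

Every function above ends in md5(); none of it is "cryptographic" in the FIPS sense, yet a server that cannot call MD5 at all cannot sign a reply or validate CHAP, which is why implementations carry their own copy and then have to decide per call site whether FIPS policy applies.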