[radext] #149: Multiplexing secure and insecure on the same port
"radext issue tracker" <trac+radext@trac.tools.ietf.org> Fri, 05 April 2013 04:39 UTC
#149: Multiplexing secure and insecure on the same port

 As I mentioned in the Orlando meeting, I am becoming less convinced that
 multiplexing RADIUS over UDP and RADIUS over DTLS is the appropriate path
 to take. It would be better to use multiplexing at the UDP level port
 instead.

 Using UDP ports allows existing network devices to differentiate between
 encrypted and unencrypted RADIUS and enforce a security policy that allows
 only encrypted traffic.

 Using the same port also increases the probability that there will be more
 implementation errors that impact the system security. The overloading of
 command code 22 is somewhat of a kludge; it is possible that TLS could
 introduce new message codes that could make new enhancements to TLS
 incompatible with this specification.

 The only argument that I have heard for running insecure and secure on the
 same port is that you will not have to modify firewall rules; however, if
 you are already using a firewall to filter RADIUS traffic you will want to
 differentiate between insecure and secure RADIUS.

-- 
--------------------------------+-----------------
 Reporter:  jsalowey@cisco.com  |      Owner:
     Type:  defect              |     Status:  new
 Priority:  major               |  Milestone:
Component:  RDTLS               |    Version:
 Severity:  In WG Last Call     |   Keywords:
--------------------------------+-----------------

Ticket URL: <http://trac.tools.ietf.org/wg/radext/trac/ticket/149>
radext <http://tools.ietf.org/radext/>
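
Added example, not part of the ticket or of any RADIUS implementation: a sketch of what an "encrypted RADIUS only" filter has to do when DTLS has its own port versus when it shares a port with cleartext RADIUS. The function names, the port number 2083 and the sample datagrams are assumptions made for the illustration.

```python
import struct

DTLS_TYPES = {20, 21, 22, 23}       # change_cipher_spec, alert, handshake, application_data
DTLS_VERSIONS = {0xFEFF, 0xFEFD}    # DTLS 1.0 and DTLS 1.2 on the wire
RADIUS_MIN, RADIUS_MAX = 20, 4096   # RADIUS header size and maximum packet length
DTLS_PORT = 2083                    # assumed dedicated RADIUS/DTLS port (not from the ticket)

def policy_by_port(dst_port: int) -> str:
    """Separate ports: 'encrypted only' is decided from the UDP header alone."""
    return "allow" if dst_port == DTLS_PORT else "drop"

def looks_like_dtls(payload: bytes) -> bool:
    """13-octet DTLS record header: type, version, epoch+sequence, length."""
    if len(payload) < 13:
        return False
    ctype, version, _epoch_seq, length = struct.unpack("!BH8sH", payload[:13])
    return ctype in DTLS_TYPES and version in DTLS_VERSIONS and 13 + length <= len(payload)

def looks_like_radius(payload: bytes) -> bool:
    """RADIUS header: code, identifier, length, then a 16-octet authenticator."""
    if len(payload) < RADIUS_MIN:
        return False
    _code, _ident, length = struct.unpack("!BBH", payload[:4])
    return RADIUS_MIN <= length <= min(len(payload), RADIUS_MAX)

def policy_same_port(payload: bytes) -> str:
    """Shared port: the filter has to parse the payload; anything not clearly DTLS is dropped."""
    return "allow" if looks_like_dtls(payload) and not looks_like_radius(payload) else "drop"

def policy_first_octet(payload: bytes) -> str:
    """Hypothetical shortcut that trusts the first octet (22) alone."""
    return "allow" if payload[:1] == b"\x16" else "drop"

# Constructed sample datagrams (not captured traffic)
DTLS_HELLO = struct.pack("!BH8sH", 22, 0xFEFF, bytes(8), 32) + bytes(32)
RADIUS_ACCESS_REQUEST = struct.pack("!BBH", 1, 7, 20) + bytes(16)
RADIUS_CODE_22 = struct.pack("!BBH", 22, 7, 20) + bytes(16)   # cleartext, first octet 22

if __name__ == "__main__":
    for name, pkt in [("DTLS handshake", DTLS_HELLO),
                      ("RADIUS Access-Request", RADIUS_ACCESS_REQUEST),
                      ("RADIUS code 22", RADIUS_CODE_22)]:
        print(f"{name:22} same-port={policy_same_port(pkt):5} first-octet={policy_first_octet(pkt)}")
```

The port-based rule never reads the payload, while the shared-port rule depends on a parser that must track both wire formats, and the first-octet shortcut passes a cleartext packet whose code is 22.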