IETF Logo Mail Archive

Re: [radext] Proposed charter text based on IETF-115 BoF

Bernard Aboba <bernard.aboba@gmail.com> Tue, 22 November 2022 15:39 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36200C15259D for <radext@ietfa.amsl.com>; Tue, 22 Nov 2022 07:39:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RGdhPKZL7m_0 for <radext@ietfa.amsl.com>; Tue, 22 Nov 2022 07:39:04 -0800 (PST)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B333FC14CE4E for <radext@ietf.org>; Tue, 22 Nov 2022 07:39:04 -0800 (PST)
Received: by mail-ej1-x630.google.com with SMTP id ha10so341172ejb.3 for <radext@ietf.org>; Tue, 22 Nov 2022 07:39:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OuO6PmC8eg/3lTCY8m4aU394+7r3HZXy6Ugly8EdTWE=; b=esjKMxizcL1FzT2EB9UkltRN1YPsrz0bn7ID2bPO61jx9+6B0sKM/smMUjnOklRy/N rz9rBXkDS6Meja6AB9mfpYOH9bp8uDJYV3xypNExLYsJ/iKnKCjVu97r7y+xTkKLwK+t bIOO6mnmtzvsZ6s96n2uVdk+Ban34hj+foFa83gWdjokvrWIyfskpzr3osf4Hlo+AET3 RTB84keZfBJPGXVzoOxX1UUlRbnNWdGjHR9zRAefa3HWHlrfHYcUmLDPVxu0TEgTCHrH ziu7rQNQGS8MI03odtF1k0EWAjuCD5ll5VH9X+RIL0ax0jHF/8kszxpqp/1WFzu/qFxj MQvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OuO6PmC8eg/3lTCY8m4aU394+7r3HZXy6Ugly8EdTWE=; b=7kUXn2QOR0Ic8tygd7OkLrby2OAYBJdxNC3NqA2Fgssc5MRhbJEBDv4cQw4rpSyv1O M3sPmVdtwCueZwD5fVsz2TB2qIjPq9YI4B9zM6jUU7V/AU/OGDoyqLz4N0YyHRFRrUuc NfdSwf/+XtnO5R9VqVPzNBoRmSQOp5aBZ8euwQu7Bz4Rb/eTNjj2vU46nHoPHJzes/dk Y/jBWKBgcRHMjhSdWiyQtrnj6i0PfG/E3s0l8UrPfp4Jb7TSgj0UyLefNVzhtAS7fXFd +MyX4P/dsmZo92+YlcM/4VRVFka06sqNJSLzfZ9Ir8dblMnFzvTZD7L2ErSpVMfau9nw i+vg==
X-Gm-Message-State: ANoB5plGO3oWfOF1INWAkmIzNN9CnM/pmd9cNXwx2o/J6bRqwJu2PJsa o6a8nf4Bb1mS9ojFzUWlppX8zvn/da/zY/kM2hk=
X-Google-Smtp-Source: AA0mqf4nFA7/dc5fD4hbfDyrzJ4C6sTthcHTUUHp5MGu2MZIf6CxioEbEyLmIzXFltJuhgptR/qEgGoJsB5lp1LLwvw=
X-Received: by 2002:a17:906:1188:b0:7b2:c594:2182 with SMTP id n8-20020a170906118800b007b2c5942182mr6448466eja.290.1669131542152; Tue, 22 Nov 2022 07:39:02 -0800 (PST)
MIME-Version: 1.0
References: <FD0507D4-2C1D-478A-97E0-ECEEF1A5613B@deployingradius.com> <E82B0ECD-4580-4F35-B07B-35685CFC5C44@aiven.io> <883f3572-121f-5ed8-7378-1a91c5525f88@iea-software.com>
In-Reply-To: <883f3572-121f-5ed8-7378-1a91c5525f88@iea-software.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Tue, 22 Nov 2022 07:38:51 -0800
Message-ID: <CAOW+2dswxm5mcjayPjqK6VHQexG2iimfPnrcqTC2VR-iAvXNxQ@mail.gmail.com>
To: Peter Deacon <peterd@iea-software.com>
Cc: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, Alan DeKok <aland@deployingradius.com>, "radext@ietf.org" <radext@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a74d4b05ee10f8da"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/v5-oT2m3KbwiSrsfdqV0iejoRuQ>
Subject: Re: [radext] Proposed charter text based on IETF-115 BoF
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2022 15:39:05 -0000

Peter Deacon said:

"I am concerned with the idea of multiple seemingly identical incompatible
versions of RADIUS.  SRADIUS naming in particular is likely to be a
source of avoidable operator confusion."

[BA] Exactly. For RFC 3579's definition of RADIUS over IPsec, it was not
necessary to create a new version of RADIUS so it should not be required
here either.

"Hey isn't RADIUS over TLS S(ecure)RADIUS?  It connects ok but why does the
connection keep dropping as soon as I send an authentication request?
Presumably some operators wouldn't even have a choice to select
non-SRADIUS and interopability would be impossible.

I would prefer there be only one RADIUS over TLS standard not multiple
incompatible ones."

[BA] That's my take as well.  RADIUS over (D)TLS won't need MD5 in the
authenticator anyway, so why not specify how to avoid this usage within the
specs?  Why is it necessary to define an entirely new protocol??

On Tue, Nov 22, 2022 at 6:48 AM Peter Deacon <peterd@iea-software.com>
wrote:

> On Tue, 22 Nov 2022, Paul Wouters wrote:
>
> >>  In order for RADIUS to work in a FIPS -140 environment, the RADIUS
> >>  protocol has to be purged of dependencies on MD5.
>
> > Indeed, there is a special exemption for radius when I was involved with
> > FIPS certifications at redhat because there is no way to do radius
> > without md5. Fixing this is one of the main reasons for doing the radius
> > work. This is not about transport security, which can be configured to
> > be FIPS compliant.
>
> It is understandable for security standards to specify allowed algorithms.
>
> Also understandable for security stacks to not make unallowed algorithms
> available to applications.
>
> What I'm not clear on is where in any applicable security standards are
> such algorithms prohibited in applications for reasons other than
> security?
>
>
> I am concerned with the idea of multiple seemingly identical incompatible
> versions of RADIUS.  SRADIUS naming in particular is likely to be a
> source of avoidable operator confusion.
>
> Hey isn't RADIUS over TLS S(ecure)RADIUS?  It connects ok but why does the
> connection keep dropping as soon as I send an authentication request?
> Presumably some operators wouldn't even have a choice to select
> non-SRADIUS and interopability would be impossible.
>
> I would prefer there be only one RADIUS over TLS standard not multiple
> incompatible ones.
>
> regards,
> Peter
>

v2.23.0 | Report a Bug | By Email